ALAS-2023-2376

Amazon Linux 2 Security Advisory: ALAS-2023-2376
Advisory Release Date: 2023-12-18 09:20 Pacific
Advisory Updated Date: 2023-12-19 14:20 Pacific
Severity: Medium
Issue Overview:

AWS is aware of CVE-2023-48795, also known as Terrapin, which is found in the SSH protocol and affects SSH channel integrity. A protocol extension has been introduced by OpenSSH which needs to be applied to both the client and the server in order to address this issue. We recommend customers update to the latest version of SSH. (CVE-2023-48795)


Affected Packages:

openssh


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update openssh to update your system.

New Packages:
aarch64:
    openssh-7.4p1-22.amzn2.0.6.aarch64
    openssh-clients-7.4p1-22.amzn2.0.6.aarch64
    openssh-server-7.4p1-22.amzn2.0.6.aarch64
    openssh-server-sysvinit-7.4p1-22.amzn2.0.6.aarch64
    openssh-ldap-7.4p1-22.amzn2.0.6.aarch64
    openssh-keycat-7.4p1-22.amzn2.0.6.aarch64
    openssh-askpass-7.4p1-22.amzn2.0.6.aarch64
    openssh-cavs-7.4p1-22.amzn2.0.6.aarch64
    pam_ssh_agent_auth-0.10.3-2.22.amzn2.0.6.aarch64
    openssh-debuginfo-7.4p1-22.amzn2.0.6.aarch64

i686:
    openssh-7.4p1-22.amzn2.0.6.i686
    openssh-clients-7.4p1-22.amzn2.0.6.i686
    openssh-server-7.4p1-22.amzn2.0.6.i686
    openssh-server-sysvinit-7.4p1-22.amzn2.0.6.i686
    openssh-ldap-7.4p1-22.amzn2.0.6.i686
    openssh-keycat-7.4p1-22.amzn2.0.6.i686
    openssh-askpass-7.4p1-22.amzn2.0.6.i686
    openssh-cavs-7.4p1-22.amzn2.0.6.i686
    pam_ssh_agent_auth-0.10.3-2.22.amzn2.0.6.i686
    openssh-debuginfo-7.4p1-22.amzn2.0.6.i686

src:
    openssh-7.4p1-22.amzn2.0.6.src

x86_64:
    openssh-7.4p1-22.amzn2.0.6.x86_64
    openssh-clients-7.4p1-22.amzn2.0.6.x86_64
    openssh-server-7.4p1-22.amzn2.0.6.x86_64
    openssh-server-sysvinit-7.4p1-22.amzn2.0.6.x86_64
    openssh-ldap-7.4p1-22.amzn2.0.6.x86_64
    openssh-keycat-7.4p1-22.amzn2.0.6.x86_64
    openssh-askpass-7.4p1-22.amzn2.0.6.x86_64
    openssh-cavs-7.4p1-22.amzn2.0.6.x86_64
    pam_ssh_agent_auth-0.10.3-2.22.amzn2.0.6.x86_64
    openssh-debuginfo-7.4p1-22.amzn2.0.6.x86_64

Additional References

Red Hat: CVE-2023-48795

Mitre: CVE-2023-48795