Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jgit-dev] Vulnerability CVE-2023-48795

On 02.01.24 15:12 , Malyshkin, Denis via jgit-dev wrote:
There is a new vulnerability -- <> According to the list of the affected libraries, the "Apache MINA sshd through 2.11.0" library is also affected.

Does this vulnerability affect JGit and/or JGit users somehow?

Not directly; but it does of course affect SSH connections.

If yes, do you have plans to update the Apache Mina library?  Do you have a ticket for this?

Once upstream will have released a new version incorporating the fix,
we will update our dependencies to require at least that version.

No, we don't yet have a ticket for this. We will when we're ready do

The corresponding Apache Mina ticket is still in progress yet -- <>

In the meantime the Terrapin discoverers have given some possible
mitigation steps. Or you might use an external SSH executable.

Also take note of what OpenSSH has to say about this attack in its
release notes[1]. The security impact appears to be rather limited.
Note that "keystroke timing obfuscation" is not implemented in Apache
MINA sshd at all, and typically is of no concern for git-over-ssh.




Back to the top