Closed df7cb closed 1 year ago
There is no signature verification for user public keys, or am I missing something? https://github.com/tmate-io/tmate-ssh-server/blob/master/tmate-ssh-server.c
Seems to be already fixed with 1c020d1f5ca. Please consider tagging a new release with the fixes. Thanks.
Forwarding from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001225:
Hi,
The following vulnerabilities were published for tmate-ssh-server.
CVE-2021-44512[0], CVE-2021-44513[1].
Note that there are as well other issues which do not have a CVE which are mentioned in the oss-security[2] post.
If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-44512
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44512
[1] https://security-tracker.debian.org/tracker/CVE-2021-44513
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44513
[2] https://www.openwall.com/lists/oss-security/2021/12/06/2
Regards, Salvatore
Once the issues are resolved, please tag a new release so distributions can update the tmate-ssh-server packages. Thanks!