+++ This bug was initially created as a clone of Bug #2250330 +++

More information about this security flaw is available in the following bug:

http://bugzilla.redhat.com/show_bug.cgi?id=2250329

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

--- Additional comment from Borja Tarraso on 2023-11-17 18:22:54 UTC ---

Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====
# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=high

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2250329,2250330

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

--- Additional comment from Georg Sauthoff on 2023-11-17 22:26:36 UTC ---

@ktdreyer, what do you think, should asyncssh be bumped to 2.14.1 in EPEL8 to fix this?

However, I fear that RHEL8's python3-cryptography is also older than what asyncssh 2.14.1 requires ... (cf. https://bugzilla.redhat.com/show_bug.cgi?id=2250331#c3)

NB: There is also another CVE fixed in 2.14.1 (cf. https://bugzilla.redhat.com/show_bug.cgi?id=2250326).

--- Additional comment from Carl George 🤠 on 2024-01-23 22:39:55 UTC ---

The upstream commit that fixes this CVE applies cleanly to version 2.13.2 in EPEL 9. I've prepared that as a backport patch in this pull request.

https://src.fedoraproject.org/rpms/python-asyncssh/pull-request/6

The same commit does not apply cleanly to version 2.7.0 in EPEL 8, but we should at least resolve it in EPEL 9.