Advisories » MGASA-2026-0179

Updated golang-x-crypto & golang-x-sys-devel packages fix security vulnerability

Publication date: 07 Jun 2026
Modification date: 07 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-48795

Description

fixes a protocol weakness in the golang.org/x/crypto/ssh package that
allowed a MITM attacker to compromise the integrity of the secure
channel before it was established, allowing them to prevent transmission
of a number of messages immediately after the secure channel was
established without either side being aware.
The impact of this attack is relatively limited, as it does not
compromise confidentiality of the channel. Notably this attack would
allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO
message, disabling a handful of newer security features.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=32674
• https://www.openwall.com/lists/oss-security/2023/12/18/3
• https://www.openwall.com/lists/oss-security/2023/12/19/5
• https://www.openwall.com/lists/oss-security/2023/12/20/3
• https://www.cve.org/CVERecord?id=CVE-2023-48795

SRPMS

9/core

• golang-x-crypto-0.45.0-1.mga9
• golang-x-sys-0.30.0-2.mga9