Candidate: CVE-2018-7749
PublicDate: 2018-03-12 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7749
 https://github.com/ronf/asyncssh/commit/16e6ebfa893167c7d9d3f6dc7a2c0d197e47f43a
 https://github.com/ronf/asyncssh/commit/c161e26cdc0d41b745b63d9f17b437f073bf7ba4
Description:
 The SSH server implementation of AsyncSSH before 1.12.1 does not properly
 check whether authentication is completed before processing other requests.
 A customized SSH client can simply skip the authentication step.
Ubuntu-Description:
 Matthijs Kooijman discovered that AsyncSSH server did not properly handle
 authentication under certain conditions. An attacker with a specially
 crafted client could use this vulnerability to skip authentication of SSH
 sessions.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892787
Priority: high
Discovered-by: Matthijs Kooijman
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_python-asyncssh:
upstream_python-asyncssh: released (1.12.1-1)
precise/esm_python-asyncssh: DNE
trusty_python-asyncssh: DNE
trusty/esm_python-asyncssh: DNE
xenial_python-asyncssh: ignored (no rdepends, library likely broken by python-bcrypt dependency)
artful_python-asyncssh: ignored (reached end-of-life)
bionic_python-asyncssh: needed
cosmic_python-asyncssh: ignored (reached end-of-life)
disco_python-asyncssh: ignored (reached end-of-life)
eoan_python-asyncssh: not-affected (1.12.2-1)
focal_python-asyncssh: not-affected (1.12.2-1)
groovy_python-asyncssh: not-affected (1.12.2-1)
hirsute_python-asyncssh: not-affected (1.12.2-1)
impish_python-asyncssh: not-affected (1.12.2-1)
jammy_python-asyncssh: not-affected (1.12.2-1)
devel_python-asyncssh: not-affected (1.12.2-1)