CVE-2023-28113

Name	CVE-2023-28113
Description	russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
rust-russh (PTS)	forky, sid	0.57.1-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
rust-russh	source	(unstable)	(not affected)

Notes

- rust-russh <not-affected> (Fixed before initial upload to Debian)
https://github.com/Eugeny/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
Fixed by: https://github.com/Eugeny/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e (v0.36.2)