VDB
GCVE-110-MAGEIA-2024-4
GCVE-110-MAGEIA-2024-4
Advisory Published
Parts of the SSH specification are vulnerable to a novel prefix
truncation attack (a.k.a. Terrapin attack), which allows a
man-in-the-middle attacker to strip an arbitrary number of messages
right after the initial key exchange, breaking SSH extension negotiation
(RFC8308) in the process and thus downgrading connection security.
### Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called
"strict kex" which alters the SSH handshake to ensure a
Man-in-the-Middle attacker cannot introduce unauthenticated messages as
well as convey sequence number manipulation across handshakes. Support
for strict key exchange has been added to a variety of SSH
implementations, including OpenSSH itself, PuTTY, libssh, and more.
This release includes a patch to implement Strict KEX mode.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | kernel-firmware | 20231111-1.mga9 (unaffected), 0 (affected) | — |
| Mageia | dropbear | 0 (affected), 2022.83-2.1.mga9 (unaffected), 0 (affected), 2022.83-2.1.mga9 (unaffected) | — |
Aliases
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.