1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4322-1] libssh security update

    From Salvatore Bonaccorso@1:229/2 to All on Wed Oct 17 18:20:01 2018
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4322-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso October 17, 2018 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : libssh
    CVE ID : CVE-2018-10933
    Debian Bug : 911149

    Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH
    library, contains an authentication bypass vulnerability in the server
    code. An attacker can take advantage of this flaw to successfully
    authenticate without any credentials by presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the
    SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
    initiate authentication.

    For the stable distribution (stretch), this problem has been fixed in
    version 0.7.3-2+deb9u1.

    We recommend that you upgrade your libssh packages.

    For the detailed security status of libssh please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/libssh

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlvHX65fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QzRRAAkVzmI8DleL1oJ7sGN/NbPcYVPin1G+yYPw9OLKvYVCcz3rl4Hj8xNPSk 9bneHArC8/lvdk8ycyX9IuriO6E8D31pnMaWpxkWG/ulBRWymx+fT1wrWirhYEvT iYFCXpBFSHOWgPLM8Yand87xcnSLsbT8if24cv0Wuj4mTb2RdjvuBnrBqX1B91h1 08Pe27RPpyX83Lj9yCtQcZzm/t3vqYZPt9WNd91wRHD6wL6Xvt0uqCm6QnB/T3hk 9AdhpSUUCQFYNUliVYAgm1xDOWbVzmptPDo1jdo3/4qFAZhoYEnqdZCfholl4ldJ SxSmMHbXrug1lTGEqLlZSG1U6R4bUlodcBKwVLEjf0uFxlG3EqYKdIWlIN+TFqlO 8ttarFk1nCNyzt/ieheLNN6I/OOBrgT9+FS50m/6QN6gGnKJZPsY/YngHWGbc48v vN91cbn5RITfV3TQQiYY8LzbdGJNNNJp7PN23G3BKxgcM+n/sxjm1xajm0r3USaG bCbxNpzFTeTv+XUtjZvU8cWgHJJJOg6/2XB6loiplqgffTHUPC8LlIC8Vpa3uwkm W5353+UAp1OqvQvwYUj9rxAL+xbleMi8OHDOcqqGW5nkA4K1sLyCgunH6TDEMwjM bxWr6q0drbgtS5ePpLqqXMeNV/eQqxkrRg5EGwF6kyOAA35YrCU=
    =PEQu
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)