Bug 12942

Summary: libssh new security issue CVE-2014-0017
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/589740/
Whiteboard: MGA3TOO advisory MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK
Source RPM: libssh-0.5.5-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-05 13:44:08 CET 
libssh 0.6.3 has been announced on March 4, fixing a security issue:
http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/

Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated libssh packages fix security vulnerability:

When using libssh before 0.6.3, a libssh-based server, when accepting a new
connection, forks and the child process handles the request. The RAND_bytes()
function of openssl doesn't reset its state after the fork, but simply adds
the current process id (getpid) to the PRNG state, which is not guaranteed to
be unique. The most important consequence is that servers using EC (ECDSA) or
DSA certificates may under certain conditions leak their private key
(CVE-2014-0017).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0017
http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0017
========================

Updated packages in core/updates_testing:
========================
libssh4-0.5.4-1.1.mga3
libssh-devel-0.5.4-1.1.mga3
libssh4-0.5.5-2.1.mga4
libssh-devel-0.5.5-2.1.mga4

from SRPMS:
libssh-0.5.4-1.1.mga3.src.rpm
libssh-0.5.5-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-05 13:44:14 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Dave Hodgins 2014-03-05 16:12:29 CET 
No poc, so just testing that ssh server still works. Testing shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO => MGA3TOO advisory

Comment 2 Dave Hodgins 2014-03-05 17:32:31 CET 
Testing complete on Mageia 3 and 4, i586 and x86_64.

Someone from the sysadmin team please push 12942.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO advisory => MGA3TOO advisory MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 3 Thomas Backlund 2014-03-06 00:27:00 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0119.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-03-06 16:51:01 CET

URL: (none) => http://lwn.net/Vulnerabilities/589740/