| Summary: | libssh needs to be updated for CVE-2016-0739 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Pascal Terjan <pterjan> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | luigiwalser, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/676929/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | libssh | CVE: | |
| Status comment: | |||
Description
Pascal Terjan
2016-02-23 14:47:23 CET
Assigning to packagers collectively since ssh does not have a registered maintainer.

Assignee:
bugsquad =>
pkg-bugs

Note the last line, I created the update candidate already :)

Oops, assigning to you then, as you should have, until you decide it's ready for QA!

Assignee:
pkg-bugs =>
pterjan

Testing procedure (please note that openssh does *not* use this):
https://bugs.mageia.org/show_bug.cgi?id=8880#c2

Advisory:

========================

Updated libssh packages fix security vulnerability:

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. Both client and server are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions (CVE-2016-0739).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/

========================

Updated packages in core/updates_testing:

========================

libssh4-0.6.5-1.mga5
libssh-devel-0.6.5-1.mga5

from libssh-0.6.5-1.mga5.src.rpm

Assignee:
pterjan =>
qa-bugs

kio_sftp also uses this (sftp:/ protocol in Konqueror).

kio_sftp is really neat. Very straightforward to use:
http://blog.cynapses.org/2009/07/24/kio_sftp-in-action/

CC:
(none) =>
luigiwalser

I forgot to change the release...

(In reply to Pascal Terjan from comment #6)
> I forgot to change the release...

You mean you forgot to add a subrel. Please add it on the line directly above the %mkrel line. Thanks.

Oh you already did.

Updated packages in core/updates_testing:

========================

libssh4-0.6.5-1.1.mga5
libssh-devel-0.6.5-1.1.mga5

from libssh-0.6.5-1.1.mga5.src.rpm

mga5 x86_64 4.1.15-desktop-2.mga5 Mate

Before update.
Needed to install hydra, "a very fast network logon cracker which support many different services"

```
$ sudo urpmi hydra
(medium "Core Release (distrib1)")
hydra 8.1 1.mga5 x86_64
lib64fbclient2 2.5.3.26778 4.mga5 x86_64
lib64ncpfs2.3 2.2.6 18.mga5 x86_64
```

Used test procedure referenced in comment #4.

```
$ hydra -l testuser -p testpass ssh://localhost
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-24 08:09:15
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ssh on port 22
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-24 08:09:18
```

Updated to lib64ssh4-0.6.5-1.1.mga5 and

```
# urpmi --search-media "Updates Testing" lib64ssh-devel
(medium "Core Release (distrib1)")
lib64gpg-error-devel 1.13 3.mga5 x86_64
(medium "Core Updates (distrib3)")
lib64gcrypt-devel 1.5.4 5.2.mga5 x86_64
(medium "Core Updates Testing (distrib5)")
lib64ssh-devel 0.6.5 1.1.mga5 x86_64
```

```
$ hydra -l testuser -p testpass ssh://localhost
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ssh on port 22
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-24 08:19:53
```

CC:
(none) =>
tarazed25
Len Lawrence
2016-02-24 09:25:32 CET
Whiteboard:
has_procedure =>
has_procedure MGA5-64-OK

mga5 i586 in virtualbox 4.4.1-desktop-2.mga5 Mate

Installed hydra for the pre and post update testing of this candidate. Used this command:

```
$ hydra -l testuser -p testpass ssh://localhost
```

to produce the same kind of output as in the 64-bit case, cf comment #9.

lib(64)ssh4 can be validated and pushed to Mageia 5 updates.
Len Lawrence
2016-02-24 10:42:11 CET
Keywords:
(none) =>
validated_update

Adding upstream advisory to references. Also, Ubuntu has issued an advisory for this on February 23:
http://www.ubuntu.com/usn/usn-2912-1

Advisory:

========================

Updated libssh packages fix security vulnerability:

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. Both client and server are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions (CVE-2016-0739).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/
https://www.libssh.org/security/advisories/CVE-2016-0739.txt

URL:
https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/ =>
http://lwn.net/Vulnerabilities/676929/

Advisory uploaded.

Whiteboard:
has_procedure MGA5-64-OK MGA5-32-OK =>
has_procedure advisory MGA5-64-OK MGA5-32-OK

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0082.html

Status:
NEW =>
RESOLVED
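
The bits/bytes confusion described in the advisory above, as an added illustration that is neither libssh's code nor part of this report: a size argument counted in bits is given a value chosen as a byte count, and the secret comes out 128 bits long for both groups. All function names are hypothetical, and the direction of the mix-up (128 intended as bytes) is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_BYTES 256 /* 2048 bits, the larger group size in the advisory */

/* Hypothetical RNG helper whose size argument is in BITS. Fills out[]
 * big-endian from /dev/urandom and sets the top bit so the length is exact.
 * Returns the number of bytes written, or 0 on error. */
static size_t rand_bits(uint8_t *out, unsigned nbits)
{
    size_t nbytes = (nbits + 7) / 8, got = 0;
    FILE *f = (nbits && nbytes <= MAX_BYTES) ? fopen("/dev/urandom", "rb") : NULL;
    if (f) { got = fread(out, 1, nbytes, f); fclose(f); }
    if (got != nbytes || nbytes == 0) return 0;
    unsigned top = (nbits - 1) % 8;              /* top bit within out[0] */
    out[0] = (uint8_t)((out[0] & ((1u << (top + 1)) - 1)) | (1u << top));
    return nbytes;
}

/* Bit length of a big-endian integer (0 for an empty or all-zero buffer). */
static unsigned bit_length(const uint8_t *buf, size_t len)
{
    while (len && *buf == 0) { buf++; len--; }
    unsigned bits = (unsigned)len * 8;
    for (uint8_t b = len ? *buf : 0x80; !(b & 0x80); b = (uint8_t)(b << 1)) bits--;
    return bits;
}

/* Confused caller (assumed shape of the bug): 128 was meant as bytes,
 * i.e. 1024 bits, but rand_bits() counts bits. */
unsigned secret_bits_confused(unsigned group_bits)
{
    uint8_t x[MAX_BYTES];
    (void)group_bits;
    return bit_length(x, rand_bits(x, 128));
}

/* Corrected caller: pass the group size in the unit the helper expects. */
unsigned secret_bits_corrected(unsigned group_bits)
{
    uint8_t x[MAX_BYTES];
    return bit_length(x, rand_bits(x, group_bits));
}

int main(void)
{
    unsigned groups[] = {1024, 2048}; /* group1 and group14 sizes from the advisory */
    for (int i = 0; i < 2; i++)
        printf("group %u: confused=%u corrected=%u\n", groups[i],
               secret_bits_confused(groups[i]), secret_bits_corrected(groups[i]));
}
```

A regression test that asserts the bit length of the generated secret against the group size catches this class of bug; the hydra login test in the comments above only shows that the updated library still completes a handshake.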