| Summary: | libssh2 new security issue CVE-2016-0787 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/676927/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | libssh2-1.4.3-6.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-02-24 15:56:31 CET
Debian has issued an advisory for this on February 23: https://www.debian.org/security/2016/dsa-3487 URL:
(none) =>
http://lwn.net/Vulnerabilities/676927/ There's also comments in this thread: https://www.libssh2.org/mail/libssh2-devel-archive-2016-02/0029.shtml no new infos, lets push this update now . SRPMS: libssh2-1.4.3-6.1.mga5 CC:
(none) =>
mageia Advisory: ======================== Updated libssh packages fix security vulnerability: Andreas Schneider reported that libssh2 passes the number of bytes to a function that expects number of bits during the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffie-Hellman negotiation. This weakens significantly the handshake security, potentially allowing an eavesdropper with enough resources to decrypt or intercept SSH sessions (CVE-2016-0787). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787 https://www.libssh2.org/adv_20160223.html https://www.debian.org/security/2016/dsa-3487 ======================== Updated packages in core/updates_testing: ======================== libssh2_1-1.4.3-6.1.mga5 libssh2-devel-1.4.3-6.1.mga5 from libssh2-1.4.3-6.1.mga5.src.rpm Looking at this on x86_64. An exchange at https://bugs.gnupg.org/gnupg/issue2256 describes a procedure for running the curl test suite against gcrypt&libssh2 as part of an experiment to expose the bug, maybe. I cannot make much of that and cannot see anything else approximating to a PoC so will confine this test to before and after functionality. CC:
(none) =>
tarazed25 Installed the development package
$ urpmq --requires-recursive openssh-server | grep lib64ssh2_1
lib64ssh2_1
$ systemctl status sshd.service
â sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Fri 2016-11-11 12:56:55 GMT; 1 weeks 0 days ago
Main PID: 1839 (sshd)
CGroup: /system.slice/sshd.service
ââ1839 /usr/sbin/sshd -D
ssh is in constant use so no preliminary testing is required.
Installed the updates and restarted the sshd service.
On belexeuli:
Remote login to cursa = i586 vbox guest on another machine (vega).
From that session copied a postscript file to belexeuli using scp.
From the cursa session remote login to belexeuli and displayed the copied file in
the doubly remote session on belexeuli.
That worked fine.
$ hostname
belexeuli
In belexeuli remote pushed a jpeg file to cursa and logged out of belexeuli remote back to cursa remote. Displayed the copied file OK.
Ran 'sudo ifconfig' to confirm that the address of localhost agreed with the address for cursa.
In the cursa remote session pulled another jpeg file from belexeuli and displayed that OK.
Moved to cursa and installed the updates for i586 and restarted the sshd server.
Carried out similar tests with the cursa host = vega, including a double remote login:
cursa -> vega -> belexeuli. All worked well. pinging other hosts also worked fine.
Len Lawrence
2016-11-18 19:47:21 CET
Keywords:
(none) =>
validated_update
Dave Hodgins
2016-11-21 19:52:48 CET
CC:
(none) =>
davidwhodgins An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0392.html Status:
NEW =>
RESOLVED |