Bug 26462

Summary: libssh new security issue CVE-2020-1730
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libssh-0.8.8-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-04-09 19:17:00 CEST 
Upstream has issued an advisory today (April 9):
https://www.libssh.org/security/advisories/CVE-2020-1730.txt

The issue is fixed upstream in 0.8.9 and 0.9.4:
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/

Mageia 7 is also affected.
David Walser 2020-04-09 19:17:23 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.8.9 and 0.9.4

Comment 1 David Walser 2020-04-09 19:36:49 CEST 
Updated packages uploaded by David Geiger.

Advisory:
========================

Updated libssh packages fix security vulnerability:

A malicious client or server could crash the counterpart implemented with
libssh AES-CTR ciphers are used and don't get fully initialized. It will crash
when it tries to cleanup the AES-CTR ciphers when closing the connection
(CVE-2020-1730).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1730
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
========================

Updated packages in core/updates_testing:
========================
libssh4-0.8.9-1.mga7
libssh-devel-0.8.9-1.mga7

from libssh-0.8.9-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: libssh-0.9.3-2.mga8.src.rpm, libssh-0.8.8-1.mga7.src.rpm => libssh-0.8.8-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 0.8.9 and 0.9.4 => (none)

Comment 2 David Walser 2020-04-09 22:07:11 CEST 
Ubuntu has issued an advisory for this today (April 9):
https://usn.ubuntu.com/4327-1/

Severity: normal => major

Comment 3 Herman Viaene 2020-04-10 11:42:59 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 25865  Comment 6 for testing.
So at CLI:
$ strace -o lib64ssh4.txt remmina
StatusNotifier/Appindicator support: your desktop does support it and libappindicator is compiled in remmina. Good!
WARNING: Remmina is running without a secret plugin. Passwords will be saved in a less secure way.
and a few more wernings
Connected remmina to my desktop and that worked OK.
Trace shows 
openat(AT_FDCWD, "/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3

So all seems OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-04-10 17:02:32 CEST 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-04-15 10:45:46 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-04-15 12:13:56 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0171.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED