| Summary: | libssh new security issue CVE-2021-3634 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, geiger.david68210, joequant, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libssh-0.9.5-1.mga8.src.rpm | CVE: | CVE-2021-3634 |
| Status comment: | |||
|
Description
David Walser
2021-08-27 17:30:55 CEST
David Walser
2021-08-27 17:31:11 CEST
Whiteboard:
(none) =>
MGA8TOO Ubuntu has issued an advisory for this on August 26: https://ubuntu.com/security/notices/USN-5053-1 Severity:
normal =>
major Assigning to DavidG who has dealt with this in the past; CC'ing Joseph who did the most recent update, and may be willing to deal with this. Assignee:
bugsquad =>
geiger.david68210 Debian has issued an advisory for this on August 31: https://www.debian.org/security/2021/dsa-4965 Reassigning to all packagers collectively, because Daviddavid hasn't been around so far this summer. libssh-0.9.6 built fine in cauldron locally and lib64ssh4-0.9.6 installed fine, too, but I have no understanding of the package and nothing on my system needs lib64ssh4, so I can't test it and therefore won't commit it, sorry. Assignee:
geiger.david68210 =>
pkg-bugs Suggested advisory: ======================== The updated packages fix a security vulnerability: A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange. (CVE-2021-3634) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3634 https://www.libssh.org/security/advisories/CVE-2021-3634.txt https://www.libssh.org/2021/08/26/libssh-0-9-6-security-release/ https://ubuntu.com/security/notices/USN-5053-1 https://www.debian.org/security/2021/dsa-4965 ======================== Updated packages in core/updates_testing: ======================== lib(64)ssh4-0.9.6-1.mga8 lib(64)ssh-devel-0.9.6-1.mga8 from SRPM: libssh-0.9.6-1.mga8.src.rpm Assignee:
pkg-bugs =>
qa-bugs MGA8-64 $ uname -a Linux localhost 5.10.62-desktop-1.mga8 #1 SMP Fri Sep 3 14:47:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux installed lib64ssh4 - used keygen to generate a new private/public key - published public key - able to connect to remote server with new key seems to work if this is a valid test. Whiteboard:
(none) =>
MGA8-64-OK Openssh itself doesn't use this library, so you'd have to use something that does for it to be a valid test. taking off the okay then until I can confirm the library. Whiteboard:
MGA8-64-OK =>
(none) installed remmina strace -o lib64ssh4.txt remmina attempted connection to remote linux server in log I see openat(AT_FDCWD, "/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3 seems to be responding and working.
Brian Rockwell
2021-09-09 23:24:18 CEST
Whiteboard:
(none) =>
MGA8-64-OK Validating. Advisory in Comment 5. Keywords:
(none) =>
validated_update
Dave Hodgins
2021-09-22 21:46:02 CEST
CC:
(none) =>
davidwhodgins An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0441.html Status:
ASSIGNED =>
RESOLVED |