Bug 31925

Summary:	libssh new security issues CVE-2023-1667 and CVE-2023-2283
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	libssh-0.9.6-1.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2023-05-15 16:48:17 CEST

Upstream has issued advisories on May 4:
https://www.libssh.org/security/advisories/CVE-2023-1667.txt
https://www.libssh.org/security/advisories/CVE-2023-2283.txt

The issues are fixed upstream in 0.9.7 and 0.10.5:
https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/

Fedora has issued an advisory for this on May 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4KR3JZOQP2PX7KTYELHWXLPT3JRJXUM/

Mageia 8 is also affected.

David Walser 2023-05-15 16:48:38 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.9.7 and 0.10.5

Comment 1 Lewis Smith 2023-05-15 21:30:10 CEST

Neither 'fixed' version is yet in Cauldron.
Is 0.9.7 for M8, 0.10.5 for M9?

Various packagers involved with libssh, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-05-16 13:50:34 CEST

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Potential NULL dereference during rekeying with algorithm guessing. (CVE-2023-1667)

Authorization bypass in pki_verify_data_signature. (CVE-2023-2283)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1667
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2283
https://www.libssh.org/security/advisories/CVE-2023-1667.txt
https://www.libssh.org/security/advisories/CVE-2023-2283.txt
https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4KR3JZOQP2PX7KTYELHWXLPT3JRJXUM/
========================

Updated packages in core/updates_testing:
========================
lib(64)ssh4-0.9.7-1.mga8
lib(64)ssh-devel-0.9.7-1.mga8

from SRPM:
libssh-0.9.7-1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Source RPM: libssh-0.10.4-1.mga9.src.rpm => libssh-0.9.6-1.mga8.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 0.9.7 and 0.10.5 => (none)
Assignee: pkg-bugs => qa-bugs

PC LX 2023-05-17 12:02:12 CEST

CC: (none) => mageia

Comment 3 Herman Viaene 2023-05-17 13:54:45 CEST

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 29419 and 27036, use remmina to connect to my desktop PC: works OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-05-19 01:42:15 CEST

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 02:32:04 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-05-21 10:44:38 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0184.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED