| Summary: | libssh new security issues fixed in 0.5.3 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | anssi.hannula, balcaen.john, davidwhodgins, fundawang, guillomovitch, mageia, oe, oliver.bgr, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/527128/ | ||
| Whiteboard: | MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK | ||
| Source RPM: | libssh-0.5.2-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-11-23 17:16:22 CET
David Walser
2012-11-23 17:16:57 CET
Whiteboard:
(none) =>
MGA2TOO, MGA1TOO
David Walser
2012-11-23 17:18:20 CET
CC:
(none) =>
nicolas.lecureuil
David Walser
2012-11-23 17:18:37 CET
CC:
(none) =>
balcaen.john
David Walser
2012-11-23 17:18:47 CET
CC:
(none) =>
anssi.hannula
David Walser
2012-11-23 17:19:05 CET
CC:
(none) =>
oliver.bgr
David Walser
2012-11-23 17:19:24 CET
CC:
(none) =>
guillomovitch

This library is used by xbmc, x2goclient, hydra, and kdebase4-runtime.

Some of the other bugs fixed in 0.5.3 (like use after free, for example) are sometimes considered security bugs too. Should we just strictly use the CVE patches for the Mageia 2 update (currently has 0.5.2) or update to 0.5.3?

CC:
(none) =>
oe

SuSE has issued an advisory for this on November 21:
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html

Given that is for version 0.2, 0.4 should be affected.

David Walser
2012-11-26 17:01:15 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/526468/
David Walser
2012-11-26 19:48:25 CET
CC:
(none) =>
fundawang
David Walser
2012-11-26 19:48:32 CET
CC:
(none) =>
thierry.vignaud

Fixed in Cauldron by updating to 0.5.3.

Version:
Cauldron =>
2

CVE patches rediffed for 0.5.2 and 0.4.7. If anyone wants to update Mageia 2 to 0.5.3 instead, please speak up soon.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and improper overflow checks in libssh before 0.5.3 could enable a denial of service attack against libssh clients (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html
========================

Updated packages in core/updates_testing:
========================
libssh4-0.4.7-1.1.mga1
libssh-devel-0.4.7-1.1.mga1
libssh4-0.5.2-1.1.mga2
libssh-devel-0.5.2-1.1.mga2

from SRPMS:
libssh-0.4.7-1.1.mga1.src.rpm
libssh-0.5.2-1.1.mga2.src.rpm

Assignee:
bugsquad =>
qa-bugs

Testing complete on Mageia 2 x86-64.

No poc, so just testing that it works.

For testing, I restarted kde, to ensure the new version of the lib would be used, and then used konqueror fish://dave@mine/home/dave to access my old computer, which is set up for passwordless ssh access, with the following in .ssh/config

    Host mine
        Hostname 192.168.10.101
        Port munged
        User dave

I'll test i586 and Mageia 1 shortly.

CC:
(none) =>
davidwhodgins

Testing complete on Mageia 2 i586, Mageia 1 x86-64 and i586.

Could someone from the sysadmin team push the srpm
libssh-0.5.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
libssh-0.4.7-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and improper overflow checks in libssh before 0.5.3 could enable a denial of service attack against libssh clients (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html

https://bugs.mageia.org/show_bug.cgi?id=8188

Keywords:
(none) =>
validated_update

Ubuntu has issued an advisory for this on November 26:
http://www.ubuntu.com/usn/usn-1640-1/

Theirs actually addresses all 4 CVEs, and notes possible remote code execution. I'm updating the advisory based on this.

Advisory:

Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and improper overflow checks in libssh before 0.5.3 could enable a denial of service attack against libssh clients, or possibly arbitrary code execution (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://www.ubuntu.com/usn/usn-1640-1/

https://bugs.mageia.org/show_bug.cgi?id=8188

URL:
http://lwn.net/Vulnerabilities/526468/ =>
http://lwn.net/Vulnerabilities/527128/

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0344

Status:
NEW =>
RESOLVED