libssh 0.6.3 has been announced on March 4, fixing a security issue:
Updated package uploaded for Cauldron.
Patched packages uploaded for Mageia 3 and Mageia 4.
Updated libssh packages fix security vulnerability:
When using libssh before 0.6.3, a libssh-based server, when accepting a new
connection, forks and the child process handles the request. The RAND_bytes()
function of openssl doesn't reset its state after the fork, but simply adds
the current process id (getpid) to the PRNG state, which is not guaranteed to
be unique. The most important consequence is that servers using EC (ECDSA) or
DSA certificates may under certain conditions leak their private key.
Updated packages in core/updates_testing:
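To make the failure mode in the advisory concrete, here is an added example (it is not libssh's or OpenSSL's code) that reproduces the forking-server pattern with a stand-in PRNG: a process-wide `random.Random` instance, seeded once in the parent and assumed here to play the role of OpenSSL's RAND state, with each "connection" handled by a forked child that draws a nonce from it. The helper names (`nonces_from_forked_children`, `has_duplicate_nonces`) and the constructed seed are assumptions for the illustration. Without reseeding, every child inherits an identical copy of the parent's state and emits the same bytes; reseeding in the child from the OS entropy source, the general fix for this class of bug, makes them distinct.

```python
import os
import random

NONCE_LEN = 16  # bytes of "random" material each child hands out, e.g. a DSA/ECDSA nonce


def _child_draw_nonce(prng, reseed, write_fd):
    """Runs in the forked child: optionally reseed, then draw one nonce and send it up."""
    if reseed:
        # Fix: discard the inherited state and reseed from the OS. Mixing in only
        # getpid(), as the pre-0.6.3 OpenSSL path did, is not enough because pids
        # are small, predictable and recycled.
        prng.seed(os.urandom(32))
    nonce = prng.getrandbits(NONCE_LEN * 8).to_bytes(NONCE_LEN, "big")
    os.write(write_fd, nonce)
    os.close(write_fd)


def nonces_from_forked_children(n_children=4, reseed=False, seed=1234):
    """Seed a process-wide PRNG once, fork one child per 'connection', collect nonces.

    `seed` is a constructed value standing in for whatever entropy the server
    gathered at startup; the point is that it is gathered once, before forking.
    """
    prng = random.Random(seed)  # stands in for OpenSSL's RAND state
    prng.getrandbits(64)        # the server already used the PRNG before accepting

    nonces = []
    for _ in range(n_children):
        read_fd, write_fd = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: inherits an exact copy of prng's internal state
            os.close(read_fd)
            try:
                _child_draw_nonce(prng, reseed, write_fd)
            finally:
                os._exit(0)
        # parent: read exactly one nonce back from the child
        os.close(write_fd)
        data = b""
        while len(data) < NONCE_LEN:
            chunk = os.read(read_fd, NONCE_LEN - len(data))
            if not chunk:
                break
            data += chunk
        os.close(read_fd)
        os.waitpid(pid, 0)
        nonces.append(data)
    return nonces


def has_duplicate_nonces(nonces):
    """True if two children produced the same 'random' bytes."""
    return len(set(nonces)) != len(nonces)


if __name__ == "__main__":
    print("no reseed  ->", has_duplicate_nonces(nonces_from_forked_children()))
    print("reseed     ->", has_duplicate_nonces(nonces_from_forked_children(reseed=True)))
```

The unreseeded run returns identical nonces from every child, which is exactly the condition under which DSA and ECDSA signatures reveal the private key (two signatures made with the same per-signature nonce). Note that a fresh `random.Random` instance is used deliberately: CPython reseeds only the module-level `random` instance after `fork()`, so the global instance would hide the bug.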
Steps to Reproduce:
No PoC, so just testing that the ssh server still works. Testing shortly.
Testing complete on Mageia 3 and 4, i586 and x86_64.
Someone from the sysadmin team please push 12942.adv to updates.
MGA3TOO advisory => MGA3TOO advisory MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK