libssh 0.6.3 has been announced on March 4, fixing a security issue: http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/ Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated libssh packages fix security vulnerability: When using libssh before 0.6.3, a libssh-based server, when accepting a new connection, forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but simply adds the current process id (getpid) to the PRNG state, which is not guaranteed to be unique. The most important consequence is that servers using EC (ECDSA) or DSA certificates may under certain conditions leak their private key (CVE-2014-0017). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0017 http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0017 ======================== Updated packages in core/updates_testing: ======================== libssh4-0.5.4-1.1.mga3 libssh-devel-0.5.4-1.1.mga3 libssh4-0.5.5-2.1.mga4 libssh-devel-0.5.5-2.1.mga4 from SRPMS: libssh-0.5.4-1.1.mga3.src.rpm libssh-0.5.5-2.1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
No poc, so just testing that ssh server still works. Testing shortly.
CC: (none) => davidwhodginsWhiteboard: MGA3TOO => MGA3TOO advisory
Testing complete on Mageia 3 and 4, i586 and x86_64. Someone from the sysadmin team please push 12942.adv to updates.
Keywords: (none) => validated_updateWhiteboard: MGA3TOO advisory => MGA3TOO advisory MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OKCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0119.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/589740/