Fedora has issued an advisory on December 20:
The issue is fixed upstream in 0.6.4:
Updated package committed to Cauldron SVN. Freeze push requested.
Patched package uploaded for Mageia 4.
Updated libssh packages fix security vulnerability:
Double free vulnerability in the ssh_packet_kexinit function in kex.c in
libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial
of service via a crafted kexinit packet (CVE-2014-8132).
Updated packages in core/updates_testing:
MGA4-64 on HP Probook 6555b KDE.
No installation issues. As per bug 12942, I checked that I can stop/start sshd successfully.
MGA4-32 on Acer D620 Xfce.
Same result as Comment 1.
Not so fast. sshd has nothing to do with this.
$ urpmq --whatrequires libssh4 | uniq
I believe Claire tested hydra last time we updated this.
David, I believe you. So, bug 12942 Comment 1 set me on the wrong foot??
MGA4-64 on HP Probook 6555b KDE
No installation issues.
Used hydra to test:
strace -o hydra hydra -l tester -p tester ssh://localhost
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-08 10:28:35
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-01-08 10:28:35
strace confirms that libssh.so.4 is used.
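
The strace check from the comment above, as an added example that is not part of the original bug report: a plain grep for libssh.so.4 also matches the dynamic loader's failed probes, so this counts only opens that returned a file descriptor. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `strace -o <file>` output (not taken from the bug report).
# The first line is a failed probe of the library search path; the second succeeds.
sample_strace_log() {
cat <<'EOF'
open("/usr/lib64/tls/libssh.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# loaded_libs SONAME LOGFILE
# Print each path containing SONAME that was opened successfully, i.e. the
# open()/openat() call returned a file descriptor rather than -1.
# An optional leading PID column (strace -f) is tolerated.
loaded_libs() {
    awk -v so="$1" '
        /^([0-9]+ +)?(open|openat)\(/ && $NF ~ /^[0-9]+$/ && match($0, /"[^"]+"/) {
            path = substr($0, RSTART + 1, RLENGTH - 2)   # strip the quotes
            if (index(path, so)) print path
        }' "$2" | sort -u
}

# uses_lib SONAME LOGFILE
# Exit status 0 if the traced process really mapped SONAME, 1 otherwise.
uses_lib() {
    [ -n "$(loaded_libs "$1" "$2")" ]
}

# Usage with the trace written by the command in the comment above:
#   uses_lib libssh.so.4 hydra && echo "test exercised libssh"
```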
MGA4-32 on Acer D620.
Same results as Comment 6.
Validating. Advisory uploaded.
Please push to 4 updates
An update for this issue has been pushed to Mageia Updates repository.