Fedora has issued an advisory on December 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147464.html

The issue is fixed upstream in 0.6.4:
http://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/

Updated package committed to Cauldron SVN. Freeze push requested.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated libssh packages fix security vulnerability:

Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet (CVE-2014-8132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8132
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147464.html
========================

Updated packages in core/updates_testing:
========================
libssh4-0.5.5-2.2.mga4
libssh-devel-0.5.5-2.2.mga4

from libssh-0.5.5-2.2.mga4.src.rpm
MGA4-64 on HP Probook 6555b KDE. No installation issues. As per bug 12942, I checked that I can stop/start sshd successfully.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK
MGA4-32 on Acer D620 Xfce. Same result as Comment 1.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA-32-OK
Not so fast. sshd has nothing to do with this.

$ urpmq --whatrequires libssh4 | uniq
hydra
kdebase4-runtime
libssh-devel
libssh4
remmina
remmina-plugins-nx
sshtrix
x2goclient
x2goclient-mozilla-plugin
xbmc

I believe Claire tested hydra last time we updated this.
Whiteboard: MGA4-64-OK MGA-32-OK => (none)
https://bugs.mageia.org/show_bug.cgi?id=8880#c2
David, I believe you. So, bug 12942 Comment 1 set me on the wrong foot??
MGA4-64 on HP Probook 6555b KDE
No installation issues.
Used hydra to test:

strace -o hydra hydra -l tester -p tester ssh://localhost
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-08 10:28:35
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-01-08 10:28:35

strace confirms that libssh.so.4 is used.
Whiteboard: (none) => MGA4-64-OK
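To make the strace check in the comment above repeatable, here is an added example (not code from the bug report, libssh or Mageia) that parses an strace log and lists the shared objects the traced process actually opened, skipping the loader's failed probes so that a libssh path that hit ENOENT is not mistaken for a loaded library. The lines in SAMPLE_STRACE are constructed to resemble the hydra run above, not copied from it, and the script name check_strace.py in the usage comment is an assumption.

```python
"""Check an strace log for which shared objects the traced program really loaded.

Added example for this QA thread; it is not code from libssh, Mageia or the
bug report. It answers the question asked in the thread: after
`strace -o hydra hydra ...`, was libssh.so.4 actually opened by the process?
"""
import os
import re
import sys
from typing import List

# Matches open()/openat() lines as strace prints them, with an optional PID
# column (strace -f), and captures the path and the return value.
_OPEN_RE = re.compile(
    r'^(?:\d+\s+)?'
    r'(?:open|openat)\((?:AT_FDCWD,\s*)?'
    r'"(?P<path>[^"]+)"[^)]*\)\s*=\s*(?P<ret>-?\d+)'
)

# A shared object name: ends in .so, optionally followed by version numbers.
_SO_RE = re.compile(r'\.so(?:\.\d+)*$')

# Constructed sample lines, written to look like the trace of the hydra run
# in the thread; they are NOT the real trace from the bug report. The failed
# probe of /usr/local/lib64 shows why a plain grep for "libssh" is not enough.
SAMPLE_STRACE = """\
execve("/usr/bin/hydra", ["hydra", "-l", "tester", "-p", "tester", "ssh://localhost"], [/* 40 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/local/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3
open("/home/tester/.ssh/known_hosts", O_RDONLY) = 4
"""


def loaded_shared_objects(strace_text: str) -> List[str]:
    """Return the shared objects the traced process opened successfully, in order.

    Failed opens (return value -1) are skipped: the dynamic loader probes several
    directories for each library, and a probe that hit ENOENT loaded nothing.
    """
    libs: List[str] = []
    for line in strace_text.splitlines():
        m = _OPEN_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if int(m.group("ret")) < 0:
            continue
        if _SO_RE.search(path) and path not in libs:
            libs.append(path)
    return libs


def uses_library(strace_text: str, soname: str) -> bool:
    """True if a file named exactly `soname` (e.g. libssh.so.4) or a more
    specific version of it (e.g. libssh.so.4.3.0) was successfully opened."""
    for path in loaded_shared_objects(strace_text):
        base = os.path.basename(path)
        if base == soname or base.startswith(soname + "."):
            return True
    return False


if __name__ == "__main__":
    # Usage: python check_strace.py <strace-log> <soname>; without arguments it
    # falls back to the constructed sample and libssh.so.4 so it runs offline.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        soname = sys.argv[2]
    else:
        text, soname = SAMPLE_STRACE, "libssh.so.4"
    for lib in loaded_shared_objects(text):
        print(lib)
    print("%s loaded: %s" % (soname, uses_library(text, soname)))
```

Run it against the real log written by `strace -o hydra ...` to get the same answer the comment reports, and note that the library list also tells you which other packages' updates (libssl, libgcrypt) the tested binary depends on.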
MGA4-32 on AcerD620. Same results as Comment 6.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0014.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED