libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard's rho) that can solve this problem in O(2^63) operations. Both client and server are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions. The bug was found during an internal code review by Aris Adamantiadis of the libssh team.

Packages were uploaded in cauldron and in 5/core/updates_testing
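The bits/bytes confusion described in the report above, as an added example that is not part of the original report and is not libssh's code. The helper rand_bits and the other function names are hypothetical, and only the diffie-hellman-group1 case (1024-bit group, 128 bytes) is modelled.

```c
#include <stdio.h>
#include <string.h>

#define GROUP1_BYTES 128 /* diffie-hellman-group1: 1024-bit group = 128 bytes */

/* Hypothetical RNG helper (not a libssh API): writes a random big-endian
 * integer of exactly nbits bits, right-aligned in out. Returns 0 on success. */
static int rand_bits(unsigned char *out, size_t out_len, size_t nbits)
{
    size_t nbytes = (nbits + 7) / 8;
    if (nbits == 0 || nbytes > out_len) return -1;
    memset(out, 0, out_len);
    unsigned char *p = out + (out_len - nbytes);
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(p, 1, nbytes, f);
    fclose(f);
    if (got != nbytes) return -1;
    unsigned top = (unsigned)((nbits - 1) % 8);      /* top bit position in p[0] */
    p[0] &= (unsigned char)((1u << (top + 1)) - 1u); /* drop bits above nbits */
    p[0] |= (unsigned char)(1u << top);              /* force the exact length */
    return 0;
}

/* Number of significant bits in a big-endian buffer. */
static size_t bit_length(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0) continue;
        size_t bits = (len - i) * 8;
        for (unsigned char m = 0x80; (buf[i] & m) == 0; m >>= 1) bits--;
        return bits;
    }
    return 0;
}

/* Generate the ephemeral secret and return its size in bits (0 on error).
 * confused=1 reproduces the bug class: a byte count passed where bits are meant. */
size_t secret_bits(size_t group_bytes, int confused)
{
    unsigned char x[GROUP1_BYTES];
    size_t nbits = confused ? group_bytes : group_bytes * 8;
    if (rand_bits(x, sizeof x, nbits) != 0) return 0;
    return bit_length(x, sizeof x);
}

/* Regression check: the secret must be as wide as the group. */
int secret_length_ok(size_t bits, size_t group_bytes) { return bits == group_bytes * 8; }

int main(void)
{
    printf("confused: %zu bits, fixed: %zu bits\n",
           secret_bits(GROUP1_BYTES, 1), secret_bits(GROUP1_BYTES, 0));
    return 0;
}
```

A check like secret_length_ok in a unit test catches this class of error, because the mistaken call still succeeds and the key exchange still completes.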
Assigning to packagers collectively since ssh does not have a registered maintainer.
Assignee: bugsquad => pkg-bugs
Note the last line, I created the update candidate already :)
Oops, assigning to you then, as you should have, until you decide it's ready for QA!
Assignee: pkg-bugs => pterjan
Testing procedure (please note that openssh does *not* use this):
https://bugs.mageia.org/show_bug.cgi?id=8880#c2

Advisory:
========================

Updated libssh packages fix security vulnerability:

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. Both client and server are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions (CVE-2016-0739).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/
========================

Updated packages in core/updates_testing:
========================
libssh4-0.6.5-1.mga5
libssh-devel-0.6.5-1.mga5

from libssh-0.6.5-1.mga5.src.rpm
Assignee: pterjan => qa-bugs
Whiteboard: (none) => has_procedure
kio_sftp also uses this (sftp:/ protocol in Konqueror). kio_sftp is really neat. Very straightforward to use: http://blog.cynapses.org/2009/07/24/kio_sftp-in-action/
CC: (none) => luigiwalser
I forgot to change the release...
(In reply to Pascal Terjan from comment #6)
> I forgot to change the release...

You mean you forgot to add a subrel. Please add it on the line directly above the %mkrel line. Thanks.
Oh you already did.

Updated packages in core/updates_testing:
========================
libssh4-0.6.5-1.1.mga5
libssh-devel-0.6.5-1.1.mga5

from libssh-0.6.5-1.1.mga5.src.rpm
mga5 x86_64 4.1.15-desktop-2.mga5 Mate

Before update.
Needed to install hydra, "a very fast network logon cracker which support many different services"

$ sudo urpmi hydra
(medium "Core Release (distrib1)")
hydra 8.1 1.mga5 x86_64
lib64fbclient2 2.5.3.26778 4.mga5 x86_64
lib64ncpfs2.3 2.2.6 18.mga5 x86_64

Used test procedure referenced in comment #4.

$ hydra -l testuser -p testpass ssh://localhost
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-24 08:09:15
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ssh on port 22
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-24 08:09:18

Updated to lib64ssh4-0.6.5-1.1.mga5 and

# urpmi --search-media "Updates Testing" lib64ssh-devel
(medium "Core Release (distrib1)")
lib64gpg-error-devel 1.13 3.mga5 x86_64
(medium "Core Updates (distrib3)")
lib64gcrypt-devel 1.5.4 5.2.mga5 x86_64
(medium "Core Updates Testing (distrib5)")
lib64ssh-devel 0.6.5 1.1.mga5 x86_64

$ hydra -l testuser -p testpass ssh://localhost
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ssh on port 22
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-24 08:19:53
CC: (none) => tarazed25
Whiteboard: has_procedure => has_procedure MGA5-64-OK
mga5 i586 in virtualbox 4.4.1-desktop-2.mga5 Mate

Installed hydra for the pre and post update testing of this candidate. Used this command:
$ hydra -l testuser -p testpass ssh://localhost
to produce the same kind of output as in the 64-bit case, cf comment #9.

lib(64)ssh4 can be validated and pushed to Mageia 5 updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
Adding upstream advisory to references. Also, Ubuntu has issued an advisory for this on February 23:
http://www.ubuntu.com/usn/usn-2912-1

Advisory:
========================

Updated libssh packages fix security vulnerability:

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. Both client and server are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions (CVE-2016-0739).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/
https://www.libssh.org/security/advisories/CVE-2016-0739.txt
URL: https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/ => http://lwn.net/Vulnerabilities/676929/
Severity: normal => major
Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0082.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED