Upstream has issued an advisory on February 23: https://www.libssh2.org/adv_20160223.html The upstream patch is committed in SVN (and Cauldron is updated to 1.7.0), but the upstream commit to fix this issue has already attracted some comments: https://github.com/libssh2/libssh2/commit/ca5222ea819cc5ed797860070b4c6c1aeeb28420 Holding off on building the Mageia 5 update until the correctness of the fix is established. RedHat bug for this: https://bugzilla.redhat.com/show_bug.cgi?id=1306021
Debian has issued an advisory for this on February 23: https://www.debian.org/security/2016/dsa-3487
URL: (none) => http://lwn.net/Vulnerabilities/676927/
There's also comments in this thread: https://www.libssh2.org/mail/libssh2-devel-archive-2016-02/0029.shtml
no new infos, lets push this update now . SRPMS: libssh2-1.4.3-6.1.mga5
CC: (none) => mageiaAssignee: luigiwalser => qa-bugs
Advisory: ======================== Updated libssh packages fix security vulnerability: Andreas Schneider reported that libssh2 passes the number of bytes to a function that expects number of bits during the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffie-Hellman negotiation. This weakens significantly the handshake security, potentially allowing an eavesdropper with enough resources to decrypt or intercept SSH sessions (CVE-2016-0787). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787 https://www.libssh2.org/adv_20160223.html https://www.debian.org/security/2016/dsa-3487 ======================== Updated packages in core/updates_testing: ======================== libssh2_1-1.4.3-6.1.mga5 libssh2-devel-1.4.3-6.1.mga5 from libssh2-1.4.3-6.1.mga5.src.rpm
Looking at this on x86_64. An exchange at https://bugs.gnupg.org/gnupg/issue2256 describes a procedure for running the curl test suite against gcrypt&libssh2 as part of an experiment to expose the bug, maybe. I cannot make much of that and cannot see anything else approximating to a PoC so will confine this test to before and after functionality.
CC: (none) => tarazed25
Installed the development package $ urpmq --requires-recursive openssh-server | grep lib64ssh2_1 lib64ssh2_1 $ systemctl status sshd.service â sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) Active: active (running) since Fri 2016-11-11 12:56:55 GMT; 1 weeks 0 days ago Main PID: 1839 (sshd) CGroup: /system.slice/sshd.service ââ1839 /usr/sbin/sshd -D ssh is in constant use so no preliminary testing is required. Installed the updates and restarted the sshd service. On belexeuli: Remote login to cursa = i586 vbox guest on another machine (vega). From that session copied a postscript file to belexeuli using scp. From the cursa session remote login to belexeuli and displayed the copied file in the doubly remote session on belexeuli. That worked fine. $ hostname belexeuli In belexeuli remote pushed a jpeg file to cursa and logged out of belexeuli remote back to cursa remote. Displayed the copied file OK. Ran 'sudo ifconfig' to confirm that the address of localhost agreed with the address for cursa. In the cursa remote session pulled another jpeg file from belexeuli and displayed that OK. Moved to cursa and installed the updates for i586 and restarted the sshd server. Carried out similar tests with the cursa host = vega, including a double remote login: cursa -> vega -> belexeuli. All worked well. pinging other hosts also worked fine.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA5-64-OK MGA5-32-OKCC: (none) => sysadmin-bugs
CC: (none) => davidwhodginsWhiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0392.html
Status: NEW => RESOLVEDResolution: (none) => FIXED