Upstream has issued advisories on March 18: https://www.openwall.com/lists/oss-security/2019/03/18/3 The issues are fixed upstream in 1.8.1. Patches are linked from the message above (and the individual advisories). Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.8.1
libssh2-1.8.1-1.mga7 uploaded for Cauldron by David Geiger.
CC: (none) => geiger.david68210
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Hmmm! 5 patches don't apply properly! Better to go with 1.8.1 for mga6 too?
SUSE has issued an advisory for this today (March 19): http://lists.suse.com/pipermail/sle-security-updates/2019-March/005203.html So the patches should be backportable.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Possible integer overflow in transport read allows out-of-bounds write. (CVE-2019-3855)

Possible integer overflow in keyboard interactive handling allows out-of-bounds write. (CVE-2019-3856)

Possible integer overflow leading to zero-byte allocation and out-of-bounds write. (CVE-2019-3857)

Possible zero-byte allocation leading to an out-of-bounds read. (CVE-2019-3858)

Out-of-bounds reads with specially crafted payloads due to unchecked use of `_libssh2_packet_require` and `_libssh2_packet_requirev`. (CVE-2019-3859)

Out-of-bounds reads with specially crafted SFTP packets. (CVE-2019-3860)

Out-of-bounds reads with specially crafted SSH packets. (CVE-2019-3861)

Out-of-bounds memory comparison. (CVE-2019-3862)

Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes. (CVE-2019-3863)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863
https://www.openwall.com/lists/oss-security/2019/03/18/3
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005203.html
========================

Updated packages in core/updates_testing:
========================
lib(64)ssh2_1-1.7.0-2.1.mga6
lib(64)ssh2-devel-1.7.0-2.1.mga6

from SRPMS:
libssh2-1.7.0-2.1.mga6.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: libssh2-1.8.0-2.mga7.src.rpm => libssh2-1.7.0-2.mga6.src.rpm
CC: (none) => nicolas.salguero
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Checked content of the libssh2. It just contains the libssh.so file, so it has nothing to do directly with the ssh server.
Checked at CLI:
# urpmq --whatrequires libssh2_1
aria2
aria2
and further mc
ssh server does not show on this list.
So tried both commands from CLI as
$ strace -o libssh.txt mc
similar for aria, and both traces show calls to libssh2.so.1, and mc and aria work OK.
OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Non-devel library installs cleanly on 64-bit. Validating. Suggested advisory in comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0139.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
For additional reference, Debian has issued an advisory for this on April 13: https://www.debian.org/security/2019/dsa-4431