Debian has issued an advisory on November 13: https://www.debian.org/lts/security/2019/dla-1991 https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943562 https://security-tracker.debian.org/tracker/CVE-2019-17498 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOCC: (none) => zombie.ryushu
libssh2-1.9.0-2.mga8 uploaded by David Geiger to fix Cauldron. Mageia 7 patched build failed.
Whiteboard: MGA7TOO => (none)Version: Cauldron => 7CC: (none) => geiger.david68210
Suggested advisory: ======================== The updated packages fix a security vulnerability: In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498 https://www.debian.org/lts/security/2019/dla-1991 https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943562 https://security-tracker.debian.org/tracker/CVE-2019-17498 ======================== Updated packages in core/updates_testing: ======================== lib(64)ssh2_1-1.8.2-1.1.mga7 lib(64)ssh2-devel-1.8.2-1.1.mga7 from SRPMS: libssh2-1.8.2-1.1.mga7.src.rpm
CC: (none) => nicolas.salgueroAssignee: bugsquad => qa-bugsCVE: (none) => CVE-2019-17498Status: NEW => ASSIGNEDSource RPM: libssh2-1.9.0-1.mga8.src.rpm => libssh2-1.8.2-1.mga7.src.rpm
Installed and tested without issues. Tested with aria2c, mc and nmap. Also tried testing with vlc but strace did not show the libssh2 being loaded or used. System: Mageia 7, x86_64, Intel CPU. $ uname -a Linux marte 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 21:10:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep ssh2 lib64ssh2_1-1.8.2-1.1.mga7 $ rpm -q mc aria2 nmap mc-4.8.22-1.mga7 aria2-1.34.0-3.mga7 nmap-7.70-2.1.mga7 $ urpmq --whatrequires lib64ssh2_1 | sort -u aria2 cargo lib64git2_28 lib64ssh2_1 lib64ssh2-devel lib64virt0 libvirt-utils mc medusa nmap php-ssh2 qemu-block-ssh rls vlc-plugin-common $ strace -o strace.log mc sftp://pclx@localhost/tmp/ $ grep -i ssh strace.log openat(AT_FDCWD, "/lib64/libssh2.so.1", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/home/pclx/.ssh/config", O_RDONLY) = 9 sendto(9, "SSH-2.0-libssh2_1.8.2\r\n", 23, MSG_NOSIGNAL, NULL, 0) = 23 recvfrom(9, "\0\0\4<\7!\0\0\1\227\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\201"..., 16384, MSG_NOSIGNAL, NULL, NULL) = 1104 connect(10, {sa_family=AF_UNIX, sun_path="/tmp/ssh-KVklOAIawMGa/agent.1667"}, 110) = 0 recvfrom(10, "\f\0\0\0\3\0\0\2\25\0\0\0\7ssh-rsa\0\0\0\1#\0\0\2\1\0\317_"..., 1315, 0, NULL, NULL) = 1315 sendto(10, "\r\0\0\1\27\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\1\0\310,\23l"..., 664, 0, NULL, 0) = 664 recvfrom(10, "\16\0\0\1\17\0\0\0\7ssh-rsa\0\0\1\0'\220\216\373\3115-]\270\340:4"..., 276, 0, NULL, NULL) = 276 $ strace -o strace.log nmap -sV localhost | grep -i ssh 22/tcp open ssh OpenSSH 8.0 (protocol 2.0) $ grep -i ssh strace.log openat(AT_FDCWD, "/lib64/libssh2.so.1", O_RDONLY|O_CLOEXEC) = 3 read(5, "ntry { filename = \"ssh-run.nse\","..., 4096) = 4096 read(5, "i/protocol $1/\n\n# SCS\nmatch ssh "..., 4096) = 4096 read(5, "ol $1/ cpe:/a:openbsd:openssh:$2"..., 4096) = 4096 read(5, "2\\.0-OpenSSH\\r?\\n| p/Linksys WRT"..., 4096) = 4096 read(5, "d/broadband router/\nmatch ssh m|"..., 4096) = 4096 read(5, "TPSSHD_5\\r\\n| p/CrushFTP sftpd/ "..., 4096) = 4096 read(5, "nston:dropbear_ssh_server/\nmatch"..., 4096) = 4096 recvfrom(6, "SSH-2.0-OpenSSH_8.0\r\n", 8192, 0, 0x7fffcf2ae2e0, [128->0]) = 21 $ strace -o strace.log aria2c 'sftp://pclx@localhost/tmp/test' &> /dev/null $ grep -i ssh strace.log openat(AT_FDCWD, "/usr/lib64/libssh2.so.1", O_RDONLY|O_CLOEXEC) = 3 sendto(5, "SSH-2.0-libssh2_1.8.2\r\n", 23, MSG_NOSIGNAL, NULL, 0) = 23 recvfrom(5, "\0\0\4<\10!\0\0\1\227\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\201"..., 16384, MSG_NOSIGNAL, NULL, NULL) = 1104
Whiteboard: (none) => MGA7-64-OKCC: (none) => mageia
Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0343.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
Summary: libssh2 new security issue CVE-2019-17498 => libssh2 new security issues CVE-2019-13115 and CVE-2019-17498CVE: CVE-2019-17498 => CVE-2019-13115, CVE-2019-17498
*** Bug 25934 has been marked as a duplicate of this bug. ***