Bug 26462 - libssh new security issue CVE-2020-1730
Summary: libssh new security issue CVE-2020-1730
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-09 19:17 CEST by David Walser
Modified: 2020-04-15 12:13 CEST

See Also:
Source RPM: libssh-0.8.8-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-04-09 19:17:00 CEST
Upstream has issued an advisory today (April 9):
https://www.libssh.org/security/advisories/CVE-2020-1730.txt

The issue is fixed upstream in 0.8.9 and 0.9.4:
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/

Mageia 7 is also affected.
David Walser 2020-04-09 19:17:23 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.8.9 and 0.9.4

Comment 1 David Walser 2020-04-09 19:36:49 CEST
Updated packages uploaded by David Geiger.

Advisory:
========================

Updated libssh packages fix security vulnerability:

A malicious client or server could crash the counterpart implemented with
libssh when AES-CTR ciphers are used and don't get fully initialized. It will
crash when it tries to clean up the AES-CTR ciphers when closing the connection
(CVE-2020-1730).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1730
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
========================

Updated packages in core/updates_testing:
========================
libssh4-0.8.9-1.mga7
libssh-devel-0.8.9-1.mga7

from libssh-0.8.9-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: libssh-0.9.3-2.mga8.src.rpm, libssh-0.8.8-1.mga7.src.rpm => libssh-0.8.8-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 0.8.9 and 0.9.4 => (none)

Comment 2 David Walser 2020-04-09 22:07:11 CEST
Ubuntu has issued an advisory for this today (April 9):
https://usn.ubuntu.com/4327-1/

Severity: normal => major

Comment 3 Herman Viaene 2020-04-10 11:42:59 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 25865 Comment 6 for testing.
So at CLI:
$ strace -o lib64ssh4.txt remmina
StatusNotifier/Appindicator support: your desktop does support it and libappindicator is compiled in remmina. Good!
WARNING: Remmina is running without a secret plugin. Passwords will be saved in a less secure way.
and a few more warnings
Connected remmina to my desktop and that worked OK.
Trace shows 
openat(AT_FDCWD, "/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3

So all seems OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-04-10 17:02:32 CEST
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-04-15 10:45:46 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-04-15 12:13:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0171.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

