Upstream has issued an advisory today (April 9):
https://www.libssh.org/security/advisories/CVE-2020-1730.txt

The issue is fixed upstream in 0.8.9 and 0.9.4:
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/

Mageia 7 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.8.9 and 0.9.4
Updated packages uploaded by David Geiger.

Advisory:
========================

Updated libssh packages fix security vulnerability:

A malicious client or server could crash the counterpart implemented with libssh when AES-CTR ciphers are used and don't get fully initialized. It will crash when it tries to clean up the AES-CTR ciphers when closing the connection (CVE-2020-1730).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1730
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
========================

Updated packages in core/updates_testing:
========================
libssh4-0.8.9-1.mga7
libssh-devel-0.8.9-1.mga7

from libssh-0.8.9-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Source RPM: libssh-0.9.3-2.mga8.src.rpm, libssh-0.8.8-1.mga7.src.rpm => libssh-0.8.8-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 0.8.9 and 0.9.4 => (none)
Ubuntu has issued an advisory for this today (April 9): https://usn.ubuntu.com/4327-1/
Severity: normal => major
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 25865 Comment 6 for testing.
So at CLI:
$ strace -o lib64ssh4.txt remmina
StatusNotifier/Appindicator support: your desktop does support it and libappindicator is compiled in remmina. Good!
WARNING: Remmina is running without a secret plugin. Passwords will be saved in a less secure way.
and a few more warnings
Connected remmina to my desktop and that worked OK.
Trace shows
openat(AT_FDCWD, "/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3
So all seems OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0171.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED