Upstream has issued an advisory on August 26:
The issue is fixed upstream in 0.9.6:
Mageia 8 is also affected.
Ubuntu has issued an advisory for this on August 26:
Assigning to DavidG who has dealt with this in the past; CC'ing Joseph who did the most recent update, and may be willing to deal with this.
Debian has issued an advisory for this on August 31:
Reassigning to all packagers collectively, because Daviddavid hasn't been around so far this summer.
libssh-0.9.6 built fine in cauldron locally and lib64ssh4-0.9.6 installed fine, too, but I have no understanding of the package and nothing on my system needs lib64ssh4, so I can't test it and therefore won't commit it, sorry.
The updated packages fix a security vulnerability:
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, the previous session_id is kept and used as an input to the new secret_hash. Historically, both of these buffers had a shared length variable, which worked as long as these buffers were the same. But the key re-exchange operation can also change the key exchange method, which can be based on a hash of a different size, eventually creating a "secret_hash" of a different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during a second key re-exchange. (CVE-2021-3634)
Updated packages in core/updates_testing:
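The shared-length problem described in the CVE-2021-3634 advisory text above, as an added illustration that is not libssh's code and not part of the original thread: a simplified C model in which session_id carries its own length. The names kex_state, wipe_free, kex_round, shared_len_overrun and kex_free, and the 32- and 64-byte hash sizes used with it, are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the two secrets; not libssh's real structures. */
struct kex_state {
    unsigned char *session_id;  /* set once, at the first key exchange */
    size_t session_id_len;      /* hardened layout: its own length */
    unsigned char *secret_hash; /* replaced at every key exchange */
    size_t digest_len;          /* length of secret_hash only */
};

/* Zero a buffer with its own length, then release it. */
static void wipe_free(unsigned char *p, size_t n)
{
    if (p != NULL)
        memset(p, 0, n);
    free(p);
}

/* One key (re-)exchange whose hash yields hash_len bytes. */
int kex_round(struct kex_state *s, size_t hash_len)
{
    unsigned char *h = calloc(1, hash_len); /* stand-in for the hash output */
    if (h == NULL) return -1;
    if (s->session_id == NULL) {            /* first exchange: keep a copy */
        s->session_id = malloc(hash_len);
        if (s->session_id == NULL) { free(h); return -1; }
        memcpy(s->session_id, h, hash_len);
        s->session_id_len = hash_len;
    }
    wipe_free(s->secret_hash, s->digest_len); /* old hash, old length */
    s->secret_hash = h;
    s->digest_len = hash_len;
    return 0;
}

/* Bytes past session_id that a wipe or read sized by one shared length would touch. */
size_t shared_len_overrun(const struct kex_state *s)
{
    return s->digest_len > s->session_id_len ? s->digest_len - s->session_id_len : 0;
}

/* Release both secrets, each wiped with its own length. */
void kex_free(struct kex_state *s)
{
    wipe_free(s->session_id, s->session_id_len);
    wipe_free(s->secret_hash, s->digest_len);
    memset(s, 0, sizeof(*s));
}
```

After kex_round(&s, 32) followed by kex_round(&s, 64), session_id is still 32 bytes while digest_len is 64, so shared_len_overrun reports 32. Production code would wipe with a call the compiler cannot elide, such as explicit_bzero.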
$ uname -a
Linux localhost 5.10.62-desktop-1.mga8 #1 SMP Fri Sep 3 14:47:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
- used keygen to generate a new private/public key
- published public key
- able to connect to remote server with new key
Seems to work if this is a valid test.
OpenSSH itself doesn't use this library, so you'd have to use something that does for it to be a valid test.
Taking off the okay then until I can confirm the library.
strace -o lib64ssh4.txt remmina
Attempted connection to remote Linux server.
In the log I see:
openat(AT_FDCWD, "/lib64/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3
Seems to be responding and working.
Validating. Advisory in Comment 5.