Upstream has issued advisories on May 4: https://www.libssh.org/security/advisories/CVE-2023-1667.txt https://www.libssh.org/security/advisories/CVE-2023-2283.txt The issues are fixed upstream in 0.9.7 and 0.10.5: https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/ Fedora has issued an advisory for this on May 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4KR3JZOQP2PX7KTYELHWXLPT3JRJXUM/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 0.9.7 and 0.10.5
Neither 'fixed' version is yet in Cauldron. Is 0.9.7 for M8, 0.10.5 for M9? Various packagers involved with libssh, so assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Potential NULL dereference during rekeying with algorithm guessing. (CVE-2023-1667) Authorization bypass in pki_verify_data_signature. (CVE-2023-2283) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1667 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2283 https://www.libssh.org/security/advisories/CVE-2023-1667.txt https://www.libssh.org/security/advisories/CVE-2023-2283.txt https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4KR3JZOQP2PX7KTYELHWXLPT3JRJXUM/ ======================== Updated packages in core/updates_testing: ======================== lib(64)ssh4-0.9.7-1.mga8 lib(64)ssh-devel-0.9.7-1.mga8 from SRPM: libssh-0.9.7-1.mga8.src.rpm
Status: NEW => ASSIGNEDVersion: Cauldron => 8Source RPM: libssh-0.10.4-1.mga9.src.rpm => libssh-0.9.6-1.mga8.src.rpmCC: (none) => nicolas.salgueroWhiteboard: MGA8TOO => (none)Status comment: Fixed upstream in 0.9.7 and 0.10.5 => (none)Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Ref bug 29419 and 27036, use remmina to connect to my desktop PC: works OK.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Validating. Advisory in comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0184.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED