Bug 31925 - libssh new security issues CVE-2023-1667 and CVE-2023-2283
Summary: libssh new security issues CVE-2023-1667 and CVE-2023-2283
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-05-15 16:48 CEST by David Walser
Modified: 2023-05-21 10:44 CEST (History)

See Also:
Source RPM: libssh-0.9.6-1.mga8.src.rpm
CVE:
Status comment:


Attachments

David Walser 2023-05-15 16:48:38 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.9.7 and 0.10.5

Comment 1 Lewis Smith 2023-05-15 21:30:10 CEST
Neither 'fixed' version is yet in Cauldron.
Is 0.9.7 for M8, 0.10.5 for M9?

Various packagers involved with libssh, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-05-16 13:50:34 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Potential NULL dereference during rekeying with algorithm guessing. (CVE-2023-1667)

Authorization bypass in pki_verify_data_signature. (CVE-2023-2283)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1667
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2283
https://www.libssh.org/security/advisories/CVE-2023-1667.txt
https://www.libssh.org/security/advisories/CVE-2023-2283.txt
https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4KR3JZOQP2PX7KTYELHWXLPT3JRJXUM/
========================

Updated packages in core/updates_testing:
========================
lib(64)ssh4-0.9.7-1.mga8
lib(64)ssh-devel-0.9.7-1.mga8

from SRPM:
libssh-0.9.7-1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Source RPM: libssh-0.10.4-1.mga9.src.rpm => libssh-0.9.6-1.mga8.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 0.9.7 and 0.10.5 => (none)
Assignee: pkg-bugs => qa-bugs

PC LX 2023-05-17 12:02:12 CEST

CC: (none) => mageia

Comment 3 Herman Viaene 2023-05-17 13:54:45 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bugs 29419 and 27036, used remmina to connect to my desktop PC: works OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-05-19 01:42:15 CEST
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 02:32:04 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-05-21 10:44:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0184.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
