Upstream security advisory from November 20:
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562

Not immediately clear if 0.4.7 (Mageia 1) is affected.
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => nicolas.lecureuil
CC: (none) => balcaen.john
CC: (none) => anssi.hannula
CC: (none) => oliver.bgr
CC: (none) => guillomovitch
This library is used by xbmc, x2goclient, hydra, and kdebase4-runtime.
Some of the other bugs fixed in 0.5.3 (like use after free, for example) are sometimes considered security bugs too. Should we just strictly use the CVE patches for the Mageia 2 update (currently has 0.5.2) or update to 0.5.3?
CC: (none) => oe
SuSE has issued an advisory for this on November 21:
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html

Given that is for version 0.2, 0.4 should be affected.
URL: (none) => http://lwn.net/Vulnerabilities/526468/
CC: (none) => fundawang
CC: (none) => thierry.vignaud
Fixed in Cauldron by updating to 0.5.3.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Severity: normal => major
CVE patches rediffed for 0.5.2 and 0.4.7. If anyone wants to update Mageia 2 to 0.5.3 instead, please speak up soon.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and improper overflow checks in libssh before 0.5.3 could enable a denial of service attack against libssh clients (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html
========================

Updated packages in core/updates_testing:
========================
libssh4-0.4.7-1.1.mga1
libssh-devel-0.4.7-1.1.mga1
libssh4-0.5.2-1.1.mga2
libssh-devel-0.5.2-1.1.mga2

from SRPMS:
libssh-0.4.7-1.1.mga1.src.rpm
libssh-0.5.2-1.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete on Mageia 2 x86-64.

No PoC, so just testing that it works.

For testing, I restarted kde, to ensure the new version of the lib would be used, and then used konqueror fish://dave@mine/home/dave to access my old computer, which is set up for passwordless ssh access, with the following in .ssh/config

    Host mine
    Hostname 192.168.10.101
    Port munged
    User dave

I'll test i586 and Mageia 1 shortly.
CC: (none) => davidwhodgins
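The test above restarts KDE so that the updated library is the one in use; a process started before the update keeps the old, now-deleted libssh file mapped until it is restarted. The following is an added example, not part of the bug report, that lists such processes from their memory maps. The function name and the optional proc-root argument are assumptions made so the check can also be run against a copied or constructed /proc tree.

```shell
#!/bin/sh
# Added example: find processes still running a replaced libssh.
#
# When a package update replaces a shared library, the old file is unlinked
# but stays mapped in every process that loaded it. The kernel marks such
# mappings with a trailing "(deleted)" in /proc/<pid>/maps.

# stale_libssh_pids [proc_root]
#   proc_root defaults to /proc (the argument is a hypothetical convenience
#   for offline testing).
#   Prints one "pid path" line for each process that still maps a deleted
#   libssh.so* file. libssh2 (a different library) is deliberately not matched.
stale_libssh_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip unreadable entries and the unexpanded glob when nothing matches.
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"
        pid="${pid##*/}"
        # maps columns: address perms offset dev inode pathname [(deleted)]
        awk -v pid="$pid" '
            $NF == "(deleted)" && $(NF-1) ~ /\/libssh\.so(\.[0-9]+)*$/ {
                # Report each stale file once per process.
                if (!seen[$(NF-1)]++) print pid, $(NF-1)
            }' "$maps" 2>/dev/null
    done
}

# Live check: no output means no process is holding on to an old libssh.
stale_libssh_pids "${PROC_ROOT:-/proc}"
```

Run it as root to see the maps of processes owned by other users; any pid it prints needs a restart before the fixed library is actually in use.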
Testing complete on Mageia 2 i586, Mageia 1 x86-64 and i586.

Could someone from the sysadmin team push the srpm
libssh-0.5.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
libssh-0.4.7-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and improper overflow checks in libssh before 0.5.3 could enable a denial of service attack against libssh clients (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html

https://bugs.mageia.org/show_bug.cgi?id=8188
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Ubuntu has issued an advisory for this on November 26:
http://www.ubuntu.com/usn/usn-1640-1/

Theirs actually addresses all 4 CVEs, and notes possible remote code execution. I'm updating the advisory based on this.

Advisory:

Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and improper overflow checks in libssh before 0.5.3 could enable a denial of service attack against libssh clients, or possibly arbitrary code execution (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://www.ubuntu.com/usn/usn-1640-1/

https://bugs.mageia.org/show_bug.cgi?id=8188
URL: http://lwn.net/Vulnerabilities/526468/ => http://lwn.net/Vulnerabilities/527128/
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0344
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED