Ubuntu has issued an advisory today (January 28):
http://www.ubuntu.com/usn/usn-1707-1/

Update is in Cauldron SVN, waiting to be freeze pushed.
Patch is checked into Mageia 1 and Mageia 2 SVN.
Whiteboard: (none) => MGA2TOO
Updated package uploaded for Cauldron.
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated libssh packages fix security vulnerability:

Yong Chuan Koh discovered that libssh incorrectly handled certain negotiation requests. A remote attacker could use this to cause libssh to crash, resulting in a denial of service (CVE-2013-0176).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0176
http://www.libssh.org/2013/01/22/libssh-0-5-4-security-release/
http://www.ubuntu.com/usn/usn-1707-1/
========================

Updated packages in core/updates_testing:
========================
libssh4-0.5.2-1.2.mga2
libssh-devel-0.5.2-1.2.mga2

from libssh-0.5.2-1.2.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)
Testing complete mga2 64

No public PoC so just checking using hydra

Note: this library isn't a require of openssh-server or client

Before
------
$ hydra -l testuser -p testpass ssh://localhost
Hydra v7.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2013-01-30 13:52:10
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[STATUS] attack finished for localhost (waiting for children to finish)
1 of 1 target successfuly completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2013-01-30 13:52:12

After
-----
$ hydra -l testuser -p testpass ssh://localhost
Hydra v7.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2013-01-30 14:30:26
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[STATUS] attack finished for localhost (waiting for children to finish)
1 of 1 target successfuly completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2013-01-30 14:30:28
Whiteboard: (none) => has_procedure mga2-64-OK
Testing complete mga2 32

Validating

Advisory & SRPM in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-ok
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0033
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED