Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-426-1 libssh2

Debian Security Advisory

DLA-426-1 libssh2 -- LTS security update

Date Reported:

23 Feb 2016

Affected Packages:

libssh2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-0787.

More information:

Andreas Schneider reported that libssh2, an SSH2 protocol implementation used by many applications, did not generate sufficiently long Diffie-Hellman secrets.

This vulnerability could be exploited by an eavesdropper to decrypt and to intercept SSH sessions.

For the oldoldstable distribution (squeeze), this has been fixed in version 1.2.6-1+deb6u2. Although the changelog refers to sha256, this version only supports DH SHA-1 key exchange and it is that key exchange method that has been fixed.

For the oldstable (wheezy) and stable (jessie) distributions, this will be fixed soon.