[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 4322-1] libssh security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4322-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 17, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libssh
CVE ID         : CVE-2018-10933
Debian Bug     : 911149

Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH
library, contains an authentication bypass vulnerability in the server
code. An attacker can take advantage of this flaw to successfully
authenticate without any credentials by presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
initiate authentication.

For the stable distribution (stretch), this problem has been fixed in
version 0.7.3-2+deb9u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlvHX65fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QzRRAAkVzmI8DleL1oJ7sGN/NbPcYVPin1G+yYPw9OLKvYVCcz3rl4Hj8xNPSk
9bneHArC8/lvdk8ycyX9IuriO6E8D31pnMaWpxkWG/ulBRWymx+fT1wrWirhYEvT
iYFCXpBFSHOWgPLM8Yand87xcnSLsbT8if24cv0Wuj4mTb2RdjvuBnrBqX1B91h1
08Pe27RPpyX83Lj9yCtQcZzm/t3vqYZPt9WNd91wRHD6wL6Xvt0uqCm6QnB/T3hk
9AdhpSUUCQFYNUliVYAgm1xDOWbVzmptPDo1jdo3/4qFAZhoYEnqdZCfholl4ldJ
SxSmMHbXrug1lTGEqLlZSG1U6R4bUlodcBKwVLEjf0uFxlG3EqYKdIWlIN+TFqlO
8ttarFk1nCNyzt/ieheLNN6I/OOBrgT9+FS50m/6QN6gGnKJZPsY/YngHWGbc48v
vN91cbn5RITfV3TQQiYY8LzbdGJNNNJp7PN23G3BKxgcM+n/sxjm1xajm0r3USaG
bCbxNpzFTeTv+XUtjZvU8cWgHJJJOg6/2XB6loiplqgffTHUPC8LlIC8Vpa3uwkm
W5353+UAp1OqvQvwYUj9rxAL+xbleMi8OHDOcqqGW5nkA4K1sLyCgunH6TDEMwjM
bxWr6q0drbgtS5ePpLqqXMeNV/eQqxkrRg5EGwF6kyOAA35YrCU=
=PEQu
-----END PGP SIGNATURE-----


Reply to: