CentOS Errata and Security Advisory CESA-2016:0428
The libssh2 packages provide a library that implements the SSHv2 protocol.
A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods: a length in bytes was passed where the random-number routine expected a length in bits, so the secret exponent was generated with one eighth of the intended number of random bits (128 bits for the 1024-bit group1 group, 256 bits for the 2048-bit group14 group). This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters, since recovering a secret exponent known to lie in a range of 2^b values costs on the order of 2^(b/2) group operations with a Pollard-style discrete logarithm attack, far below the security the group size was chosen for. (CVE-2016-0787)
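The following is an added illustration, not code from the advisory or from libssh2, of the bytes-versus-bits mistake described above beside its corrected form, together with a length check a reviewer can apply to any DH implementation. It uses the 1024-bit Oakley Group 2 prime from RFC 2409 (the group behind diffie-hellman-group1-sha1); the function and constant names are the example's own, and the "group order in bytes" argument mirrors the unit the buggy code handled. Passing 256 instead of 128 shows the same effect for the 2048-bit group14 group.

```python
import secrets

# Oakley Group 2 prime (RFC 2409, section 6.2), used by SSH's
# diffie-hellman-group1-sha1. The generator is 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2


def gen_exponent_vulnerable(group_order_bytes):
    """Pre-fix behaviour (illustrative): the group size in BYTES is handed to a
    routine that takes a size in BITS, so a 1024-bit group (128 bytes) yields
    an exponent of at most 128 bits."""
    return secrets.randbits(group_order_bytes)


def gen_exponent_fixed(group_order_bytes):
    """Corrected behaviour: convert bytes to bits first. Using 8*bytes - 1 keeps
    the exponent strictly below the group modulus."""
    return secrets.randbits(group_order_bytes * 8 - 1)


def dh_public(x, p=GROUP1_P, g=GROUP1_G):
    """Client's public value e = g^x mod p for secret exponent x."""
    return pow(g, x, p)


def exponent_length_ok(x, p):
    """Sanity check a practitioner can run against any DH implementation:
    a correctly sized random exponent is almost always close to the group
    size, so one that fits in fewer than half the modulus bits is the
    CVE-2016-0787 symptom (128 bits out of 1024)."""
    return x.bit_length() >= p.bit_length() // 2


if __name__ == "__main__":
    # 128 bytes is the size of the 1024-bit group1 modulus.
    for label, gen in (("vulnerable", gen_exponent_vulnerable),
                       ("fixed", gen_exponent_fixed)):
        x = gen(128)
        e = dh_public(x)
        print(f"{label:10s} exponent bits={x.bit_length():4d} "
              f"length ok={exponent_length_ok(x, GROUP1_P)} "
              f"public value bits={e.bit_length()}")
```

Note that the public value e looks perfectly normal in both cases (it is a full-size element of the group), which is why the defect is invisible on the wire and only a review of the exponent generation, or a check like `exponent_length_ok` in a test suite, catches it.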
Red Hat would like to thank Aris Adamantiadis for reporting this issue.
All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
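As an added check that is not part of the advisory, the script below finds processes that still have the replaced library mapped. On Linux, when rpm overwrites a shared object the old inode is unlinked but stays mapped in running processes, and /proc/PID/maps marks such mappings "(deleted)"; anything listed is still running the vulnerable code. The sample maps contents, PIDs and paths are constructed for the example (the library file name follows the usual libssh2.so.1.* naming on CentOS, which is an assumption).

```python
import os
import re

# Constructed sample: maps of two hypothetical processes after the update.
# PID 1234 was running before the update and still maps the unlinked old
# library; PID 5678 started afterwards and maps the new file.
SAMPLE_MAPS = {
    1234: (
        "7f3a4c8e1000-7f3a4c904000 r-xp 00000000 fd:01 131594  /usr/lib64/libssh2.so.1.0.1 (deleted)\n"
        "7f3a4c904000-7f3a4cb03000 ---p 00023000 fd:01 131594  /usr/lib64/libssh2.so.1.0.1 (deleted)\n"
        "7f3a4cd2a000-7f3a4ced5000 r-xp 00000000 fd:01 131091  /usr/lib64/libc-2.17.so\n"
    ),
    5678: (
        "7f1b5e2c1000-7f1b5e2e4000 r-xp 00000000 fd:01 131602  /usr/lib64/libssh2.so.1.0.1\n"
        "7f1b5e4f0000-7f1b5e69b000 r-xp 00000000 fd:01 131091  /usr/lib64/libc-2.17.so\n"
    ),
}

# A mapping of a libssh2 shared object whose file has been unlinked.
STALE_RE = re.compile(r"\S+/libssh2\.so\S*\s+\(deleted\)\s*$")


def stale_libssh2_pids(maps_by_pid):
    """Return the sorted PIDs whose maps contain an unlinked libssh2 mapping."""
    stale = set()
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if STALE_RE.search(line):
                stale.add(pid)
                break
    return sorted(stale)


def read_proc_maps():
    """Collect /proc/<pid>/maps for every readable process.
    Run as root to see processes owned by other users."""
    out = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/maps") as f:
                out[int(name)] = f.read()
        except OSError:  # process exited, or permission denied
            continue
    return out


if __name__ == "__main__":
    for pid in stale_libssh2_pids(read_proc_maps()):
        print(f"PID {pid} still maps the old libssh2 and must be restarted")
```

Run it as root after `yum update libssh2`; an empty result means every process using libssh2 has picked up the updated library.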
Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2016-March/033764.html
http://lists.centos.org/pipermail/centos-announce/2016-March/033765.html
Affected packages: libssh2 libssh2-devel libssh2-docs
Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-0428.html