libssh2 security update

2016-03-10T12:05:04
ID CESA-2016:0428
Type centos
Reporter CentOS Project
Modified 2016-03-10T12:53:35

Description

CentOS Errata and Security Advisory CESA-2016:0428

The libssh2 packages provide a library that implements the SSHv2 protocol.

A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787)

Red Hat would like to thank Aris Adamantiadis for reporting this issue.

All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
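A check for the restart step above, added here as example code that is not part of the CentOS advisory or of libssh2: it scans /proc/<pid>/maps for processes that still hold a mapping of a replaced libssh2 shared object, which the kernel marks "(deleted)" once the package update has unlinked the old file. It assumes a Linux /proc filesystem and a library file named libssh2.so.*.

```shell
#!/bin/sh
# Added example, not from the advisory. After `yum update libssh2` the rpm
# writes a new libssh2.so and unlinks the old one; any process that loaded
# the old copy keeps it mapped, and /proc/<pid>/maps shows that mapping with
# a "(deleted)" suffix. Such processes are still running the vulnerable code.

# Read maps-format text on stdin; print 1 if a stale libssh2 mapping is
# present, 0 otherwise.  Kept separate so it can be fed constructed input.
stale_libssh2_in_maps() {
    if grep -q 'libssh2\.so[^ ]* (deleted)' ; then
        echo 1
    else
        echo 0
    fi
}

# Walk every PID and print "<pid> <comm>" for each process needing a restart.
# Assumption: running as a user allowed to read the maps of those processes
# (typically root for system daemons).
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if [ "$(stale_libssh2_in_maps < "$maps")" = 1 ]; then
            comm=$(tr -d '\0' < "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Only scan when a /proc filesystem is actually mounted.
if [ -r /proc/self/maps ]; then
    report_stale_processes
fi
```

On CentOS the `needs-restarting` tool from the yum-utils package performs a broader version of this check across all updated libraries.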

Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2016-March/033764.html
http://lists.centos.org/pipermail/centos-announce/2016-March/033765.html

Affected packages: libssh2 libssh2-devel libssh2-docs

Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-0428.html