libssh2 security update

ID CESA-2016:0428
Type centos
Reporter CentOS Project
Modified 2016-03-10T12:53:35


CentOS Errata and Security Advisory CESA-2016:0428

The libssh2 packages provide a library that implements the SSHv2 protocol.

A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787)

Red Hat would like to thank Aris Adamantiadis for reporting this issue.

All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
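One way to find the applications that still need that restart, as an added example that is not part of the CentOS advisory: on Linux, a process that loaded libssh2 before the update keeps mapping the replaced file, which `/proc/PID/maps` marks as `(deleted)`. The function names are this example's own, and the check assumes the package update unlinked the old shared object; run it as root to see every process.

```shell
#!/bin/sh
# Added example: list processes that still map a libssh2 shared object
# that was replaced on disk by the package update.

# stale_libssh2_in_maps FILE
# Exit 0 if the maps-format FILE has a libssh2 mapping whose backing file
# is marked "(deleted)", meaning the process predates the update.
stale_libssh2_in_maps() {
    grep -Eq '/libssh2\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# list_stale_pids [PROC_ROOT]
# Print "PID COMM" for every process directory under PROC_ROOT
# (default /proc) that still maps the old library.
list_stale_pids() {
    lsp_root="${1:-/proc}"
    for lsp_dir in "$lsp_root"/[0-9]*; do
        [ -r "$lsp_dir/maps" ] || continue
        if stale_libssh2_in_maps "$lsp_dir/maps"; then
            lsp_pid="${lsp_dir##*/}"
            lsp_comm="$(cat "$lsp_dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$lsp_pid" "$lsp_comm"
        fi
    done
}

# Scan the live system only when asked to, e.g.:  sh check-libssh2.sh scan
if [ "${1:-}" = "scan" ]; then
    list_stale_pids /proc
fi
```

An empty result after the update means no visible process is still running the old library; any PID listed should be restarted.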

Merged security bulletin from advisories:

Affected packages: libssh2 libssh2-devel libssh2-docs

Upstream details at: