[SECURITY] [DLA 426-1] libssh2 security update

2016-02-23T13:17:15
ID DEBIAN:DLA-426-1:18954
Type debian
Reporter Debian
Modified 2016-02-23T13:17:15

Description

Package        : libssh2 Version        : 1.2.6-1+deb6u2 CVE ID         : CVE-2016-0787

Andreas Schneider reported that libssh2, an SSH2 protocol implementation used by many applications, did not generate sufficiently long Diffie-Hellman secrets.

This vulnerability could be exploited by an eavesdropper to decrypt and to intercept SSH sessions.

For the oldoldstable distribution (squeeze), this has been fixed in version 1.2.6-1+deb6u2.  Although the changelog refers to 'sha256', this version only supports DH SHA-1 key exchange and it is that key exchange method that has been fixed.

For the oldstable (wheezy) and stable (jessie) distributions, this will be fixed soon.

-- Ben Hutchings - Debian developer, member of Linux kernel and LTS teams