[SECURITY] [DSA 2879-1] libssh security update

2014-03-1321:54:28

lists.debian.org

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

5.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

JSON

Debian Security Advisory DSA-2879-1 [email protected]
http://www.debian.org/security/ Raphael Geissert
March 13, 2014 http://www.debian.org/security/faq

Package : libssh
CVE ID : CVE-2014-0017

It was discovered that libssh, a tiny C SSH library, did not reset the
state of the PRNG after accepting a connection. A server mode
application that forks itself to handle incoming connections could see
its children sharing the same PRNG state, resulting in a cryptographic
weakness and possibly the recovery of the private key.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.4.5-3+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 0.5.4-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 0.5.4-3.

For the unstable distribution (sid), this problem has been fixed in
version 0.5.4-3.

We recommend that you upgrade your libssh packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6mipsellibssh-dev< 0.4.5-3+squeeze2libssh-dev_0.4.5-3+squeeze2_mipsel.deb
Debian7kfreebsd-i386libssh-4< 0.5.4-1+deb7u1libssh-4_0.5.4-1+deb7u1_kfreebsd-i386.deb
Debian7armellibssh-4< 0.5.4-1+deb7u1libssh-4_0.5.4-1+deb7u1_armel.deb
Debian6ia64libssh-dev< 0.4.5-3+squeeze2libssh-dev_0.4.5-3+squeeze2_ia64.deb
Debian6armellibssh-dbg< 0.4.5-3+squeeze2libssh-dbg_0.4.5-3+squeeze2_armel.deb
Debian6i386libssh-dev< 0.4.5-3+squeeze2libssh-dev_0.4.5-3+squeeze2_i386.deb
Debian7armellibssh-dbg< 0.5.4-1+deb7u1libssh-dbg_0.5.4-1+deb7u1_armel.deb
Debian7i386libssh-dev< 0.5.4-1+deb7u1libssh-dev_0.5.4-1+deb7u1_i386.deb
Debian7mipsellibssh-4< 0.5.4-1+deb7u1libssh-4_0.5.4-1+deb7u1_mipsel.deb
Debian6alllibssh-doc< 0.4.5-3+squeeze2libssh-doc_0.4.5-3+squeeze2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	mipsel	libssh-dev	< 0.4.5-3+squeeze2	libssh-dev_0.4.5-3+squeeze2_mipsel.deb
Debian	7	kfreebsd-i386	libssh-4	< 0.5.4-1+deb7u1	libssh-4_0.5.4-1+deb7u1_kfreebsd-i386.deb
Debian	7	armel	libssh-4	< 0.5.4-1+deb7u1	libssh-4_0.5.4-1+deb7u1_armel.deb
Debian	6	ia64	libssh-dev	< 0.4.5-3+squeeze2	libssh-dev_0.4.5-3+squeeze2_ia64.deb
Debian	6	armel	libssh-dbg	< 0.4.5-3+squeeze2	libssh-dbg_0.4.5-3+squeeze2_armel.deb
Debian	6	i386	libssh-dev	< 0.4.5-3+squeeze2	libssh-dev_0.4.5-3+squeeze2_i386.deb
Debian	7	armel	libssh-dbg	< 0.5.4-1+deb7u1	libssh-dbg_0.5.4-1+deb7u1_armel.deb
Debian	7	i386	libssh-dev	< 0.5.4-1+deb7u1	libssh-dev_0.5.4-1+deb7u1_i386.deb
Debian	7	mipsel	libssh-4	< 0.5.4-1+deb7u1	libssh-4_0.5.4-1+deb7u1_mipsel.deb
Debian	6	all	libssh-doc	< 0.4.5-3+squeeze2	libssh-doc_0.4.5-3+squeeze2_all.deb