LibSSH: Information disclosure

2014-08-10T00:00:00
ID GLSA-201408-03
Type gentoo
Reporter Gentoo Foundation
Modified 2014-08-10T00:00:00

Description

Background

LibSSH is a C library providing SSHv2 and SSHv1.

Description

A new connection inherits the state of the PRNG without re-seeding with random data.

Impact

Servers using ECC (ECDSA) or DSA certificates in non-deterministic mode may under certain conditions leak their private key.
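The condition in the Description and its effect on per-signature nonces, as an added example that is not taken from the advisory or from LibSSH's code. It assumes a server that forks one process per connection, uses a toy xorshift64 generator in place of the library's PRNG, and all function names are hypothetical.

```c
#include <fcntl.h>
#include <stdint.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy PRNG (xorshift64) standing in for the library's PRNG; not cryptographic. */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL; /* constructed seed */
static uint64_t prng_next(void) {
    uint64_t x = prng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return prng_state = x;
}

/* Mix fresh kernel entropy into the inherited state; returns 0 on success. */
static int prng_reseed(void) {
    uint64_t fresh = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &fresh, sizeof fresh);
    close(fd);
    if (n != (ssize_t)sizeof fresh) return -1;
    prng_state = (prng_state ^ fresh) | 1; /* xorshift state must stay non-zero */
    return 0;
}

/* Serve one "connection" in a forked child; return the nonce it drew (0 on error). */
static uint64_t connection_nonce(int reseed) {
    int p[2];
    uint64_t k = 0;
    if (pipe(p) != 0) return 0;
    pid_t pid = fork();
    if (pid == 0) { /* child starts with a copy of the parent's prng_state */
        if (!reseed || prng_reseed() == 0) k = prng_next();
        _exit(write(p[1], &k, sizeof k) == (ssize_t)sizeof k ? 0 : 1);
    }
    close(p[1]);
    if (pid < 0 || read(p[0], &k, sizeof k) != (ssize_t)sizeof k) k = 0;
    close(p[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return k;
}

/* Returns 1 if two successive connections drew the same signature nonce. */
int nonces_collide(int reseed) {
    uint64_t a = connection_nonce(reseed), b = connection_nonce(reseed);
    return a != 0 && a == b;
}

int main(void) { return nonces_collide(0) == 1 && nonces_collide(1) == 0 ? 0 : 1; }
```

Because the r component of a DSA or ECDSA signature depends only on the nonce, repeated r values across signatures made with one host key are the observable sign of this condition.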

Workaround

There is no known workaround at this time.

Resolution

All LibSSH users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.6.3"