|
|
Subscribe / Log in / New account

Mageia alert MGASA-2015-0209 (libssh)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2015-0209: Updated libssh packages fix CVE-2015-3146 


Date:
    	      Mon, 11 May 2015 22:11:10 +0200


Message-ID:
    	      <20150511201110.EFE0D43AA1@valstar.mageia.org>


MGASA-2015-0209 - Updated libssh packages fix CVE-2015-3146

Publication date: 11 May 2015
URL: http://advisories.mageia.org/MGASA-2015-0209.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-3146

Description:
Updated libssh packages fix security vulnerability:

libssh versions 0.5.1 and above, but before 0.6.5, have a logical error in the
handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected
error did not set the session into the error state correctly and further
processed the packet which leads to a null pointer dereference. This is the
packet after the initial key exchange and doesn’t require authentication.
This could be used for a Denial of Service (DoS) attack (CVE-2015-3146).

References:
- https://bugs.mageia.org/show_bug.cgi?id=15861
- https://www.libssh.org/2015/04/30/libssh-0-6-5-security-a...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3146

SRPMS:
- 4/core/libssh-0.5.5-2.3.mga4
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds