Debian-LTS alert DLA-426-1 (libssh2)
From: Ben Hutchings <benh@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 426-1] libssh2 security update
Date: Tue, 23 Feb 2016 13:16:47 +0000
Message-ID: <1456233407.15241.90.camel@debian.org>
Package        : libssh2
Version        : 1.2.6-1+deb6u2
CVE ID         : CVE-2016-0787

Andreas Schneider reported that libssh2, an SSH2 protocol implementation used by many applications, did not generate sufficiently long Diffie-Hellman secrets. This vulnerability could be exploited by an eavesdropper to decrypt and to intercept SSH sessions.

For the oldoldstable distribution (squeeze), this has been fixed in version 1.2.6-1+deb6u2. Although the changelog refers to 'sha256', this version only supports DH SHA-1 key exchange and it is that key exchange method that has been fixed.

For the oldstable (wheezy) and stable (jessie) distributions, this will be fixed soon.

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
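The example below is added here and is neither the advisory's nor libssh2's code. Upstream fixed CVE-2016-0787 in libssh2 1.7.0 by converting the size passed to the random-exponent generator from bytes to bits, so a 1024-bit group had been getting a 128-bit private exponent (a 2048-bit group, 256 bits). The code models that sizing difference over the RFC 2409 1024-bit MODP group that diffie-hellman-group1-sha1 uses, runs both sides of the exchange, adds an exponent-length sanity check, and shows on a down-sized toy group why a short exponent hands the eavesdropper the session: a baby-step giant-step search over an interval of 2^n costs only about 2^(n/2) operations. The function names, the 512-bit check threshold and the toy group (p = 2^31 - 1, generator 7) are this example's own choices, not libssh2 settings.

```python
import secrets

# RFC 2409 "Second Oakley Group": the 1024-bit MODP prime used by SSH's
# diffie-hellman-group1-sha1, the key exchange method this update fixes.
P_GROUP1 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def random_exponent(bits):
    """Random integer of exactly `bits` bits (top bit forced so the length is
    deterministic, the way OpenSSL's BN_rand behaves with top=0)."""
    if bits < 2:
        raise ValueError("exponent too short")
    return secrets.randbits(bits - 1) | (1 << (bits - 1))


def vulnerable_exponent(p):
    """Pre-fix sizing: the group size in bytes was passed where a bit count was
    expected, so a 1024-bit group got a 128-bit private exponent."""
    group_order_bytes = (p.bit_length() + 7) // 8
    return random_exponent(group_order_bytes)


def fixed_exponent(p):
    """Post-fix sizing: bytes * 8 - 1 bits, an exponent nearly as long as p."""
    group_order_bytes = (p.bit_length() + 7) // 8
    return random_exponent(group_order_bytes * 8 - 1)


def exponent_is_sufficient(x, p, min_bits=512):
    """Defensive check an application can apply to a DH private exponent it is
    handed: in range and at least min_bits long.  The 512-bit default is an
    assumption of this example (twice a 256-bit key-material budget)."""
    return 2 <= x <= p - 2 and x.bit_length() >= min_bits


def dh_exchange(p, g, x_client, x_server):
    """Both sides of the exchange: client sends e = g^x, server sends f = g^y,
    each derives K = g^(xy).  Returns (e, f, K)."""
    e = pow(g, x_client, p)
    f = pow(g, x_server, p)
    k_client = pow(f, x_client, p)
    k_server = pow(e, x_server, p)
    if k_client != k_server:
        raise RuntimeError("shared secrets differ")
    return e, f, k_client


def recover_short_exponent(h, g, p, max_bits):
    """Baby-step giant-step confined to [0, 2**max_bits): what an eavesdropper
    holding h = g^x from the wire can do once x is known to be short.  About
    2**(max_bits/2) multiplications and table entries, so a 128-bit exponent
    costs roughly 2**64 work regardless of how large the group is."""
    m = 1 << ((max_bits + 1) // 2)          # m*m >= 2**max_bits
    baby = {}
    cur = 1
    for j in range(m):                      # baby steps: g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)                   # g^(-m)
    gamma = h
    for i in range(m):                      # giant steps: h * g^(-m*i)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    return None


if __name__ == "__main__":
    for label, make in (("vulnerable", vulnerable_exponent), ("fixed", fixed_exponent)):
        x = make(P_GROUP1)
        print(f"{label}: {x.bit_length()}-bit exponent, "
              f"sufficient={exponent_is_sufficient(x, P_GROUP1)}")
    # Down-sized demonstration of the eavesdropper's job: a toy group chosen
    # for this example (p = 2**31 - 1, generator 7) with a 16-bit exponent is
    # broken in 2**8 baby steps plus 2**8 giant steps.
    toy_p, toy_g = 2**31 - 1, 7
    x = random_exponent(16)
    e, f, k = dh_exchange(toy_p, toy_g, x, random_exponent(16))
    x_found = recover_short_exponent(e, toy_g, toy_p, 16)
    print("toy exchange: recovered x =", x_found == x,
          "and K from f^x =", pow(f, x_found, toy_p) == k)
```

The search is not the only route (Pollard's kangaroo does the same interval search in constant memory), and the point is the ratio rather than the toy numbers: a defender who only compares the group size to the key strength will miss this bug, so a check like `exponent_is_sufficient` belongs wherever an application can see the exponent its DH library produced.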