Description
ELSA-2020-4545: libssh security, bug fix, and enhancement update (MODERATE)
[0.9.4-2]
- Do not return error when server properly closed the channel (#1849071)
- Add a test for CVE-2019-14889
- Do not parse configuration file in torture_knownhosts test
[0.9.4-1]
- Update to version 0.9.4 https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
- Fixed CVE-2019-14889 (#1781782)
- Fixed CVE-2020-1730 (#1802422)
- Create missing directories in the path provided for known_hosts files (#1733914)
- Removed inclusion of OpenSSH server configuration file from libssh_server.config (#1821339)
Updated packages
Oracle Linux 8
Oracle Linux aarch64
libssh 0.9.4-2.el8
libssh-config 0.9.4-2.el8
libssh-devel 0.9.4-2.el8
Oracle Linux x86_64
libssh 0.9.4-2.el8
libssh-config 0.9.4-2.el8
libssh-devel 0.9.4-2.el8
Related CVEs
Related vulnerabilities
A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR ciphers (or DES ciphers, if enabled). The server or client could crash when the connection has not been fully initialized and the system tries to clean up the ciphers when closing the connection. The biggest threat from this vulnerability is to system availability.