Описание
A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
A flaw was found in the way libssh handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
Меры по смягчению последствий
Disable AES-CTR ciphers (and DES in libssh 0.8). If you implement a server using libssh we advise to use a prefork model so each session runs in an own process. If you have implemented your server this way this is not really an issue. The client will kill its own connection.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | libssh2 | Not affected | ||
| Red Hat Enterprise Linux 7 | libssh | Not affected | ||
| Red Hat Enterprise Linux 7 | libssh2 | Not affected | ||
| Red Hat Enterprise Linux 8 | libssh2 | Not affected | ||
| Red Hat Enterprise Linux 8 | libssh | Fixed | RHSA-2020:4545 | 04.11.2020 |
| Red Hat Enterprise Linux 8 | libssh | Fixed | RHSA-2020:4545 | 04.11.2020 |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | redhat-virtualization-host | Fixed | RHSA-2020:5218 | 24.11.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in t ...
EPSS
5.3 Medium
CVSS3