RLSA-2025:21977

Published: 25 Nov 2025
Source: rocky
Severity: Moderate

Description

Moderate: libssh security update

libssh is a library which implements the SSH protocol. It can be used to implement client and server applications.

Security Fix(es):

  • libssh: Incorrect Return Code Handling in ssh_kdf() in libssh (CVE-2025-5372)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected products

  • Rocky Linux 8

Name           Architecture  Release     RPM
libssh         i686          16.el8_10   libssh-0.9.6-16.el8_10.i686.rpm
libssh         x86_64        16.el8_10   libssh-0.9.6-16.el8_10.x86_64.rpm
libssh-config  noarch        16.el8_10   libssh-config-0.9.6-16.el8_10.noarch.rpm

Related CVEs

Fixes

Related vulnerabilities

CVSS3: 5
ubuntu
5 months ago

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values (OpenSSL uses 0 to indicate failure, while libssh uses 0 for success), the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising the confidentiality, integrity, and availability of SSH sessions.
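The convention clash the description above refers to, reduced to a constructed C model added here for illustration. This is not libssh's code and not the real ssh_kdf() implementation: an OpenSSL-1.x style primitive that reports 1 on success and 0 on failure is wrapped once without translating its status (the vulnerable shape) and once with an explicit translation to libssh's 0 / negative convention (the fixed shape), and a caller that, as is assumed here of libssh's callers, treats only a negative return as failure. The toy transform, the marker byte standing in for uninitialized memory, and all names are assumptions made for the demonstration.

```c
/* Added illustration of the CVE-2025-5372 bug class; a constructed model,
 * not libssh's code. Names, the toy "derivation" and the caller's check
 * (negative return == failure) are assumptions for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SSH_OK     0   /* libssh convention: 0 means success */
#define SSH_ERROR -1   /* libssh convention: negative means failure */

/* Outcomes reported by run_scenario(). */
enum { ABORTED = 0, PROCEEDED_OK = 1, PROCEEDED_UNINIT = 2 };

#define MARKER 0xAA    /* stands in for "uninitialized" memory */

/* Stand-in for an OpenSSL-1.x style primitive: 1 on success, 0 on failure.
 * On failure it leaves 'out' untouched, as a real primitive may. */
static int openssl_style_derive(const uint8_t *key, size_t key_len,
                                uint8_t *out, size_t out_len)
{
    if (key == NULL || key_len == 0 || out == NULL) {
        return 0;                           /* failure, OpenSSL style */
    }
    for (size_t i = 0; i < out_len; i++) {  /* toy transform, not a KDF */
        out[i] = (uint8_t)(key[i % key_len] ^ (uint8_t)i);
    }
    return 1;                               /* success, OpenSSL style */
}

/* Vulnerable pattern: the OpenSSL-style status is handed straight to a
 * caller expecting libssh conventions, so failure (0) looks like SSH_OK. */
static int kdf_vulnerable(const uint8_t *key, size_t key_len,
                          uint8_t *out, size_t out_len)
{
    return openssl_style_derive(key, key_len, out, out_len);
}

/* Hardened pattern: translate the convention at the boundary. */
static int kdf_fixed(const uint8_t *key, size_t key_len,
                     uint8_t *out, size_t out_len)
{
    if (openssl_style_derive(key, key_len, out, out_len) != 1) {
        return SSH_ERROR;
    }
    return SSH_OK;
}

/* Caller written the libssh way (assumed: any negative return is failure).
 * force_failure passes a zero-length secret so the primitive fails.
 * Returns ABORTED, PROCEEDED_OK or PROCEEDED_UNINIT. */
static int run_scenario(int use_vulnerable, int force_failure)
{
    const uint8_t shared_secret[] = { 0x01, 0x02, 0x03, 0x04 };  /* constructed */
    uint8_t session_key[16];
    size_t secret_len = force_failure ? 0 : sizeof shared_secret;
    int (*kdf)(const uint8_t *, size_t, uint8_t *, size_t) =
        use_vulnerable ? kdf_vulnerable : kdf_fixed;

    memset(session_key, MARKER, sizeof session_key);
    if (kdf(shared_secret, secret_len, session_key, sizeof session_key) < 0) {
        return ABORTED;
    }
    /* The caller now believes session_key holds a derived key. Was it written? */
    for (size_t i = 0; i < sizeof session_key; i++) {
        if (session_key[i] != MARKER) {
            return PROCEEDED_OK;
        }
    }
    return PROCEEDED_UNINIT;   /* buffer never written: the CVE condition */
}

int main(void)
{
    static const char *names[] = { "aborted", "proceeded with derived key",
                                   "proceeded with UNWRITTEN key buffer" };
    printf("vulnerable, KDF fails: %s\n", names[run_scenario(1, 1)]);
    printf("fixed,      KDF fails: %s\n", names[run_scenario(0, 1)]);
    printf("vulnerable, KDF ok:    %s\n", names[run_scenario(1, 0)]);
    printf("fixed,      KDF ok:    %s\n", names[run_scenario(0, 0)]);
    return 0;
}
```

The success path behaves the same in both shapes (1 and 0 are both non-negative), which is why a bug of this kind survives ordinary functional testing; only the failure path, which needs a fault to reach, exposes the difference. The practical check is the one the fixed wrapper makes: never let a status code cross a library boundary without mapping it to the callee's convention.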

CVSS3: 5
redhat
5 months ago

(Same description as the Ubuntu entry above.)

CVSS3: 5
nvd
5 months ago

(Same description as the Ubuntu entry above.)

CVSS3: 5
msrc
5 months ago

libssh: incorrect return code handling in ssh_kdf()

CVSS3: 5
debian
5 months ago

A flaw was found in libssh versions built with OpenSSL versions older ...