Description
Security update for libssh
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
Package list
Container suse/sle15:15.0
libssh4-0.7.5-6.6.1
Image SLES15-Azure-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-EC2-CHOST-HVM-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-EC2-HVM-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-GCE-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-OCI-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-SAP-Azure
libssh4-0.7.5-6.6.1
Image SLES15-SAP-Azure-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-SAP-Azure-LI-BYOS-Production
libssh4-0.7.5-6.6.1
Image SLES15-SAP-Azure-VLI-BYOS-Production
libssh4-0.7.5-6.6.1
Image SLES15-SAP-EC2-HVM
libssh4-0.7.5-6.6.1
Image SLES15-SAP-EC2-HVM-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-SAP-GCE
libssh4-0.7.5-6.6.1
Image SLES15-SAP-GCE-BYOS
libssh4-0.7.5-6.6.1
Image SLES15-SAP-OCI-BYOS
libssh4-0.7.5-6.6.1
SUSE Linux Enterprise Module for Basesystem 15
libssh-devel-0.7.5-6.6.1
libssh4-0.7.5-6.6.1
libssh4-32bit-0.7.5-6.6.1
References
- Link for SUSE-SU-2019:3293-1
- E-Mail link for SUSE-SU-2019:3293-1
- SUSE Security Ratings
- SUSE Bug 1158095
- SUSE CVE CVE-2019-14889 page
Description
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
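Until the updated package is installed, an application that passes user input to ssh_scp_new() can refuse any path containing bytes the remote shell would interpret. The following is an added example of such a caller-side allowlist check, not code from libssh or from this advisory; `check_scp_location`, the `LOC_*` codes and the `LOC_MAX` limit are hypothetical names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum loc_check { LOC_OK = 0, LOC_EMPTY, LOC_TOO_LONG, LOC_OPTION_LIKE, LOC_BAD_CHAR };

#define LOC_MAX 1024  /* assumed application limit, not a libssh constant */

/* Validate a user-supplied remote path before it is used as the third
 * (location) argument of ssh_scp_new(). Allowlist only: any byte that has a
 * meaning to the remote shell (; | & $ ` ' " \ space, newline, ...) is
 * rejected rather than escaped. On LOC_BAD_CHAR, *bad_at (if non-NULL)
 * receives the offset of the first rejected byte. */
enum loc_check check_scp_location(const char *loc, size_t *bad_at)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789/._-";
    size_t len, good;

    if (loc == NULL || *loc == '\0')
        return LOC_EMPTY;
    len = strlen(loc);
    if (len > LOC_MAX)
        return LOC_TOO_LONG;
    if (loc[0] == '-')
        return LOC_OPTION_LIKE;   /* would be parsed as an scp option */
    good = strspn(loc, allowed);  /* length of the leading allowed run */
    if (good != len) {
        if (bad_at != NULL)
            *bad_at = good;
        return LOC_BAD_CHAR;
    }
    return LOC_OK;
}

/* Intended call site (requires libssh, shown as a comment only):
 *
 *   if (check_scp_location(user_path, NULL) != LOC_OK)
 *       return -1;                          // refuse, do not try to repair
 *   scp = ssh_scp_new(session, SSH_SCP_WRITE, user_path);
 */
```

The allowlist is deliberately strict; file names with spaces or non-ASCII characters are refused and need a separate, reviewed handling path.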
Affected products
Container suse/sle15:15.0:libssh4-0.7.5-6.6.1
Image SLES15-Azure-BYOS:libssh4-0.7.5-6.6.1
Image SLES15-EC2-CHOST-HVM-BYOS:libssh4-0.7.5-6.6.1
Image SLES15-EC2-HVM-BYOS:libssh4-0.7.5-6.6.1
References
- CVE-2019-14889
- SUSE Bug 1158095
- SUSE Bug 1224871