openSUSE-SU-2020:0102-1

Published: 25 Jan 2020
Source: suse-cvrf

Description

Security update for libssh

This update for libssh fixes the following issues:

  • CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Package list

openSUSE Leap 15.1
libssh-devel-0.8.7-lp151.2.9.1
libssh4-0.8.7-lp151.2.9.1
libssh4-32bit-0.8.7-lp151.2.9.1

Description

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
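A caller-side mitigation for applications that pass user-influenced paths as the third parameter of ssh_scp_new() and cannot yet install the fixed packages; this is an added example, not code from libssh or from the advisory. The helper name scp_quote_location and the sample paths are constructed for illustration, and it assumes the server runs the scp command through a POSIX shell.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Quote `in` as one POSIX-shell word: wrap it in single quotes and rewrite
 * each embedded ' as '\'' so the remote shell sees a single literal argument.
 * Returns the quoted length, or -1 if the input is NULL or empty, starts
 * with '-' (it would parse as an scp option), or does not fit in `out`.
 */
int scp_quote_location(const char *in, char *out, size_t outlen)
{
    size_t n = 0;

    if (in == NULL || out == NULL || in[0] == '\0' || in[0] == '-')
        return -1;
    if (outlen < 3)                      /* opening quote, closing quote, NUL */
        return -1;

    out[n++] = '\'';
    for (const char *p = in; *p != '\0'; p++) {
        /* always keep 2 bytes in reserve for the closing quote and NUL */
        if (*p == '\'') {
            if (n + 4 + 2 > outlen)
                return -1;
            memcpy(out + n, "'\\''", 4); /* close, escaped quote, reopen */
            n += 4;
        } else {
            if (n + 1 + 2 > outlen)
                return -1;
            out[n++] = *p;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample paths, including shell metacharacters. */
    const char *samples[] = { "/tmp/report.txt", "a'b", "$(x) y", "-r" };
    char quoted[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = scp_quote_location(samples[i], quoted, sizeof quoted);
        /* On success, `quoted` is what would be passed as the location
         * argument: ssh_scp_new(session, SSH_SCP_WRITE, quoted). */
        printf("%-18s -> %s\n", samples[i], len < 0 ? "(rejected)" : quoted);
    }
    return 0;
}
```

Use this only with library builds that place the location into the command unquoted; a library that already quotes the location would treat the added quotes as part of the path.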


Affected products
openSUSE Leap 15.1:libssh-devel-0.8.7-lp151.2.9.1
openSUSE Leap 15.1:libssh4-0.8.7-lp151.2.9.1
openSUSE Leap 15.1:libssh4-32bit-0.8.7-lp151.2.9.1

References