libssh-0.9.6-3.el8
Errata ID: AXSA:2022-3399:01
libssh is a library which implements the SSH protocol. It can be used to implement client and server applications.
The following packages have been upgraded to a later upstream version: libssh (0.9.6). (BZ#1896651)
Security Fix(es):
* libssh: possible heap-based buffer overflow when rekeying (CVE-2021-3634)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Asianux Server 8.6 Release Notes linked from the References section.
CVE-2021-3634
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after a key re-exchange, the previous session_id is kept and used as an input to the new secret_hash. Historically, both of these buffers shared a single length variable, which worked as long as the buffers were the same. But the key re-exchange operation can also change the key exchange method, which can be based on a hash of a different size, eventually creating a "secret_hash" of a different size than the session_id. This becomes an issue when the session_id memory is zeroed or when it is used again during a second key re-exchange.
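The shared-length problem described above, modelled in C as an added example (not libssh's code). The struct, the function names and the 32- and 64-byte digest sizes are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the session state; hypothetical names, not libssh's structs. */
struct kex_state {
    unsigned char *session_id;  /* set once, at the first key exchange */
    size_t session_id_len;      /* hardened: session_id has its own length */
    unsigned char *secret_hash; /* replaced at every key (re-)exchange */
    size_t digest_len;          /* length of secret_hash only */
};

/* Complete a key exchange whose hash is hash_len bytes long; 0 on success. */
static int kex_finish(struct kex_state *s, size_t hash_len)
{
    unsigned char *h = calloc(1, hash_len); /* stands in for the exchange hash */
    if (h == NULL) return -1;
    if (s->session_id == NULL) {            /* first exchange: session_id = hash */
        s->session_id = malloc(hash_len);
        if (s->session_id == NULL) { free(h); return -1; }
        memcpy(s->session_id, h, hash_len);
        s->session_id_len = hash_len;
    }
    free(s->secret_hash);
    s->secret_hash = h;
    s->digest_len = hash_len;
    return 0;
}

/* Bytes the old shared-length pattern (digest_len for both) would overrun session_id by. */
static size_t overrun_bytes(const struct kex_state *s)
{
    return s->digest_len > s->session_id_len ? s->digest_len - s->session_id_len : 0;
}

/* Hardened cleanup: each buffer is wiped with its own length. */
static void kex_free(struct kex_state *s)
{
    if (s->session_id) { memset(s->session_id, 0, s->session_id_len); free(s->session_id); }
    if (s->secret_hash) { memset(s->secret_hash, 0, s->digest_len); free(s->secret_hash); }
    memset(s, 0, sizeof(*s));
}

int main(void)
{
    struct kex_state s = {0};
    if (kex_finish(&s, 32) || kex_finish(&s, 64)) return 2; /* constructed: 32-byte hash, then 64-byte rekey */
    size_t n = overrun_bytes(&s);  /* 32 */
    kex_free(&s);
    return n == 32 ? 0 : 1;
}
```

Production code would wipe secrets with a call the compiler cannot elide, such as `explicit_bzero`, rather than plain `memset`.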
Update packages.
N/A
SRPMS
- libssh-0.9.6-3.el8.src.rpm
MD5: 90337de9a483ff235419b01a5cdad3f1
SHA-256: 6ee7dbc4ea864f03b27b1ee5f3f99699866182eda457bed385e50d6d1792d4b5
Size: 1.03 MB
Asianux Server 8 for x86_64
- libssh-0.9.6-3.el8.x86_64.rpm
MD5: c6c3686eeda7c2b9696a96a29ff51513
SHA-256: e888016278542e6bba9ec238165b1be244d2ee9c73476cc8206463d05907faba
Size: 215.16 kB
- libssh-config-0.9.6-3.el8.noarch.rpm
MD5: 80ea04cb0cdb76116ff33abc545b2166
SHA-256: 0e490b358c9c8e0f06a9c646a52f04da9f0d0b20945aaae5efbbbb3710047537
Size: 18.28 kB
- libssh-devel-0.9.6-3.el8.x86_64.rpm
MD5: 20484b47b316c22c23e780d725d73364
SHA-256: 0d96a12cb03e1a046653da47a72dd579b751c4eea4bedd4c91c64764aa487d0e
Size: 437.58 kB
- libssh-0.9.6-3.el8.i686.rpm
MD5: bfb1bee30e8a6e2072d5b33ae95289b9
SHA-256: b862bf0f720704227e052a377c6376d13dbc89b7f716e711582d214fc2ff4913
Size: 235.01 kB
- libssh-devel-0.9.6-3.el8.i686.rpm
MD5: aeaf14fb176c3b6682bf4845f4fb2ec6
SHA-256: 670c45ac75ba96b6688e5bc28833b0371ed0c4bc0f29fc26148326407555f0b6
Size: 437.62 kB