libssh2-1.4.2-3.AXS4.1
Errata ID: AXSA:2019-3922:01
Release date:
2019/07/02 Tuesday - 12:49
Title:
libssh2-1.4.2-3.AXS4.1
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
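- libssh2 has an integer overflow in the reading of packets from the
server that leads to an out-of-bounds write. This vulnerability allows
a remote attacker to execute arbitrary code on the client system when
a user connects to an SSH server. (CVE-2019-3855)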
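- libssh2 has an integer overflow in the parsing of keyboard prompt
requests that leads to an out-of-bounds write. This vulnerability allows
a remote attacker to execute arbitrary code on the client system when
a user connects to an SSH server. (CVE-2019-3856)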
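- libssh2 has an integer overflow that leads to an out-of-bounds write
when parsing packets containing SSH_MSG_CHANNEL_REQUEST with an exit
signal. This vulnerability allows a remote attacker to execute arbitrary
code on the client system when a user connects to an SSH server.
(CVE-2019-3857)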
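- libssh2 has a vulnerability in which a server can send multiple
keyboard-interactive response messages whose total length exceeds the
maximum value of an unsigned char, causing an out-of-bounds memory
write. (CVE-2019-3863)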
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2019-3855
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
CVE-2019-3856
An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
CVE-2019-3857
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
CVE-2019-3863
A flaw was found in libssh2 before 1.8.1. A server could send multiple keyboard interactive response messages whose total length is greater than unsigned char max characters. This value is used as an index to copy memory, causing an out of bounds memory write error.
Additional information:
N/A
Downloads:
SRPMS
- libssh2-1.4.2-3.AXS4.1.src.rpm
MD5: 80903a5928b27079a3d0102efc693adf
SHA-256: 3c3819f1c9d0d8fea8587e74946ebeb7a7e0362fc3f637b613ab9027c8066b5f
Size: 680.62 kB
Asianux Server 4 for x86
- libssh2-1.4.2-3.AXS4.1.i686.rpm
MD5: e005861e52c46f344115999e92f118ee
SHA-256: e5b22250adb141715392c4d6f24bf82d0d136dfac75ba438db1c0f94a487cb07
Size: 124.18 kB
Asianux Server 4 for x86_64
- libssh2-1.4.2-3.AXS4.1.x86_64.rpm
MD5: 1fd833ba62e6e51b84b7474b00f1010c
SHA-256: 404e1bedf5e9e301bde88351b3645c4d551c72ac6135efc4c5f072baff3baf12
Size: 122.46 kB
- libssh2-1.4.2-3.AXS4.1.i686.rpm
MD5: e005861e52c46f344115999e92f118ee
SHA-256: e5b22250adb141715392c4d6f24bf82d0d136dfac75ba438db1c0f94a487cb07
Size: 124.18 kB