libssh-0.9.6-3.el8
Errata ID: AXSA:2022-3399:01
Release date:
2022/07/05 Tuesday - 05:41
Title:
libssh-0.9.6-3.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
Low
Description:
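The following issue has been addressed.
[Security Fix]
- libssh has a memory corruption vulnerability that occurs when the key
exchange method is changed during key re-exchange and the session_id and
secret_hash values needed to maintain the SSH session end up with different sizes.
(CVE-2021-3634)
Solution:
Update the packages.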
CVE:
CVE-2021-3634
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, the previous session_id is kept and used as an input to the new secret_hash. Historically, both of these buffers shared a single length variable, which worked as long as the buffers were the same. But the key re-exchange operation can also change the key exchange method, which can be based on a hash of a different size, eventually creating a secret_hash of a different size than the session_id. This becomes an issue when the session_id memory is zeroed or when it is used again during a second key re-exchange.
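The length mismatch described above, modelled as an added C example (not libssh's code and not part of the advisory). The names `kex_state`, `kex_finish`, `shared_len_overrun` and `kex_clear` are hypothetical, and the 32- and 64-byte digests are constructed stand-ins for a re-exchange that moves from a SHA-256 based method to a SHA-512 based one.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_DIGEST 64            /* largest digest modelled here (SHA-512) */
/* Hypothetical model of the two session secrets; not libssh's real structures. */
struct kex_state {
    unsigned char *session_id;   /* fixed after the first key exchange */
    size_t session_id_len;       /* hardened: session_id carries its own length */
    unsigned char secret_hash[MAX_DIGEST]; /* replaced on every (re-)exchange */
    size_t digest_len;           /* length of secret_hash only */
};

/* Store the exchange hash; on the first exchange it also becomes session_id. */
int kex_finish(struct kex_state *s, const unsigned char *hash, size_t len)
{
    if (len > MAX_DIGEST) return -1;
    memcpy(s->secret_hash, hash, len);
    s->digest_len = len;
    if (s->session_id != NULL) return 0;      /* re-exchange keeps the old id */
    s->session_id = malloc(len);
    if (s->session_id == NULL) return -1;
    memcpy(s->session_id, hash, len);
    s->session_id_len = len;
    return 0;
}

/* Bytes beyond session_id that a single shared length (digest_len) would cover. */
size_t shared_len_overrun(const struct kex_state *s)
{
    return s->digest_len > s->session_id_len ? s->digest_len - s->session_id_len : 0;
}

/* Hardened cleanup: wipe session_id using its own length, never digest_len. */
size_t kex_clear(struct kex_state *s)
{
    size_t wiped = s->session_id ? s->session_id_len : 0;
    if (wiped) memset(s->session_id, 0, wiped); /* real code: explicit_bzero() */
    free(s->session_id);
    s->session_id = NULL;
    return wiped;
}

int main(void)
{
    unsigned char h[MAX_DIGEST] = {0};        /* constructed sample digest bytes */
    struct kex_state s = {0};
    if (kex_finish(&s, h, 32) || kex_finish(&s, h, 64)) return 1;
    return (shared_len_overrun(&s) == 32 && kex_clear(&s) == 32) ? 0 : 1;
}
```

With one shared length, the wipe in `kex_clear` would have covered 64 bytes of a 32-byte allocation; tracking `session_id_len` separately keeps it at 32.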
Additional information:
N/A
Download:
SRPMS
- libssh-0.9.6-3.el8.src.rpm
MD5: 90337de9a483ff235419b01a5cdad3f1
SHA-256: 6ee7dbc4ea864f03b27b1ee5f3f99699866182eda457bed385e50d6d1792d4b5
Size: 1.03 MB
Asianux Server 8 for x86_64
- libssh-0.9.6-3.el8.x86_64.rpm
MD5: c6c3686eeda7c2b9696a96a29ff51513
SHA-256: e888016278542e6bba9ec238165b1be244d2ee9c73476cc8206463d05907faba
Size: 215.16 kB
- libssh-config-0.9.6-3.el8.noarch.rpm
MD5: 80ea04cb0cdb76116ff33abc545b2166
SHA-256: 0e490b358c9c8e0f06a9c646a52f04da9f0d0b20945aaae5efbbbb3710047537
Size: 18.28 kB
- libssh-devel-0.9.6-3.el8.x86_64.rpm
MD5: 20484b47b316c22c23e780d725d73364
SHA-256: 0d96a12cb03e1a046653da47a72dd579b751c4eea4bedd4c91c64764aa487d0e
Size: 437.58 kB
- libssh-0.9.6-3.el8.i686.rpm
MD5: bfb1bee30e8a6e2072d5b33ae95289b9
SHA-256: b862bf0f720704227e052a377c6376d13dbc89b7f716e711582d214fc2ff4913
Size: 235.01 kB
- libssh-devel-0.9.6-3.el8.i686.rpm
MD5: aeaf14fb176c3b6682bf4845f4fb2ec6
SHA-256: 670c45ac75ba96b6688e5bc28833b0371ed0c4bc0f29fc26148326407555f0b6
Size: 437.62 kB