Security: Information disclosure in libssh2
Name: Information disclosure in libssh2
ID: FEDORA-2016-215a2219b1
Distribution: Fedora
Platforms: Fedora 23
Date: Sat, 27 February 2016, 10:25
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787

Original message

Name        : libssh2
Product     : Fedora 23
Version     : 1.6.0
Release     : 4.fc23
URL         : http://www.libssh2.org/
Summary     : A library implementing the SSH2 protocol
Description :
libssh2 is a library implementing the SSH2 protocol as defined by
Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25),
SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*,
SECSH-DHGEX(04), and SECSH-NUMBERS(10).

--------------------------------------------------------------------------------
Update Information:

During the SSHv2 handshake when libssh2 is to get a suitable value for 'group
order' in the Diffie Hellman negotiation, it would pass in number of bytes to a
function that expected number of bits. This would result in the library
generating numbers using only an 8th the number of random bits than what were
intended: 128 or 256 bits instead of 1023 or 2047. Using such drastically
reduced amount of random bits for Diffie Hellman weakened the handshake
security significantly. The Common Vulnerabilities and Exposures (CVE) project
has assigned the name CVE-2016-0787 to this issue.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1306021 - CVE-2016-0787 libssh2: bits/bytes confusion resulting in
truncated Diffie-Hellman secret length
https://bugzilla.redhat.com/show_bug.cgi?id=1306021
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update libssh2' at the command line.
For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
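
The bits/bytes confusion described under "Update Information", as an added example that is not libssh2's own code or part of the original message. All function names are hypothetical; `rand_bits` stands in for a bignum random call whose size argument is a bit count, and the `* 8 - 1` conversion is chosen to reproduce the advisory's 1023 and 2047.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BYTES 256  /* large enough for a 2048-bit group */

/* Hypothetical stand-in for a bignum random call that takes a size in BITS.
 * Writes an nbits-bit big-endian number into buf and forces the top bit so
 * the length is exact. rand() only keeps the demo dependency-free; it is
 * not a source of key material. */
static void rand_bits(unsigned char buf[MAX_BYTES], int nbits)
{
    int nbytes = (nbits + 7) / 8, top = (nbits - 1) % 8, i;
    memset(buf, 0, MAX_BYTES);
    for (i = MAX_BYTES - nbytes; i < MAX_BYTES; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
    buf[MAX_BYTES - nbytes] &= (unsigned char)((1u << (top + 1)) - 1);
    buf[MAX_BYTES - nbytes] |= (unsigned char)(1u << top);
}

/* Number of significant bits in the big-endian value held in buf. */
static int bit_length(const unsigned char buf[MAX_BYTES])
{
    int i = 0, bits;
    unsigned char m;
    while (i < MAX_BYTES && buf[i] == 0)
        i++;
    if (i == MAX_BYTES)
        return 0;
    bits = (MAX_BYTES - i) * 8;
    for (m = 0x80; !(buf[i] & m); m >>= 1)
        bits--;
    return bits;
}

static int generated_bits(int nbits)
{
    unsigned char x[MAX_BYTES];
    rand_bits(x, nbits);
    return bit_length(x);
}

/* Defect class from the advisory: a byte count passed where bits are expected. */
int secret_bits_buggy(int order_bytes) { return generated_bits(order_bytes); }

/* Corrected unit: convert the byte count to bits before the call. */
int secret_bits_fixed(int order_bytes) { return generated_bits(order_bytes * 8 - 1); }

int main(void)
{
    printf("1024-bit group: buggy=%d fixed=%d\n", secret_bits_buggy(128), secret_bits_fixed(128));
    printf("2048-bit group: buggy=%d fixed=%d\n", secret_bits_buggy(256), secret_bits_fixed(256));
    return 0;
}
```

Both calls compile without complaint because the argument is a plain `int` either way, so this defect class is found by checking the unit at each call site or by asserting on the bit length of the generated value in a test.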