Information disclosure in libssh2
ID: FEDORA-2016-215a2219b1
Distribution: Fedora
Platforms: Fedora 23
Date: Sat, 27 February 2016, 10:25
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787
Applications: libssh2

Original message:
Name        : libssh2
Product     : Fedora 23
Version     : 1.6.0
Release     : 4.fc23
URL         : http://www.libssh2.org/
Summary     : A library implementing the SSH2 protocol
Description :
libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10).

--------------------------------------------------------------------------------
Update Information:

During the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffie Hellman negotiation, it would pass in number of bytes to a function that expected number of bits. This would result in the library generating numbers using only an 8th the number of random bits than what were intended: 128 or 256 bits instead of 1023 or 2047.

Using such drastically reduced amount of random bits for Diffie Hellman weakened the handshake security significantly.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-0787 to this issue.

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1306021 - CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
        https://bugzilla.redhat.com/show_bug.cgi?id=1306021

--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use

    su -c 'yum update libssh2'

at the command line. For more information, refer to "Managing Software with yum", available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
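The bits/bytes confusion from the update information above, reproduced as an added example that is not part of the advisory and is not libssh2 code. `rand_bits`, `bit_length`, `dh_secret_bits` and the fixed demo byte stream are hypothetical stand-ins; the group sizes (128 and 256 bytes) follow the figures quoted in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reproducible byte stream so the demo runs offline. NOT a CSPRNG. */
static uint32_t demo_state = 0x9e3779b9u;
static unsigned char demo_byte(void) {
    demo_state ^= demo_state << 13;
    demo_state ^= demo_state >> 17;
    demo_state ^= demo_state << 5;
    return (unsigned char)(demo_state >> 11);
}

/* Hypothetical bignum RNG: fills out[0..len) with a big-endian number of
 * exactly `bits` BITS (top bit forced to 1). Returns 0 on success. */
static int rand_bits(unsigned char *out, size_t len, size_t bits) {
    size_t nbytes = (bits + 7) / 8;
    unsigned top = (unsigned)(bits % 8 ? bits % 8 : 8);
    if (bits == 0 || nbytes > len) return -1;
    memset(out, 0, len);
    for (size_t i = len - nbytes; i < len; i++) out[i] = demo_byte();
    out[len - nbytes] &= (unsigned char)(0xFFu >> (8 - top));
    out[len - nbytes] |= (unsigned char)(1u << (top - 1));
    return 0;
}

/* Position of the highest set bit, i.e. the size of the number in bits. */
static size_t bit_length(const unsigned char *n, size_t len) {
    for (size_t i = 0; i < len; i++)
        for (int b = 7; n[i] && b >= 0; b--)
            if (n[i] >> b) return (len - i - 1) * 8 + (size_t)b + 1;
    return 0;
}

/* Generate a DH private value for a group of `group_bytes` bytes and report
 * its size in bits. bits_fix = 0 passes the byte count where bits are
 * expected (the confusion described above); 1 converts to bits first. */
size_t dh_secret_bits(size_t group_bytes, int bits_fix) {
    unsigned char x[512];
    size_t want = bits_fix ? group_bytes * 8 - 1 : group_bytes;
    if (group_bytes == 0 || group_bytes > sizeof x) return 0;
    if (rand_bits(x, group_bytes, want) != 0) return 0;
    return bit_length(x, group_bytes);
}

int main(void) {
    for (size_t g = 128; g <= 256; g *= 2)
        printf("%zu-byte group: buggy=%zu bits, fixed=%zu bits\n",
               g, dh_secret_bits(g, 0), dh_secret_bits(g, 1));
    return 0;
}
```

A regression test for this class of bug can assert on the bit length of the generated private value rather than on the success of the handshake, since the weakened exchange still completes normally.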