GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Fri Apr 10, 2020 10:26 pm Post subject: [ GLSA 202004-08 ] libssh |
 |
|
Gentoo Linux Security Advisory
Title: libssh: Denial of Service (GLSA 202004-08)
Severity: low
Exploitable: remote
Date: 2020-04-10
Bug(s): #716788
ID: 202004-08
Synopsis
A vulnerability in libssh could allow a remote attacker to cause a
Denial of Service condition.
Background
libssh is a multiplatform C library implementing the SSHv2 protocol on
client and server side.
Affected Packages
Package: net-libs/libssh
Vulnerable: < 0.9.4
Unaffected: >= 0.9.4
Architectures: All supported architectures
Description
It was discovered that libssh could crash when AES-CTR ciphers are used.
Impact
A remote attacker running a malicious client or server could possibly
crash the counterpart implemented with libssh and cause a Denial of
Service condition.
Workaround
Disable AES-CTR ciphers. If you implement a server using libssh it is
recommended to use a prefork model so each session runs in an own
process.
Resolution
All libssh users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.4"
|
References
CVE-2020-1730 |
|
News & Announcements
