[gentoo-announce] [ GLSA 202004-08 ] libssh: Denial of Service - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202004-08 ] libssh: Denial of Service
Date:	Fri, 10 Apr 2020 21:49:16
Message-Id:	`f11e580a-5c80-ae2a-d29f-372a5c72fe89@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202004-08

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Low

8

    Title: libssh: Denial of Service

9

     Date: April 10, 2020

10

     Bugs: #716788

11

       ID: 202004-08

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability in libssh could allow a remote attacker to cause a

19

Denial of Service condition.

20

21

Background

22

==========

23

24

libssh is a multiplatform C library implementing the SSHv2 protocol on

25

client and server side.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  net-libs/libssh              < 0.9.4                    >= 0.9.4

34

35

Description

36

===========

37

38

It was discovered that libssh could crash when AES-CTR ciphers are

39

used.

40

41

Impact

42

======

43

44

A remote attacker running a malicious client or server could possibly

45

crash the counterpart implemented with libssh and cause a Denial of

46

Service condition.

47

48

Workaround

49

==========

50

51

Disable AES-CTR ciphers. If you implement a server using libssh it is

52

recommended to use a prefork model so each session runs in an own

53

process.

54

55

Resolution

56

==========

57

58

All libssh users should upgrade to the latest version:

59

60

  # emerge --sync

61

  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.4"

62

63

References

64

==========

65

66

[ 1 ] CVE-2020-1730

67

      https://nvd.nist.gov/vuln/detail/CVE-2020-1730

68

69

Availability

70

============

71

72

This GLSA and any updates to it are available for viewing at

73

the Gentoo Security Website:

74

75

 https://security.gentoo.org/glsa/202004-08

76

77

Concerns?

78

=========

79

80

Security is a primary focus of Gentoo Linux and ensuring the

81

confidentiality and security of our users' machines is of utmost

82

importance to us. Any security concerns should be addressed to

83

security@g.o or alternatively, you may file a bug at

84

https://bugs.gentoo.org.

85

86

License

87

=======

88

89

Copyright 2020 Gentoo Foundation, Inc; referenced text

90

belongs to its owner(s).

91

92

The contents of this document are licensed under the

93

Creative Commons - Attribution / Share Alike license.

94

95

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202004-08
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: libssh: Denial of Service
9	Date: April 10, 2020
10	Bugs: #716788
11	ID: 202004-08
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability in libssh could allow a remote attacker to cause a
19	Denial of Service condition.
20
21	Background
22	==========
23
24	libssh is a multiplatform C library implementing the SSHv2 protocol on
25	client and server side.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 net-libs/libssh < 0.9.4 >= 0.9.4
34
35	Description
36	===========
37
38	It was discovered that libssh could crash when AES-CTR ciphers are
39	used.
40
41	Impact
42	======
43
44	A remote attacker running a malicious client or server could possibly
45	crash the counterpart implemented with libssh and cause a Denial of
46	Service condition.
47
48	Workaround
49	==========
50
51	Disable AES-CTR ciphers. If you implement a server using libssh it is
52	recommended to use a prefork model so each session runs in an own
53	process.
54
55	Resolution
56	==========
57
58	All libssh users should upgrade to the latest version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.4"
62
63	References
64	==========
65
66	[ 1 ] CVE-2020-1730
67	https://nvd.nist.gov/vuln/detail/CVE-2020-1730
68
69	Availability
70	============
71
72	This GLSA and any updates to it are available for viewing at
73	the Gentoo Security Website:
74
75	https://security.gentoo.org/glsa/202004-08
76
77	Concerns?
78	=========
79
80	Security is a primary focus of Gentoo Linux and ensuring the
81	confidentiality and security of our users' machines is of utmost
82	importance to us. Any security concerns should be addressed to
83	security@g.o or alternatively, you may file a bug at
84	https://bugs.gentoo.org.
85
86	License
87	=======
88
89	Copyright 2020 Gentoo Foundation, Inc; referenced text
90	belongs to its owner(s).
91
92	The contents of this document are licensed under the
93	Creative Commons - Attribution / Share Alike license.
94
95	https://creativecommons.org/licenses/by-sa/2.5