Advisories » MGASA-2015-0107

Updated libssh2 packages fix CVE-2015-1782

Publication date: 12 Mar 2015
Modification date: 12 Mar 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-1782

Description

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was reading
and using the SSH_MSG_KEXINIT packet without doing sufficient range checks
when negotiating a new SSH session with a remote server. An attacker
could man-in-the-middle a real server and cause a client using the libssh2
library to crash (denial of service) or otherwise read and use unintended
memory areas in this process (CVE-2015-1782).
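
The kind of range check the description refers to, as an added example: this is not libssh2's code or its fix. It parses the SSH_MSG_KEXINIT layout from RFC 4253 section 7.1 and compares every peer-supplied length with the bytes actually left in the packet. All function and struct names are hypothetical, and the sample packet is constructed.

```c
#include <stdint.h>
#include <string.h>

#define SSH_MSG_KEXINIT 20   /* message number, RFC 4253 */
#define COOKIE_LEN      16
#define NUM_NAMELISTS   10   /* kex, host key, 2x enc, 2x mac, 2x comp, 2x lang */

struct namelist { const uint8_t *data; uint32_t len; };

/* Read one uint32-length-prefixed name-list; invariant: *off <= len. */
static int read_namelist(const uint8_t *p, size_t len, size_t *off,
                         struct namelist *out)
{
    if (len - *off < 4) return -1;             /* length field itself missing */
    const uint8_t *q = p + *off;
    uint32_t n = ((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) |
                 ((uint32_t)q[2] << 8) | q[3];
    *off += 4;
    if (n > len - *off) return -1;             /* peer-claimed length > bytes left */
    out->data = p + *off;
    out->len = n;
    *off += n;
    return 0;
}

/* Returns 0 for a well-formed KEXINIT payload, -1 for anything else. */
int parse_kexinit(const uint8_t *p, size_t len, struct namelist lists[NUM_NAMELISTS])
{
    size_t off = 1 + COOKIE_LEN;
    if (p == NULL || len < off || p[0] != SSH_MSG_KEXINIT) return -1;
    for (int i = 0; i < NUM_NAMELISTS; i++)
        if (read_namelist(p, len, &off, &lists[i]) != 0) return -1;
    return (len - off >= 5) ? 0 : -1;          /* first_kex_packet_follows + reserved */
}

/* Constructed sample: ten "none" lists; the first length field is set to first_len. */
int check_sample(uint32_t first_len)
{
    uint8_t buf[128] = { SSH_MSG_KEXINIT };    /* cookie and trailer stay zero */
    struct namelist lists[NUM_NAMELISTS];
    size_t off = 1 + COOKIE_LEN;
    for (int i = 0; i < NUM_NAMELISTS; i++, off += 8) {
        buf[off + 3] = 4;                      /* big-endian length 4 */
        memcpy(buf + off + 4, "none", 4);
    }
    buf[17] = (uint8_t)(first_len >> 24); buf[18] = (uint8_t)(first_len >> 16);
    buf[19] = (uint8_t)(first_len >> 8);  buf[20] = (uint8_t)first_len;
    return parse_kexinit(buf, off + 5, lists);
}
```

The comparison is written as `n > len - *off` rather than `*off + n > len` so that a huge claimed length cannot wrap the sum around and pass the check.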
                

References

SRPMS

4/core