Advisories ยป MGASA-2015-0209

Updated libssh packages fix CVE-2015-3146

Publication date: 11 May 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2015-3146


Updated libssh packages fix security vulnerability:

libssh versions 0.5.1 and above, but before 0.6.5, have a logical error in the
handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected
error did not set the session into the error state correctly and further
processed the packet which leads to a null pointer dereference. This is the
packet after the initial key exchange and doesn't require authentication.
This could be used for a Denial of Service (DoS) attack (CVE-2015-3146).