Advisories » MGASA-2016-0392

Updated libssh2 packages fix security vulnerability

Publication date: 21 Nov 2016
Modification date: 21 Nov 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-0787

Description

Andreas Schneider reported that libssh2 passes the number of bytes to a
function that expects number of bits during the SSHv2 handshake when
libssh2 is to get a suitable value for 'group order' in the Diffie-Hellman
negotiation. This weakens significantly the handshake security,
potentially allowing an eavesdropper with enough resources to decrypt or
intercept SSH sessions (CVE-2016-0787).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=17813
• https://www.libssh2.org/adv_20160223.html
• https://www.debian.org/security/2016/dsa-3487
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787

SRPMS

5/core

• libssh2-1.4.3-6.1.mga5