Updated libssh packages fix security vulnerability
Publication date: 20 Jan 2019
Modification date: 19 Jan 2019
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-10933
Description
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message that the server expects to initiate authentication, an attacker could successfully authenticate without any credentials (CVE-2018-10933).
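The description above amounts to a server acting on a message type that only a client should ever receive. The following C model is an added example, not libssh code: the `session` struct and function names are hypothetical, and it places a dispatcher with no role or state check beside one that filters inbound messages first (message numbers are from RFC 4252).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Message numbers from RFC 4252. */
#define SSH2_MSG_USERAUTH_REQUEST 50   /* client -> server */
#define SSH2_MSG_USERAUTH_SUCCESS 52   /* server -> client */

enum role { ROLE_CLIENT, ROLE_SERVER };
/* Hypothetical session state, not libssh's own structure. */
struct session { enum role role; bool authenticated; bool auth_request_pending; };

/* Flawed model: one handler table serves both roles, so the client-side
 * "authentication succeeded" handler also runs on a server. */
bool dispatch_flawed(struct session *s, uint8_t type, bool credentials_ok)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        if (s->role == ROLE_SERVER && credentials_ok)
            s->authenticated = true;
        return true;
    case SSH2_MSG_USERAUTH_SUCCESS:
        s->authenticated = true;       /* no role or state check */
        return true;
    default: return false;
    }
}

/* Hardened model: decide from role and state whether a type is acceptable. */
bool packet_allowed(const struct session *s, uint8_t type)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        return s->role == ROLE_SERVER && !s->authenticated;
    case SSH2_MSG_USERAUTH_SUCCESS:    /* never valid inbound on a server */
        return s->role == ROLE_CLIENT && s->auth_request_pending;
    default: return false;
    }
}

bool dispatch_hardened(struct session *s, uint8_t type, bool credentials_ok)
{
    return packet_allowed(s, type) && dispatch_flawed(s, type, credentials_ok);
}

int main(void)
{
    struct session a = { ROLE_SERVER, false, false }, b = a;
    dispatch_flawed(&a, SSH2_MSG_USERAUTH_SUCCESS, false);
    dispatch_hardened(&b, SSH2_MSG_USERAUTH_SUCCESS, false);
    printf("flawed=%d hardened=%d\n", a.authenticated, b.authenticated);
    return 0;
}
```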
References
- https://bugs.mageia.org/show_bug.cgi?id=23711
- https://www.libssh.org/security/advisories/CVE-2018-10933.txt
- https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
- https://www.libssh.org/2018/10/29/libssh-0-8-5-and-libssh-0-7-7/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10933
SRPMS
6/core
- libssh-0.7.7-1.mga6