LibSSH: Information disclosure

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201408-03 / libssh
Release Date August 10, 2014
Latest Revision August 10, 2014: 1
Impact low
Exploitable local
Package            Vulnerable versions   Unaffected versions   Architecture(s)
net-libs/libssh    < 0.6.3               >= 0.6.3              All supported architectures

Related bugreports: #503504

Synopsis

A vulnerability in LibSSH can result in leakage of private key information.

2.  Impact Information

Background

LibSSH is a C library implementing the SSHv2 and SSHv1 protocols.

Description

A new connection starts from the same PRNG state as its parent without re-seeding it from fresh random data; as a result, separate connections can draw identical "random" values.

Impact

Servers using ECC (ECDSA) or DSA certificates in non-deterministic mode may under certain conditions leak their private key. Both signature schemes require a fresh, unpredictable per-signature nonce; if the same nonce is reused for two signatures over different messages, the private key can be recovered from those two signatures.
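The following is an added illustration, not code from LibSSH or from this advisory. It models the behaviour described above with Python's random module: a server seeds its PRNG once, each connection handler starts from a copy of that state, and each handler draws a DSA/ECDSA-style nonce. Without re-seeding, every handler produces the same nonce; mixing in fresh entropy from os.urandom before any randomness is consumed (the constructed model of the fix) makes the nonces independent. The class and function names, the seed value and the 160-bit nonce size are constructed for this example.

```python
import os
import random


class ServerPRNG:
    """Constructed model of a server that seeds its PRNG once at start-up."""

    def __init__(self, seed_bytes: bytes) -> None:
        self._rng = random.Random(int.from_bytes(seed_bytes, "big"))

    def snapshot(self):
        # The state that a new connection would inherit from the parent.
        return self._rng.getstate()


def handle_connection(inherited_state, reseed: bool, nbits: int = 160) -> int:
    """Model of one connection handler drawing a per-signature nonce k.

    inherited_state: PRNG state copied from the parent (the vulnerable behaviour).
    reseed: when True, fresh entropy is mixed in before any value is drawn (the fix).
    """
    rng = random.Random()
    rng.setstate(inherited_state)
    if reseed:
        # Constructed model of re-seeding with random data after inheriting state.
        rng.seed(int.from_bytes(os.urandom(32), "big"))
    return rng.getrandbits(nbits)


def draw_nonces(reseed: bool, connections: int = 3) -> list:
    """Return the nonce each of several connections would use."""
    server = ServerPRNG(b"constructed-fixed-seed")
    state = server.snapshot()
    return [handle_connection(state, reseed) for _ in range(connections)]


def nonces_collide(reseed: bool, connections: int = 3) -> bool:
    """True if any two connections ended up with the same nonce."""
    ks = draw_nonces(reseed, connections)
    return len(set(ks)) < len(ks)


if __name__ == "__main__":
    print("without re-seeding, nonces collide:", nonces_collide(reseed=False))
    print("with re-seeding, nonces collide:   ", nonces_collide(reseed=True))
```

A nonce collision across connections is exactly the condition under which a DSA or ECDSA private key becomes recoverable, which is why the advisory rates the impact as private-key leakage rather than a mere loss of randomness quality. Deterministic nonce generation (the "deterministic mode" the advisory contrasts with) removes the dependence on PRNG state entirely.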

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All LibSSH users should upgrade to the latest version:

Code Listing 3.1: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.6.3"

4.  References



Page updated August 10, 2014
