
LibSSH: Information disclosure


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201408-03 / libssh
Release Date August 10, 2014
Latest Revision August 10, 2014: 1
Impact low
Exploitable local
Package: net-libs/libssh
Vulnerable versions: < 0.6.3
Unaffected versions: >= 0.6.3
Architecture(s): All supported architectures

Related bugreports: #503504


A vulnerability in LibSSH can result in leakage of private key information.

2.  Impact Information


LibSSH is a C library implementing the SSHv2 and SSHv1 protocols, for both clients and servers.


When the server forks a child process to handle a new connection, the child inherits the parent's PRNG state and does not re-seed it with fresh random data, so different connection handlers can draw identical "random" values.


Servers authenticating with ECC (ECDSA) or DSA host keys are most exposed: both schemes require a fresh, secret per-signature nonce, and when nonces are generated non-deterministically from this shared PRNG state, two connections can be signed with the same nonce. Two DSA or ECDSA signatures over different messages that share a nonce allow anyone who observes them to compute the server's private key.
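The two paragraphs above describe a chain: duplicated PRNG state across forked handlers, then nonce reuse in DSA/ECDSA, then private-key recovery. The following is an added illustration of that chain in Python; it is not libssh code and does not reproduce libssh's PRNG. The fork is modelled by copying a seeded `random.Random` object (which is what `fork(2)` does to process memory), the signature scheme is textbook DSA over a small constructed toy group, and the messages, seed and function names are all assumptions for the example. The same `simulate()` is run twice, once with the inherited state left alone and once with the child re-seeding from `os.urandom`, which models the fix.

```python
"""Toy model of the failure mode in this advisory (added example, not libssh
code).  A connection handler "forked" from the parent inherits the parent's
PRNG state, two handlers therefore draw the same DSA nonce k for different
messages, and anyone holding both signatures recovers the private key.
The DSA group below is a constructed toy group; never use it for real keys."""
import copy
import hashlib
import os
import random


def is_prime(n):
    """Trial division; adequate for the toy parameter sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def toy_dsa_params(q=2_147_483_647):
    """Return (p, q, g): q prime, q divides p-1, g has order q mod p."""
    assert is_prime(q)
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
    raise ValueError("no element of order q")


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def dsa_sign(params, x, msg, k):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x*r) mod q."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hash_to_int(msg, q) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, caller must retry")
    return r, s


def dsa_verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_to_int(msg, q) * w) % q
    u2 = (r * w) % q
    return ((pow(g, u1, p) * pow(y, u2, p)) % p) % q == r


def handle_connection(params, x, rng, msg, reseed):
    """One forked child signing msg with a nonce from the PRNG it inherited.
    reseed=True models the fix: mix fresh OS entropy into the child's PRNG."""
    if reseed:
        rng.seed(os.urandom(32))
    k = rng.randrange(1, params[1])  # per-signature nonce, must be unique
    return dsa_sign(params, x, msg, k)


def recover_private_key(params, msg1, sig1, msg2, sig2):
    """Two signatures with equal r (hence equal k) on different messages leak x:
    k = (h1 - h2) / (s1 - s2) mod q, then x = (s1*k - h1) / r mod q."""
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs, nonces were distinct; attack does not apply")
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = ((h1 - h2) * pow(s1 - s2, -1, q)) % q
    return ((s1 * k - h1) * pow(r1, -1, q)) % q


def simulate(reseed_children):
    """Parent seeds once; two children are 'forked' by copying that state.
    Returns (private key, recovered key or None, both signatures valid)."""
    params = toy_dsa_params()
    p, q, g = params
    parent_rng = random.Random(20140810)   # assumed seed, parent seeds once
    x = parent_rng.randrange(1, q)         # host private key
    y = pow(g, x, p)
    msg_a = b"session A: exchange hash"    # constructed sample messages
    msg_b = b"session B: exchange hash"
    child_a = copy.deepcopy(parent_rng)    # fork(): PRNG state duplicated
    child_b = copy.deepcopy(parent_rng)
    sig_a = handle_connection(params, x, child_a, msg_a, reseed_children)
    sig_b = handle_connection(params, x, child_b, msg_b, reseed_children)
    valid = dsa_verify(params, y, msg_a, sig_a) and dsa_verify(params, y, msg_b, sig_b)
    try:
        recovered = recover_private_key(params, msg_a, sig_a, msg_b, sig_b)
    except ValueError:
        recovered = None
    return x, recovered, valid


if __name__ == "__main__":
    for reseed in (False, True):
        x, rec, ok = simulate(reseed)
        print("re-seed child:", reseed, "| key recovered:", rec == x,
              "| signatures valid:", ok)
```

Both runs produce valid signatures, so nothing in the protocol flags the problem; only the first run (inherited state, no re-seed) yields `r` values that collide and lets `recover_private_key` return the exact host key. This is why the fix is re-seeding after fork and why deterministic nonce derivation (RFC 6979) removes the dependency on PRNG quality altogether.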

3.  Resolution Information


There is no known workaround at this time.


All LibSSH users should upgrade to the latest version:

Code Listing 3.1: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.6.3"

4.  References


Page updated August 10, 2014
