LibSSH: Information disclosure — GLSA 201408-03

A vulnerability in LibSSH can result in leakage of private key information.

Affected packages

net-libs/libssh on all architectures
Affected versions < 0.6.3
Unaffected versions >= 0.6.3

Background

LibSSH is a C library providing SSHv2 and SSHv1.

Description

A new connection inherits the state of the PRNG without re-seeding with random data.

Impact

Servers using ECC (ECDSA) or DSA certificates in non-deterministic mode may under certain conditions leak their private key.

Workaround

There is no known workaround at this time.

Resolution

All LibSSH users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.6.3"
 

References

Release date
August 10, 2014

Latest revision
August 10, 2014: 1

Severity
low

Exploitable
local

Bugzilla entries