UbuntuUpdates.org

Package "libssh"

Name: libssh

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • tiny C SSH library (OpenSSL flavor)
  • tiny C SSH library - Development files (OpenSSL flavor)
  • tiny C SSH library - Documentation files
  • tiny C SSH library (gcrypt flavor)

Latest version: 0.9.6-2ubuntu0.22.04.3
Release: jammy (22.04)
Level: security
Repository: main

Other versions of "libssh" in Jammy

Repository   Area   Version
base         main   0.9.6-2build1
updates      main   0.9.6-2ubuntu0.22.04.3


Changelog

Version: 0.9.6-2ubuntu0.22.04.3 2024-01-23 04:06:52 UTC

  libssh (0.9.6-2ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: code injection via ProxyCommand/ProxyJump hostname
    - debian/patches/CVE-2023-6004-*.patch: validate hostnames.
    - CVE-2023-6004
  * SECURITY UPDATE: DoS via incorrect return value checks
    - debian/patches/CVE-2023-6918-*.patch: check return values.
    - CVE-2023-6918

 -- Marc Deslauriers <email address hidden> Thu, 11 Jan 2024 07:44:15 -0500

CVE-2023-6004 A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue
CVE-2023-6918 A flaw was found in libssh's abstract layer for message digest (MD) operations, which is implemented by the different supported crypto backends. The r

Version: 0.9.6-2ubuntu0.22.04.2 2023-12-19 16:08:33 UTC

  libssh (0.9.6-2ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Prefix truncation attack on BPP
    - debian/patches/CVE-2023-48795-1.patch: add client side mitigation.
    - debian/patches/CVE-2023-48795-2.patch: add server side mitigations.
    - debian/patches/CVE-2023-48795-3.patch: strip extensions from both kex
      lists for matching.
    - debian/patches/CVE-2023-48795-4.patch: tests: adjust calculation to
      strict kex.
    - CVE-2023-48795

 -- Marc Deslauriers <email address hidden> Mon, 18 Dec 2023 17:30:05 -0500

CVE-2023-48795 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integri

Version: 0.9.6-2ubuntu0.22.04.1 2023-06-05 16:07:22 UTC

  libssh (0.9.6-2ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential NULL dereference during rekeying with
    algorithm guessing
    - debian/patches/CVE-2023-1667-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-1667
  * SECURITY UPDATE: Authorization bypass in pki_verify_data_signature
    - debian/patches/CVE-2023-2283-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-2283

 -- Marc Deslauriers <email address hidden> Fri, 26 May 2023 06:31:25 -0400

CVE-2023-1667 A NULL pointer dereference was found in libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a deni
CVE-2023-2283 A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the `pki_verify_data_signature` functi


