UbuntuUpdates.org

Package "libssh"

Name: libssh

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • tiny C SSH library (OpenSSL flavor)
  • tiny C SSH library - Development files (OpenSSL flavor)
  • tiny C SSH library - Documentation files
  • tiny C SSH library (gcrypt flavor)

Latest version: 0.10.4-2ubuntu0.3
Release: lunar (23.04)
Level: security
Repository: main

Other versions of "libssh" in Lunar

Repository  Area  Version
base        main  0.10.4-2
updates     main  0.10.4-2ubuntu0.3

Changelog

Version: 0.10.4-2ubuntu0.3 2024-01-22 15:07:09 UTC

  libssh (0.10.4-2ubuntu0.3) lunar-security; urgency=medium

  * SECURITY UPDATE: code injection via ProxyCommand/ProxyJump hostname
    - debian/patches/CVE-2023-6004-*.patch: validate hostnames.
    - CVE-2023-6004
  * SECURITY UPDATE: DoS via incorrect return value checks
    - debian/patches/CVE-2023-6918-*.patch: check return values.
    - CVE-2023-6918

 -- Marc Deslauriers <email address hidden> Wed, 10 Jan 2024 13:47:51 -0500

CVE-2023-6004 A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue
CVE-2023-6918 A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The r

Version: 0.10.4-2ubuntu0.2 2023-12-19 15:07:10 UTC

  libssh (0.10.4-2ubuntu0.2) lunar-security; urgency=medium

  * SECURITY UPDATE: Prefix truncation attack on BPP
    - debian/patches/CVE-2023-48795-1.patch: add client side mitigation.
    - debian/patches/CVE-2023-48795-2.patch: add server side mitigations.
    - debian/patches/CVE-2023-48795-3.patch: strip extensions from both kex
      lists for matching.
    - debian/patches/CVE-2023-48795-4.patch: tests: adjust calculation to
      strict kex.
    - CVE-2023-48795

 -- Marc Deslauriers <email address hidden> Mon, 18 Dec 2023 17:28:31 -0500

CVE-2023-48795 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integri

Version: 0.10.4-2ubuntu0.1 2023-06-05 16:07:31 UTC

  libssh (0.10.4-2ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential NULL dereference during rekeying with
    algorithm guessing
    - debian/patches/CVE-2023-1667-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-1667
  * SECURITY UPDATE: Authorization bypass in pki_verify_data_signature
    - debian/patches/CVE-2023-2283-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-2283

 -- Marc Deslauriers <email address hidden> Thu, 25 May 2023 13:11:29 -0400

CVE-2023-1667 A NULL pointer dereference was found in libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a deni
CVE-2023-2283 A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the `pki_verify_data_signature` functi


