UbuntuUpdates.org

Package "libssh-gcrypt-4"

Name: libssh-gcrypt-4

Description: tiny C SSH library (gcrypt flavor)

Latest version: 0.10.5-3ubuntu1.2
Release: mantic (23.10)
Level: security
Repository: main
Head package: libssh
Homepage: https://www.libssh.org/

Other versions of "libssh-gcrypt-4" in Mantic

Repository Area Version
base main 0.10.5-3ubuntu1
updates main 0.10.5-3ubuntu1.2

Changelog

Version: 0.10.5-3ubuntu1.2 2024-01-22 15:07:11 UTC

  libssh (0.10.5-3ubuntu1.2) mantic-security; urgency=medium

  * SECURITY UPDATE: code injection via ProxyCommand/ProxyJump hostname
    - debian/patches/CVE-2023-6004-*.patch: validate hostnames.
    - CVE-2023-6004
  * SECURITY UPDATE: DoS via incorrect return value checks
    - debian/patches/CVE-2023-6918-*.patch: check return values.
    - CVE-2023-6918

 -- Marc Deslauriers <email address hidden> Wed, 10 Jan 2024 13:47:51 -0500

CVE-2023-6004 A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue
CVE-2023-6918 A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The r

Version: 0.10.5-3ubuntu1.1 2023-12-21 16:06:55 UTC

  libssh (0.10.5-3ubuntu1.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Prefix truncation attack on BPP
    - debian/patches/CVE-2023-48795-1.patch: add client side mitigation.
    - debian/patches/CVE-2023-48795-2.patch: add server side mitigations.
    - debian/patches/CVE-2023-48795-3.patch: strip extensions from both kex
      lists for matching.
    - debian/patches/CVE-2023-48795-4.patch: tests: adjust calculation to
      strict kex.
    - CVE-2023-48795

 -- Marc Deslauriers <email address hidden> Mon, 18 Dec 2023 17:18:26 -0500

CVE-2023-48795 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integri


