Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 454
Alerts This Week
Warning Icon 1 454

Fedora 22: 2016-7942ee2cc5 Moderate: Libssh2 Weak Handshake

fedora
Calendar Grey March 9, 2016
Dist Fedora Esm H88
Fedora 22 has promptly fixed a libssh2 vulnerability impacting the SSH handshake, enhancing authentication. Users must apply updates to secure their systems.
During the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffle Hellman negotiation, it would pass in number of bytes to a function that expected...

Summary

libssh2 is a library implementing the SSH2 protocol as defined by

Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25),

SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*,

SECSH-DHGEX(04), and SECSH-NUMBERS(10).

Update Information:

During the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffle Hellman negotiation, it would pass in number of bytes to a function that expected number of bits. This would result in the library generating numbers using only an 8th the number of random bits than what were intended: 128 or 256 bits instead of 1023 or 2047 Using such drastically reduced amount of random bits for Diffie Hellman weakened the handshake security significantly. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-0787 to this issue.

Change Log

References


[ 1 ] Bug #1306021 - CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length https://bugzilla.redhat.com/show_bug.cgi?id=1306021

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update libssh2' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
important
Lowest
Low
Medium
High
Critical

Name: libssh2
Product: Fedora 22
Version: 1.5.0
Release: 2.fc22
Summary: A library implementing the SSH2 protocol

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.