Alerts This Week
Warning Icon 1 485
Alerts This Week
Warning Icon 1 485

Debian: DSA-2023-085 Medium: OpenSSL Denial of Service Risk

gentoo
Calendar Grey March 15, 2020
Dist Gentoo Esm H88
A critical libssh flaw presents significant dangers of executing remote commands on Gentoo systems. Access key security advisory information here.
A vulnerability in libssh could allow a remote attacker to execute arbitrary commands.

Summary

It was discovered that libssh incorrectly handled certain scp commands.

Resolution

All libssh users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.3"

References

[ 1 ] CVE-2019-14889 https://nvd.nist.gov/vuln/detail/CVE-2019-14889

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202003-27
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: libssh: Arbitrary command execution
Date: March 15, 2020
Bugs: #701598
ID: 202003-27

Synopsis

A vulnerability in libssh could allow a remote attacker to execute arbitrary commands.

Background

libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/libssh < 0.9.3 >= 0.9.3

Impact

===== A remote attacker could trick a victim into using a specially crafted scp command, possibly resulting in the execution of arbitrary commands on the server.

Workaround

There is no known workaround at this time.

Your message here