Alerts This Week
Warning Icon 1 905
Alerts This Week
Warning Icon 1 905

Gentoo: GLSA-202004-08 Low: libssh Denial of Service Issue

gentoo
Calendar Grey April 10, 2020
Dist Gentoo Esm H88
A weakness in libssh related to Denial of Service might allow distant adversaries to bring down servers. It is recommended to install the latest patch for safety.
A vulnerability in libssh could allow a remote attacker to cause a Denial of Service condition.

Summary

It was discovered that libssh could crash when AES-CTR ciphers are used.

Topics%20covered

Topics Covered

security advisory denial of service gentoo remote attack low severity libssh

Resolution

All libssh users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.4"

References

[ 1 ] CVE-2020-1730 https://nvd.nist.gov/vuln/detail/CVE-2020-1730

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202004-08
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
low
Lowest
Low
Medium
High
Critical

Severity: Low
Title: libssh: Denial of Service
Date: April 10, 2020
Bugs: #716788
ID: 202004-08

Topics%20covered

Topics Covered

security advisory denial of service gentoo remote attack low severity libssh

Synopsis

A vulnerability in libssh could allow a remote attacker to cause a Denial of Service condition.

Background

libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/libssh < 0.9.4 >= 0.9.4

Impact

===== A remote attacker running a malicious client or server could possibly crash the counterpart implemented with libssh and cause a Denial of Service condition.

Workaround

Disable AES-CTR ciphers. If you implement a server using libssh it is recommended to use a prefork model so each session runs in an own process.

Your message here