Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 495
Alerts This Week
Warning Icon 1 495

SUSE: 2024:0539-1 Important: libssh Command Injection Risk

suse
Calendar Grey February 20, 2024
Dist Suse Esm H88
This software patch targets vital libssh concerns, improving platform safety in response to recent risks and weaknesses.
* bsc#1158095 * bsc#1168699 * bsc#1174713 * bsc#1189608 * bsc#1211188

Summary

## This update for libssh fixes the following issues: Update to version 0.9.8 (jsc#PED-7719): * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209) * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126) * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186) * Allow @ in usernames when parsing from URI composes Update to version 0.9.7 * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188) * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) * Fix several memory leaks in GSSAPI handling code Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)

References

* bsc#1158095

* bsc#1168699

* bsc#1174713

* bsc#1189608

* bsc#1211188

* bsc#1211190

* bsc#1218126

* bsc#1218186

* bsc#1218209

* jsc#PED-7719

Cross-

* CVE-2019-14889

* CVE-2020-16135

* CVE-2020-1730

* CVE-2021-3634

* CVE-2023-1667

* CVE-2023-2283

* CVE-2023-48795

* CVE-2023-6004

* CVE-2023-6918

CVSS scores:

* CVE-2019-14889 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

* CVE-2019-14889 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

* CVE-2019-14889 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

* CVE-2020-16135 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2020-16135 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2024:0539-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.