
Security vulnerabilities in the libssh2 software library

openSUSE Security Update: Security update for libssh2_org
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1075-1
Rating: moderate
References: #1091236 #1128471 #1128472 #1128474 #1128476
#1128480 #1128481 #1128490 #1128492 #1128493

Cross-References: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857
CVE-2019-3858 CVE-2019-3859 CVE-2019-3860
CVE-2019-3861 CVE-2019-3862 CVE-2019-3863

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves 9 vulnerabilities and has one errata
is now available.

Description:

This update for libssh2_org fixes the following issues:

Security issues fixed:

– CVE-2019-3861: Fixed out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
– CVE-2019-3862: Fixed an out-of-bounds memory comparison with a specially crafted message channel request packet (bsc#1128492).
– CVE-2019-3860: Fixed out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
– CVE-2019-3863: Fixed an integer overflow in userauth keyboard-interactive handling which could allow out-of-bounds writes with specially crafted keyboard responses (bsc#1128493).
– CVE-2019-3856: Fixed a potential integer overflow in keyboard-interactive handling which could allow an out-of-bounds write with a specially crafted payload (bsc#1128472).
– CVE-2019-3859: Fixed out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (bsc#1128480).
– CVE-2019-3855: Fixed a potential integer overflow in transport read which could allow an out-of-bounds write with a specially crafted payload (bsc#1128471).
– CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted SFTP packet (bsc#1128476).
– CVE-2019-3857: Fixed a potential integer overflow which could lead to a zero-byte allocation and an out-of-bounds read with a specially crafted message channel request SSH packet (bsc#1128474).
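Most of the issues above share one root cause: a 32-bit length field supplied by the peer is used for arithmetic or allocation before it has been compared with the bytes that actually arrived, so a large value wraps around and a zero value produces a zero-byte allocation. The following is an added illustration of that bug class written for this page; it is not libssh2 code, and the function and packet names are hypothetical. Only the SSH wire format it parses (a big-endian uint32 length followed by that many bytes) is real. It shows the weak check beside a hardened parser and runs both over constructed sample packets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed illustration of the advisory's bug class (unchecked
 * length -> integer wrap / zero-byte allocation -> out-of-bounds access).
 * NOT libssh2 code: names and packets here are hypothetical.
 */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* claimed length exceeds the bytes available */
    PARSE_EMPTY,       /* zero-length string: no allocation performed */
    PARSE_NOMEM
};

struct ssh_string {
    unsigned char *data;
    size_t len;
};

/* Read a big-endian uint32 length field as the SSH wire format defines it. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * The weak pattern: add the 4-byte header to the claimed length in uint32
 * arithmetic and compare the sum with what is available. A claimed length
 * of 0xFFFFFFFF wraps to 3, which passes the check, so a caller would go on
 * to read or allocate far beyond the buffer. Returns 1 when this broken
 * check would accept the packet.
 */
static int unchecked_length_accepted(uint32_t claimed_len, uint32_t available)
{
    uint32_t total = claimed_len + 4;   /* may wrap around */
    return total <= available;
}

/*
 * Hardened parse: never add to the peer-controlled number. Subtract what has
 * already been consumed from what is really held and compare against that,
 * which cannot wrap. A zero-length string is reported as PARSE_EMPTY and
 * never reaches malloc(0).
 */
static enum parse_status parse_ssh_string(const unsigned char *buf, size_t buf_len,
                                          size_t offset, struct ssh_string *out)
{
    out->data = NULL;
    out->len = 0;

    if (offset > buf_len || buf_len - offset < 4)
        return PARSE_TRUNCATED;

    uint32_t claimed = read_be32(buf + offset);
    size_t remaining = buf_len - offset - 4;   /* bytes after the length field */

    if ((size_t)claimed > remaining)           /* comparison only, no addition */
        return PARSE_TRUNCATED;
    if (claimed == 0)
        return PARSE_EMPTY;

    out->data = malloc(claimed);
    if (out->data == NULL)
        return PARSE_NOMEM;
    memcpy(out->data, buf + offset + 4, claimed);
    out->len = claimed;
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char PKT_GOOD[]  = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char PKT_SHORT[] = {0x00, 0x00, 0x00, 0x0a, 'a', 'b'}; /* claims 10, carries 2 */
static const unsigned char PKT_WRAP[]  = {0xff, 0xff, 0xff, 0xff};           /* length that wraps */
static const unsigned char PKT_ZERO[]  = {0x00, 0x00, 0x00, 0x00};           /* zero-byte string */

/* Parse one packet with the hardened parser, release the result, report the status. */
static int classify(const unsigned char *pkt, size_t pkt_len)
{
    struct ssh_string s;
    enum parse_status st = parse_ssh_string(pkt, pkt_len, 0, &s);
    free(s.data);                               /* free(NULL) is a no-op */
    return (int)st;
}

/* Payload length the hardened parser yields for a packet (0 unless PARSE_OK). */
static size_t payload_len(const unsigned char *pkt, size_t pkt_len)
{
    struct ssh_string s;
    size_t n = 0;
    if (parse_ssh_string(pkt, pkt_len, 0, &s) == PARSE_OK)
        n = s.len;
    free(s.data);
    return n;
}

int main(void)
{
    printf("good : status %d, payload %zu bytes\n",
           classify(PKT_GOOD, sizeof PKT_GOOD), payload_len(PKT_GOOD, sizeof PKT_GOOD));
    printf("short: status %d\n", classify(PKT_SHORT, sizeof PKT_SHORT));
    printf("wrap : weak check accepts=%d, hardened status %d\n",
           unchecked_length_accepted(0xffffffffu, (uint32_t)sizeof PKT_WRAP),
           classify(PKT_WRAP, sizeof PKT_WRAP));
    printf("zero : status %d\n", classify(PKT_ZERO, sizeof PKT_ZERO));
    return 0;
}
```

The weak check accepts the wrapping packet while the hardened parser rejects it; the difference is only that the hardened version compares the claimed length against the remaining bytes instead of adding a header size to a peer-supplied value.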

Other issue addressed:

– libssh2 will stop using keys of unsupported types found in the known_hosts file (bsc#1091236).

This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1075=1

Package List:

– openSUSE Leap 42.3 (i586 x86_64):

libssh2-1-1.4.3-19.3.1
libssh2-1-debuginfo-1.4.3-19.3.1
libssh2-devel-1.4.3-19.3.1
libssh2_org-debugsource-1.4.3-19.3.1

– openSUSE Leap 42.3 (x86_64):

libssh2-1-32bit-1.4.3-19.3.1
libssh2-1-debuginfo-32bit-1.4.3-19.3.1

References:

https://www.suse.com/security/cve/CVE-2019-3855.html
https://www.suse.com/security/cve/CVE-2019-3856.html
https://www.suse.com/security/cve/CVE-2019-3857.html
https://www.suse.com/security/cve/CVE-2019-3858.html
https://www.suse.com/security/cve/CVE-2019-3859.html
https://www.suse.com/security/cve/CVE-2019-3860.html
https://www.suse.com/security/cve/CVE-2019-3861.html
https://www.suse.com/security/cve/CVE-2019-3862.html
https://www.suse.com/security/cve/CVE-2019-3863.html
https://bugzilla.suse.com/1091236
https://bugzilla.suse.com/1128471
https://bugzilla.suse.com/1128472
https://bugzilla.suse.com/1128474
https://bugzilla.suse.com/1128476
https://bugzilla.suse.com/1128480
https://bugzilla.suse.com/1128481
https://bugzilla.suse.com/1128490
https://bugzilla.suse.com/1128492
https://bugzilla.suse.com/1128493


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
