[X2Go-Dev] Fwd: libssh 0.6.5 has been released to address CVE-2015-3146

Michael DePaulo mikedep333 at gmail.com
Thu Apr 30 17:35:56 CEST 2015


Sent from my Android Smartphone
---------- Forwarded message ----------
From: "Andreas Schneider" <asn at cryptomilk.org>
Date: Apr 30, 2015 10:33 AM
Subject: libssh 0.6.5 has been released to address CVE-2015-3146
To: <libssh at libssh.org>
Cc:

libssh versions 0.5.1 and above have a logical error in the handling of a
SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set
the session into the error state correctly and further processed the packet
which leads to a null pointer dereference. This is the packet after the
initial key exchange and doesn’t require authentication.

This could be used for a Denial of Service (DoS) attack.

The bug was found and reported by Mariusz Ziulek from the Open Web Application
Security Project (OWASP).

https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

--
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                asn at cryptomilk.org
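
The bug class the advisory describes (an error is detected, but the session is not moved to the error state and the packet is processed anyway) can be modelled in a few lines of C. This is an added example, not libssh code and not part of the original message; every type, state and function name in it is hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model; names are hypothetical, not libssh's. */
enum state { ST_KEX_PENDING, ST_NEWKEYS_SENT, ST_AUTHENTICATING, ST_ERROR };

struct crypto  { int keys_ready; };
struct session { enum state st; struct crypto *next_crypto; };

/* Flawed shape: the unexpected state is noticed, but the session is not
 * put into the error state and processing continues into the dereference.
 * Shown for comparison only; main() does not call it. */
int on_newkeys_flawed(struct session *s) {
    if (s->st != ST_NEWKEYS_SENT)
        fprintf(stderr, "unexpected NEWKEYS\n"); /* detected, not enforced */
    s->next_crypto->keys_ready = 1;  /* NULL in this model if no kex ran */
    s->st = ST_AUTHENTICATING;
    return 0;
}

/* Hardened shape: fail closed, record the error state, stop processing. */
int on_newkeys_checked(struct session *s) {
    if (s->st != ST_NEWKEYS_SENT || s->next_crypto == NULL) {
        s->st = ST_ERROR;            /* later packets are rejected too */
        return -1;
    }
    s->next_crypto->keys_ready = 1;
    s->st = ST_AUTHENTICATING;
    return 0;
}

int main(void) {
    struct session early = { ST_KEX_PENDING, NULL }; /* message out of order */
    struct crypto c = { 0 };
    struct session ok = { ST_NEWKEYS_SENT, &c };     /* message in order */
    int r_early = on_newkeys_checked(&early);
    int r_ok = on_newkeys_checked(&ok);
    printf("out-of-order: %d, in-order: %d\n", r_early, r_ok);
    return 0;
}
```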