Bugzilla – Bug 910790
VUL-0: CVE-2014-8132: libssh: Double free on dangling pointers in initial key exchange packet.
Last modified: 2015-01-16 09:45:40 UTC
via Andreas Schneider on IRC.
http://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/
http://www.libssh.org/security/advisories/CVE-2014-8132.txt

libssh 0.6.4 (Security and bugfix release)
19/12/14 - 11:38am

This is an important SECURITY and maintenance release in order to address CVE-2014-8132 – Double free on dangling pointers in initial key exchange packet.

libssh versions 0.5.1 and above could leave dangling pointers in the session crypto structures. It is possible to send a malicious kexinit package to eventually cause a server to do a double-free before this fix. This could be used for a Denial of Service attack. As this was found by a libssh developer there are no currently known exploits for this problem (as of December 19th 2014).
(libssh and not libssh2_org)
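As an added illustration of the bug class the advisory describes (a hypothetical C model written for this page, not libssh's code; the struct and function names are assumptions): a handler for a malformed KEXINIT frees the method lists held in the session's crypto structure but returns with the pointers still set, so session teardown frees them a second time. The fixed shape clears each pointer as it is freed, and a small tracking free() counts the double free instead of corrupting the heap.

```c
#define _POSIX_C_SOURCE 200809L /* strdup */
#include <stdlib.h>
#include <string.h>
/* Tracking free(): counts a second release of the same pointer instead of
 * corrupting the heap (a tiny stand-in for a memory sanitizer). */
#define MAX_TRACK 16
static void *freed[MAX_TRACK];
static int nfreed, double_frees;
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }
    if (nfreed < MAX_TRACK) freed[nfreed++] = p;
    free(p);
}
/* Hypothetical stand-in for the session's next_crypto structure. */
struct crypto { char *kex_methods; char *cipher_methods; };
struct session { struct crypto *next_crypto; };
/* Vulnerable shape: a malformed KEXINIT frees the old method lists but
 * returns early with both pointers still set (dangling). */
int kexinit_vulnerable(struct session *s, const char *kex, const char *cipher) {
    struct crypto *c = s->next_crypto;
    tracked_free(c->kex_methods);
    tracked_free(c->cipher_methods);
    if (kex == NULL || cipher == NULL) return -1;
    c->kex_methods = strdup(kex);
    c->cipher_methods = strdup(cipher);
    return 0;
}
/* Fixed shape: clear each pointer right after freeing it, before any return. */
int kexinit_fixed(struct session *s, const char *kex, const char *cipher) {
    struct crypto *c = s->next_crypto;
    tracked_free(c->kex_methods);    c->kex_methods = NULL;
    tracked_free(c->cipher_methods); c->cipher_methods = NULL;
    if (kex == NULL || cipher == NULL) return -1;
    c->kex_methods = strdup(kex);
    c->cipher_methods = strdup(cipher);
    return 0;
}
/* Valid KEXINIT, then a constructed malformed one, then session teardown,
 * which frees whatever the structure still points to; returns the number
 * of double frees the tracker observed. */
int simulate(int (*handler)(struct session *, const char *, const char *)) {
    nfreed = 0; double_frees = 0;
    struct session s = { calloc(1, sizeof(struct crypto)) };
    handler(&s, "curve25519-sha256", "aes256-ctr"); /* constructed sample lists */
    handler(&s, NULL, NULL);                        /* malformed packet */
    tracked_free(s.next_crypto->kex_methods);
    tracked_free(s.next_crypto->cipher_methods);
    free(s.next_crypto);
    return double_frees;
}
```

Under a real build, the same two runs under AddressSanitizer show the vulnerable handler as a double-free report and the fixed one as clean.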
Maintenance request 47717 submitted for SLE12
Nothing required for SLE11
This is an autogenerated message for OBS integration: This bug (910790) was mentioned in https://build.opensuse.org/request/show/265950 13.2+13.1+12.3 / libssh
Whoops, didn't commit before submitting, new SLE12 request is 47723
This is an autogenerated message for OBS integration: This bug (910790) was mentioned in https://build.opensuse.org/request/show/266147 13.2+13.1+12.3 / libssh
SUSE-SU-2014:1731-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910790
CVE References: CVE-2014-8132
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): libssh-0.6.3-4.1
SUSE Linux Enterprise Software Development Kit 12 (src): libssh-0.6.3-4.1
SUSE Linux Enterprise Desktop 12 (src): libssh-0.6.3-4.1
openSUSE-SU-2015:0017-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910790
CVE References: CVE-2014-8132
Sources used:
openSUSE 13.2 (src): libssh-0.6.3-2.4.1
openSUSE 13.1 (src): libssh-0.5.5-2.12.1
openSUSE 12.3 (src): libssh-0.5.3-2.12.1
update released