FEDORA-2016-215a2219b1 created by pghmcfc 4 years ago for Fedora 23
stable

During the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffle Hellman negotiation, it would pass in number of bytes to a function that expected number of bits. This would result in the library generating numbers using only an 8th the number of random bits than what were intended: 128 or 256 bits instead of 1023 or 2047

Using such drastically reduced amount of random bits for Diffie Hellman weakened the handshake security significantly.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-0787 to this issue.

How to install

sudo dnf upgrade --advisory=FEDORA-2016-215a2219b1

This update has been submitted for testing by pghmcfc.

4 years ago

This update has been pushed to testing.

4 years ago
User Icon cserpentis commented & provided feedback 4 years ago
karma

works for me

pghmcfc edited this update.

4 years ago
User Icon besser82 commented & provided feedback 4 years ago
karma

Works great! LGTM =)

This update has been submitted for stable by bodhi.

4 years ago
User Icon fszymanski commented & provided feedback 4 years ago
karma

Works for me.

This update has been pushed to stable.

4 years ago

Please login to add feedback.

Metadata
Type
security
Severity
medium
Karma
3
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-1
Stable by Karma
3
Stable by Time
disabled
Dates
submitted
4 years ago
in testing
4 years ago
in stable
4 years ago
modified
4 years ago
BZ#1306021 CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
0
0
BZ#1311214 CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length [fedora-all]
0
0

Automated Test Results