FEDORA-2016-7942ee2cc5 — security update for libssh2

libssh2-1.5.0-2.fc22

FEDORA-2016-7942ee2cc5 created by pghmcfc 6 years ago for Fedora 22

stable

During the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffle Hellman negotiation, it would pass in number of bytes to a function that expected number of bits. This would result in the library generating numbers using only an 8th the number of random bits than what were intended: 128 or 256 bits instead of 1023 or 2047

Using such drastically reduced amount of random bits for Diffie Hellman weakened the handshake security significantly.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-0787 to this issue.

How to install

sudo dnf upgrade --advisory=FEDORA-2016-7942ee2cc5

This update has been submitted for testing by pghmcfc.

6 years ago

This update has been pushed to testing.

6 years ago

pghmcfc edited this update.

6 years ago

norenh commented & provided feedback 6 years ago

karma

No regressions detected

kakoskin commented & provided feedback 6 years ago

karma

No regressions noted.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

6 years ago

This update has been submitted for stable by pghmcfc.

6 years ago

This update has been pushed to stable.

6 years ago

Please login to add feedback.

Metadata

Type

security

Severity

medium

Karma

Signed

Content Type

RPM

Test Gating

Builds

libssh2-1.5.0-2.fc22

Settings

Unstable by Karma

-1

Stable by Karma

Stable by Time

disabled

Dates

submitted

6 years ago

in testing

6 years ago

in stable

6 years ago

modified

6 years ago

BZ#1306021 CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length

BZ#1311214 CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length [fedora-all]

libssh2-1.5.0-2.fc22

How to install

Automated Test Results