===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3171
                           libssh security update
                              18 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libssh
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10933

Reference:         ESB-2018.3135

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4322

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4322-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 17, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libssh
CVE ID         : CVE-2018-10933
Debian Bug     : 911149

Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH
library, contains an authentication bypass vulnerability in the server
code. An attacker can take advantage of this flaw to successfully
authenticate without any credentials by presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
initiate authentication.

For the stable distribution (stretch), this problem has been fixed in
version 0.7.3-2+deb9u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
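
The flaw described in the Debian advisory above, as a simplified model added to this page (it is not libssh's code and not the Debian patch): a server-side handler that honours SSH2_MSG_USERAUTH_SUCCESS received from the peer, next to a handler that filters incoming messages by role. The message numbers are those assigned in RFC 4250; the struct, its fields and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* SSH authentication message numbers (RFC 4250). */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52

/* Hypothetical, simplified session state; not libssh's structures. */
struct session {
    bool is_server;      /* true when this end is the SSH server */
    bool authenticated;  /* set once authentication has completed */
};

/* Model of the flaw: a SUCCESS message received from the peer completes
 * authentication regardless of which role this end is playing. */
static bool handle_flawed(struct session *s, int msg, bool creds_ok)
{
    if (msg == SSH2_MSG_USERAUTH_SUCCESS ||
        (msg == SSH2_MSG_USERAUTH_REQUEST && creds_ok))
        s->authenticated = true;
    return s->authenticated;
}

/* Hardened model: filter incoming messages by role before acting on them. */
static bool handle_hardened(struct session *s, int msg, bool creds_ok)
{
    if (s->is_server) {
        /* Only a server sends SUCCESS or FAILURE, so a server that
         * receives one rejects it and leaves its state unchanged. */
        if (msg == SSH2_MSG_USERAUTH_SUCCESS || msg == SSH2_MSG_USERAUTH_FAILURE)
            return s->authenticated;
        if (msg == SSH2_MSG_USERAUTH_REQUEST && creds_ok)
            s->authenticated = true;
    } else if (msg == SSH2_MSG_USERAUTH_SUCCESS) {
        s->authenticated = true;  /* client role: the server accepted us */
    }
    return s->authenticated;
}

int main(void)
{
    struct session a = { .is_server = true }, b = { .is_server = true };
    printf("flawed server:   %d\n", handle_flawed(&a, SSH2_MSG_USERAUTH_SUCCESS, false));
    printf("hardened server: %d\n", handle_hardened(&b, SSH2_MSG_USERAUTH_SUCCESS, false));
    return 0;
}
```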