-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3171
                          libssh security update
                              18 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libssh
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10933  

Reference:         ESB-2018.3135

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4322

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4322-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 17, 2018                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libssh
CVE ID         : CVE-2018-10933
Debian Bug     : 911149

Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH
library, contains an authentication bypass vulnerability in the server
code. An attacker can take advantage of this flaw to successfully
authenticate without any credentials by presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
initiate authentication.

For the stable distribution (stretch), this problem has been fixed in
version 0.7.3-2+deb9u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
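
Added example (not part of the Debian advisory, and not libssh's code or
the Debian patch): a minimal C model of the server-side invariant the
advisory describes, in which a packet type is dispatched only if it is
valid for the session's role and authentication state. The session
structure and function names are hypothetical; the message numbers are
those assigned in RFC 4252 and RFC 4254.

```c
#include <stdbool.h>
#include <stdint.h>

/* Message numbers as assigned in RFC 4252 (userauth) and RFC 4254 (channels). */
enum {
    SSH2_MSG_USERAUTH_REQUEST = 50,
    SSH2_MSG_USERAUTH_FAILURE = 51,
    SSH2_MSG_USERAUTH_SUCCESS = 52,
    SSH2_MSG_CHANNEL_OPEN     = 90
};

/* Hypothetical session model for illustration, not libssh's structures. */
enum role { ROLE_CLIENT, ROLE_SERVER };
enum auth_state { AUTH_NONE, AUTH_IN_PROGRESS, AUTH_DONE };
struct session { enum role role; enum auth_state auth; };

/* Decide whether an incoming packet type may be dispatched at all. */
bool packet_allowed(const struct session *s, uint8_t type)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        /* Only a server receives requests, and only before auth completes. */
        return s->role == ROLE_SERVER && s->auth != AUTH_DONE;
    case SSH2_MSG_USERAUTH_SUCCESS:
    case SSH2_MSG_USERAUTH_FAILURE:
        /* Server-to-client messages: a server must never accept them. */
        return s->role == ROLE_CLIENT && s->auth == AUTH_IN_PROGRESS;
    case SSH2_MSG_CHANNEL_OPEN:
        return s->auth == AUTH_DONE;
    default: return false; /* this model covers only the types above */
    }
}

/* Returns true if the packet was accepted; state changes only on valid input. */
bool handle_packet(struct session *s, uint8_t type)
{
    if (!packet_allowed(s, type))
        return false;               /* drop; a real server would disconnect */
    if (type == SSH2_MSG_USERAUTH_REQUEST)
        s->auth = AUTH_IN_PROGRESS; /* credentials still have to be verified */
    else if (type == SSH2_MSG_USERAUTH_SUCCESS)
        s->auth = AUTH_DONE;        /* client side: server confirmed auth */
    return true;
}

/* Server side: the only path to AUTH_DONE is a completed credential check. */
void server_auth_verified(struct session *s)
{
    if (s->role == ROLE_SERVER && s->auth == AUTH_IN_PROGRESS) s->auth = AUTH_DONE;
}
```

On the server side the authenticated state is reachable only through
server_auth_verified(), never through a message received from the peer.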

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----