Debian Bug report logs -
#780249
libssh4: CVE-2015-1782: Using SSH_MSG_KEXINIT data unbounded
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 11 Mar 2015 07:51:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions libssh4/1.4.2-1, libssh4/1.2.6-1
Fixed in versions libssh4/1.4.3-4.1, libssh4/1.2.6-1+deb6u1, libssh4/1.4.2-1.1+deb7u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://trac.libssh4.org/ticket/294
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mikhail Gusarov <dottedmag@debian.org>:
Bug#780249; Package src:libssh4.
(Wed, 11 Mar 2015 07:51:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mikhail Gusarov <dottedmag@debian.org>.
(Wed, 11 Mar 2015 07:51:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libssh4
Version: 1.4.2-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for libssh4.
CVE-2015-1782[0]:
Using SSH_MSG_KEXINIT data unbounded
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1782
[1] http://www.libssh4.org/adv_20150311.html
Please adjust the affected versions in the BTS as needed.
Note, packages for wheezy-security are already built and prepared to
be released.
Regards,
Salvatore
Marked as fixed in versions libssh4/1.4.2-1.1+deb7u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 11 Mar 2015 11:03:15 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Mikhail Gusarov <dottedmag@debian.org>:
Bug#780249; Package src:libssh4.
(Wed, 11 Mar 2015 11:33:13 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mikhail Gusarov <dottedmag@debian.org>.
(Wed, 11 Mar 2015 11:33:13 GMT) (full text, mbox, link).
Message #14 received at 780249@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 780249 + pending
Hi Mikhail,
I've prepared an NMU for libssh4 (versioned as 1.4.3-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
It is the part to solve #780249/CVE-2015-1782 for sid and jessie.
Regards,
Salvatore
[libssh4-1.4.3-4.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 780249-submit@bugs.debian.org.
(Wed, 11 Mar 2015 11:33:13 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Fri, 13 Mar 2015 11:51:15 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 13 Mar 2015 11:51:15 GMT) (full text, mbox, link).
Message #21 received at 780249-close@bugs.debian.org (full text, mbox, reply):
Source: libssh4
Source-Version: 1.4.3-4.1
We believe that the bug you reported is fixed in the latest version of
libssh4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 780249@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libssh4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 11 Mar 2015 12:08:30 +0100
Source: libssh4
Binary: libssh4-1 libssh4-1-dev libssh4-1-dbg
Architecture: source amd64
Version: 1.4.3-4.1
Distribution: unstable
Urgency: high
Maintainer: Mikhail Gusarov <dottedmag@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libssh4-1 - SSH2 client-side library
libssh4-1-dbg - SSH2 client-side library (debug package)
libssh4-1-dev - SSH2 client-side library (development headers)
Closes: 780249
Changes:
libssh4 (1.4.3-4.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 0003-CVE-2015-1782.patch.
CVE-2015-1782: Using SSH_MSG_KEXINIT data unbounded. (Closes: #780249)
Checksums-Sha1:
cb3db521bd8b39ead29662eb31c0728f696df69d 1854 libssh4_1.4.3-4.1.dsc
9bc1aab69dd8db3e7c62d1262e467fe22bcfc8e5 7884 libssh4_1.4.3-4.1.debian.tar.xz
Checksums-Sha256:
841dff8b0ab68f839136959d573fb56842f7266b48392acaf20456ff689c729b 1854 libssh4_1.4.3-4.1.dsc
27b7e51ae13210787435ca94328f20b4e39a94fcfbc618a595d01f5bc3587311 7884 libssh4_1.4.3-4.1.debian.tar.xz
Files:
4c8755992d0fec1f9b320574ffc501e0 1854 libs optional libssh4_1.4.3-4.1.dsc
93df88fa42b6a13a3860ba451b799195 7884 libs optional libssh4_1.4.3-4.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVACRUAAoJEAVMuPMTQ89EyBoP/jlxK3omvhZUFXSlmCGpKKsn
/F3SI5h9yCXj+2+X5yYZzyrAV0uR9JYJCJojnG2fva0otD7NnoadoEF2jP7+O4ma
xaPniUb9HLWz1c5sfys2KaV0hBIob5oPsk0ExPcpHJy9kGRmZBVgR8GH9E2mcENC
CF37pds6PjecchW0IJWZnwVlyRqvjLGdmMatwA7/HaIMmZrZtTZWYUmKi36gmg1Q
QX/e2bj9wHN1zs8/pf42r+hsMdBWZQzKvJMHFZ7+oy5NLSGkz85TA8mXdwlcWEdr
x5p2qgaKrxakAWZvqgvG01ZGMXzapKwPhbTkMjlU8c5palTk6t/F6kPa3DXJPDzc
0m6qtQXSxveAATlNLZKrMpvQku1JB4fXhUZ3FexT34w3+pXMECaAdbDx11Hhi+Pk
/9PyDcISTPGvlJ5Yt74upfjtdznJ0iz+xXoSUrIdonTmc/seRo9GWe98RWQViR9f
3ry4wzZuKHlpzh5XSb04ku8f8VgPjnf1bALbx99GVl2nHpADdAhw8CtpjUEAjn8x
VVfxAQcf8Zz/VqEr3KlS99LJdcu9RQ/NMP1LGwkxoWEJCzNm26/cpOuQf9HjEgqC
VRX+7if8Uko3PSGVRhUH13Nol2BxrRDYpU0vdj7EHA8Bc8jU4WB8zW2yyhYwTgQC
fx2WFbaCCsfDNTRZ//92
=NuT0
-----END PGP SIGNATURE-----
Marked as found in versions libssh4/1.2.6-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 18 Mar 2015 16:09:11 GMT) (full text, mbox, link).
Marked as fixed in versions libssh4/1.2.6-1+deb6u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 18 Mar 2015 16:09:12 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 May 2015 07:52:16 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:17:38 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon