
Debian Bug report logs - #956308
libssh: CVE-2020-1730: Client/server denial of service when handling AES-CTR ciphers


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 9 Apr 2020 15:30:02 UTC

Severity: important

Tags: security, upstream

Found in versions libssh/0.9.3-2, libssh/0.8.7-1

Fixed in version libssh/0.9.4-1

Done: Laurent Bigonville <bigon@debian.org>

Forwarded to https://bugs.libssh.org/T213



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laurent Bigonville <bigon@debian.org>:
Bug#956308; Package src:libssh. (Thu, 09 Apr 2020 15:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laurent Bigonville <bigon@debian.org>. (Thu, 09 Apr 2020 15:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssh: CVE-2020-1730: Client/server denial of service when handling AES-CTR ciphers
Date: Thu, 09 Apr 2020 17:27:09 +0200
Source: libssh
Version: 0.9.3-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.libssh.org/T213
Control: found -1 0.8.7-1

Hi,

The following vulnerability was published for libssh.

CVE-2020-1730[0]:
| Client/server denial of service when handling AES-CTR ciphers

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-1730
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1730
[1] https://bugs.libssh.org/T213
[2] https://www.libssh.org/security/advisories/CVE-2020-1730.txt

Regards,
Salvatore



Marked as found in versions libssh/0.8.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 09 Apr 2020 15:30:04 GMT)


Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Thu, 09 Apr 2020 21:09:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 09 Apr 2020 21:09:12 GMT)


Message #12 received at 956308-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 956308-close@bugs.debian.org
Subject: Bug#956308: fixed in libssh 0.9.4-1
Date: Thu, 09 Apr 2020 21:08:10 +0000
Source: libssh
Source-Version: 0.9.4-1
Done: Laurent Bigonville <bigon@debian.org>

We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 956308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated libssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Apr 2020 22:27:02 +0200
Source: libssh
Architecture: source
Version: 0.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Laurent Bigonville <bigon@debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Closes: 933015 956308
Changes:
 libssh (0.9.4-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix possible DoS in client and server when handling AES-CTR keys with
       OpenSSL (Closes: #956308 CVE-2020-1730)
   * debian/control: Bump Standards-Version to 4.5.0 (no further changes)
   * Add default debian/salsa-ci.yml file
   * d/p/1004-hurd-ftbfs.patch: Fix FTBFS on hurd-i386 (Closes: #933015)
   * d/p/1005-reproducible-doc.patch: Make the documentation reproducible
Checksums-Sha1:
 b1556c9a7e6ce039c9b7bc8d23a40e02d7b6ecac 2356 libssh_0.9.4-1.dsc
 93289b77379263328c843fa85ba5ed4b274b689f 500776 libssh_0.9.4.orig.tar.xz
 33fd0d1e61e5cf10b0838a8aeffc6a939a023d2d 833 libssh_0.9.4.orig.tar.xz.asc
 83a21a84658da7cf265d728ed6433c326ee97126 27472 libssh_0.9.4-1.debian.tar.xz
 a27a4aaee2be0c86ee6154bb06549847ace62471 6669 libssh_0.9.4-1_source.buildinfo
Checksums-Sha256:
 2419999b1f297479d77c6f35da2611e0212fa5fa23cbe3c6517b52cb27e1a959 2356 libssh_0.9.4-1.dsc
 150897a569852ac05aac831dc417a7ba8e610c86ca2e0154a99c6ade2486226b 500776 libssh_0.9.4.orig.tar.xz
 b637b8e4dae3109ae0b10ddfb35f9d5ce01049409c0b3572ee81292be30bccae 833 libssh_0.9.4.orig.tar.xz.asc
 7b960ee6f953a0ce15406ea2f959c047fe62dd0ef1839ff7f85e193d2c914c97 27472 libssh_0.9.4-1.debian.tar.xz
 654b93873a38fbe801570135b1e152c80f79c686b622ef4fb323553511012ff7 6669 libssh_0.9.4-1_source.buildinfo
Files:
 b20d9b050304fe514aa7996b0d730c91 2356 libs optional libssh_0.9.4-1.dsc
 3fca6ef7485c170b3aecaef9a1efe8e6 500776 libs optional libssh_0.9.4.orig.tar.xz
 49de6701ff4803b7dc28e6482b1a19f4 833 libs optional libssh_0.9.4.orig.tar.xz.asc
 73e987fc5ff826149abae89adeeeb6c0 27472 libs optional libssh_0.9.4-1.debian.tar.xz
 8cebedddda529f0c1cc5e1f9f446a71d 6669 libs optional libssh_0.9.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFFBAEBCAAvFiEEmRrdqQAhuF2x31DwH8WJHrqwQ9UFAl6PhTARHGJpZ29uQGRl
Ymlhbi5vcmcACgkQH8WJHrqwQ9Vxvwf/cenyWIh7lRw9K0XmOeR2KRP5xRsMHx60
bSpcUSMd48M5DLKZUopmeUoHwCYtbA7fjRiDIxLj5oE7tCnNHqZ+Qm8vBRXri3hJ
KOh9nTZ4l8z+lV1l0lbZoVOgxnaYsLWVlfkuQnem8wIoTe2WTBBLWuwkTl+wbOvv
B/nKRulIruBa1KHxThl1lpeYI+1gFsdqZAFmlFvH94CoWyKN9fm0MlcxiVqtdwqV
YWdJ9De4oyqagkr4yz8wKpyR0M7VJ0aNGfTAMsTypYsh6+dyKHGqZhZksyB7KPB3
SYb8qVTWeuYMTIO7I1AfH/wnKjluDtiO1tNvGWaf9Y4HejbEond9Sg==
=kU3y
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 10 08:35:49 2020; Machine Name: beach
