libssh: CVE-2018-10933: authentication bypass in server code

Related Vulnerabilities: CVE-2018-10933  

Debian Bug report logs - #911149

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 16 Oct 2018 13:09:01 UTC

Severity: grave

Tags: security, upstream

Found in versions libssh/0.6.3-4+deb8u2, libssh/0.7.3-2, libssh/0.7.3-1

Fixed in versions libssh/0.8.4-1, libssh/0.7.3-2+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laurent Bigonville <bigon@debian.org>:
Bug#911149; Package src:libssh. (Tue, 16 Oct 2018 13:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laurent Bigonville <bigon@debian.org>. (Tue, 16 Oct 2018 13:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssh: CVE-2018-10933: authentication bypass in server code
Date: Tue, 16 Oct 2018 15:04:45 +0200
Source: libssh
Version: 0.7.3-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for libssh.

CVE-2018-10933[0]:
authentication bypass in server code

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10933
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10933
[1] https://www.openwall.com/lists/oss-security/2018/10/16/1

Regards,
Salvatore



Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Tue, 16 Oct 2018 15:24:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 16 Oct 2018 15:24:06 GMT)


Message #10 received at 911149-close@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 911149-close@bugs.debian.org
Subject: Bug#911149: fixed in libssh 0.8.4-1
Date: Tue, 16 Oct 2018 15:21:30 +0000
Source: libssh
Source-Version: 0.8.4-1

We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated libssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 16 Oct 2018 16:44:55 +0200
Source: libssh
Binary: libssh-4 libssh-gcrypt-4 libssh-dev libssh-gcrypt-dev libssh-doc
Architecture: source amd64 all
Version: 0.8.4-1
Distribution: unstable
Urgency: medium
Maintainer: Laurent Bigonville <bigon@debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description:
 libssh-4   - tiny C SSH library (OpenSSL flavor)
 libssh-dev - tiny C SSH library. Development files (OpenSSL flavor)
 libssh-doc - tiny C SSH library. Documentation files
 libssh-gcrypt-4 - tiny C SSH library (gcrypt flavor)
 libssh-gcrypt-dev - tiny C SSH library. Development files (gcrypt flavor)
Closes: 911149
Changes:
 libssh (0.8.4-1) unstable; urgency=medium
 .
   * New upstream version 0.8.4
     - Fix authentication bypass in server code (CVE-2018-10933 Closes: #911149)
   * debian/control: Bump Standards-Version to 4.2.1 (no further changes)
   * Fix documentation generation
   * debian/*.symbols: Add newly exported symbols
   * debian/libssh-gcrypt-4.lintian-overrides: Update lintian-overrides file
   * debian/rules: Re-enable unit testing, they were disabled by mistake since
     0.8.0

Marked as found in versions libssh/0.6.3-4+deb8u2. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 17 Oct 2018 02:27:03 GMT)


Marked as found in versions libssh/0.7.3-2. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 17 Oct 2018 02:27:06 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 20 Oct 2018 09:48:52 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Oct 2018 09:48:52 GMT)


Message #19 received at 911149-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 911149-close@bugs.debian.org
Subject: Bug#911149: fixed in libssh 0.7.3-2+deb9u1
Date: Sat, 20 Oct 2018 09:48:13 +0000
Source: libssh
Source-Version: 0.7.3-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 16 Oct 2018 21:18:05 +0200
Source: libssh
Binary: libssh-4 libssh-gcrypt-4 libssh-dev libssh-gcrypt-dev libssh-doc
Architecture: source
Version: 0.7.3-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Laurent Bigonville <bigon@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 911149
Description: 
 libssh-4   - tiny C SSH library (OpenSSL flavor)
 libssh-dev - tiny C SSH library. Development files (OpenSSL flavor)
 libssh-doc - tiny C SSH library. Documentation files
 libssh-gcrypt-4 - tiny C SSH library (gcrypt flavor)
 libssh-gcrypt-dev - tiny C SSH library. Development files (gcrypt flavor)
Changes:
 libssh (0.7.3-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Authentication bypass vulnerability (CVE-2018-10933) (Closes: #911149)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Nov 2018 07:27:25 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:18:57 2019; Machine Name: buxtehude