libssh: CVE-2016-0739: Weak Diffie-Hellman secret generation

Debian Bug report logs - #815663

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 23 Feb 2016 13:27:19 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libssh/0.4.5-3

Fixed in versions libssh/0.4.5-3+squeeze3, libssh/0.6.3-4+deb8u2, libssh/0.5.4-1+deb7u3, libssh/0.6.3-4.3

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurent Bigonville <bigon@debian.org>:
Bug#815663; Package src:libssh. (Tue, 23 Feb 2016 13:27:23 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurent Bigonville <bigon@debian.org>. (Tue, 23 Feb 2016 13:27:23 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssh: CVE-2016-0739: Weak Diffie-Hellman secret generation
Date: Tue, 23 Feb 2016 14:23:59 +0100
Source: libssh
Version: 0.4.5-3
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libssh.

CVE-2016-0739[0]:
Weak Diffie-Hellman secret generation in libssh

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-0739
[1] https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/

Regards,
Salvatore



Marked as fixed in versions libssh/0.4.5-3+squeeze3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Feb 2016 13:39:08 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Feb 2016 13:39:19 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Bigonville <bigon@debian.org>:
Bug#815663; Package src:libssh. (Tue, 23 Feb 2016 19:18:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Bigonville <bigon@debian.org>. (Tue, 23 Feb 2016 19:18:08 GMT)


Message #14 received at 815663@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 815663@bugs.debian.org
Subject: libssh: diff for NMU version 0.6.3-4.3
Date: Tue, 23 Feb 2016 20:16:11 +0100
Hi Laurent,

I've prepared an NMU for libssh (versioned as 0.6.3-4.3) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libssh-0.6.3-4.3-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 24 Feb 2016 23:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 24 Feb 2016 23:21:14 GMT)


Message #19 received at 815663-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 815663-close@bugs.debian.org
Subject: Bug#815663: fixed in libssh 0.6.3-4+deb8u2
Date: Wed, 24 Feb 2016 23:17:08 +0000
Source: libssh
Source-Version: 0.6.3-4+deb8u2

We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Feb 2016 16:00:29 +0100
Source: libssh
Binary: libssh-4 libssh-gcrypt-4 libssh-dev libssh-gcrypt-dev libssh-dbg libssh-doc
Architecture: all source
Version: 0.6.3-4+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Laurent Bigonville <bigon@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 815663
Description: 
 libssh-4   - tiny C SSH library (OpenSSL flavor)
 libssh-dbg - tiny C SSH library. Debug symbols
 libssh-dev - tiny C SSH library. Development files (OpenSSL flavor)
 libssh-doc - tiny C SSH library. Documentation files
 libssh-gcrypt-4 - tiny C SSH library (gcrypt flavor)
 libssh-gcrypt-dev - tiny C SSH library. Development files (gcrypt flavor)
Changes:
 libssh (0.6.3-4+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-0739: Truncated Diffie-Hellman secret length (Closes: #815663)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 24 Feb 2016 23:21:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 24 Feb 2016 23:21:21 GMT)


Message #24 received at 815663-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 815663-close@bugs.debian.org
Subject: Bug#815663: fixed in libssh 0.5.4-1+deb7u3
Date: Wed, 24 Feb 2016 23:18:25 +0000
Source: libssh
Source-Version: 0.5.4-1+deb7u3

We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Feb 2016 16:23:48 +0100
Source: libssh
Binary: libssh-4 libssh-dev libssh-dbg libssh-doc
Architecture: source all amd64
Version: 0.5.4-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Laurent Bigonville <bigon@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libssh-4   - tiny C SSH library
 libssh-dbg - tiny C SSH library. Debug symbols
 libssh-dev - tiny C SSH library. Development files
 libssh-doc - tiny C SSH library. Documentation files
Closes: 815663
Changes: 
 libssh (0.5.4-1+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-0739: Truncated Diffie-Hellman secret length (Closes: #815663)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 28 Feb 2016 19:51:22 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Feb 2016 19:51:22 GMT)


Message #29 received at 815663-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 815663-close@bugs.debian.org
Subject: Bug#815663: fixed in libssh 0.6.3-4.3
Date: Sun, 28 Feb 2016 19:49:21 +0000
Source: libssh
Source-Version: 0.6.3-4.3

We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Feb 2016 19:54:04 +0100
Source: libssh
Binary: libssh-4 libssh-gcrypt-4 libssh-dev libssh-gcrypt-dev libssh-dbg libssh-doc
Architecture: source
Version: 0.6.3-4.3
Distribution: unstable
Urgency: medium
Maintainer: Laurent Bigonville <bigon@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 815663
Description: 
 libssh-4   - tiny C SSH library (OpenSSL flavor)
 libssh-dbg - tiny C SSH library. Debug symbols
 libssh-dev - tiny C SSH library. Development files (OpenSSL flavor)
 libssh-doc - tiny C SSH library. Documentation files
 libssh-gcrypt-4 - tiny C SSH library (gcrypt flavor)
 libssh-gcrypt-dev - tiny C SSH library. Development files (gcrypt flavor)
Changes:
 libssh (0.6.3-4.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-0739: Truncated Diffie-Hellman secret length (Closes: #815663)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Apr 2016 07:36:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:45 2019; Machine Name: buxtehude