libssh2: 2016-0787: Weak Diffie-Hellman secret generation

Related Vulnerabilities: CVE-2016-0787  

Debian Bug report logs - #815662
libssh4: 2016-0787: Weak Diffie-Hellman secret generation


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 23 Feb 2016 13:27:15 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libssh4/1.2.6-1

Fixed in versions libssh4/1.4.2-1.1+deb7u2, libssh4/1.2.6-1+deb6u2, libssh4/1.4.3-4.1+deb8u1, libssh4/1.5.0-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mikhail Gusarov <dottedmag@debian.org>:
Bug#815662; Package src:libssh4. (Tue, 23 Feb 2016 13:27:19 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mikhail Gusarov <dottedmag@debian.org>. (Tue, 23 Feb 2016 13:27:19 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssh4: 2016-0787: Weak Diffie-Hellman secret generation
Date: Tue, 23 Feb 2016 14:22:00 +0100
Source: libssh4
Version: 1.2.6-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libssh4.

CVE-2016-0787[0]:
Weak Diffie-Hellman secret generation in libssh4 before 1.7.0

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-0787
[1] https://www.libssh4.org/changes.html

Regards,
Salvatore



Marked as fixed in versions libssh4/1.2.6-1+deb6u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Feb 2016 13:39:11 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Feb 2016 13:39:15 GMT)


Marked as fixed in versions libssh4/1.4.2-1.1+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Feb 2016 15:48:05 GMT)


Marked as fixed in versions libssh4/1.4.3-4.1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Feb 2016 15:48:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mikhail Gusarov <dottedmag@debian.org>:
Bug#815662; Package src:libssh4. (Tue, 23 Feb 2016 19:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mikhail Gusarov <dottedmag@debian.org>. (Tue, 23 Feb 2016 19:36:03 GMT)


Message #18 received at 815662@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 815662@bugs.debian.org
Subject: libssh4: diff for NMU version 1.5.0-2.1
Date: Tue, 23 Feb 2016 20:33:43 +0100
Hi Mikhail,

I've prepared an NMU for libssh4 (versioned as 1.5.0-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libssh4-1.5.0-2.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 28 Feb 2016 23:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Feb 2016 23:39:05 GMT)


Message #23 received at 815662-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 815662-close@bugs.debian.org
Subject: Bug#815662: fixed in libssh4 1.5.0-2.1
Date: Sun, 28 Feb 2016 23:36:12 +0000
Source: libssh4
Source-Version: 1.5.0-2.1

We believe that the bug you reported is fixed in the latest version of
libssh4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815662@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libssh4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 23 Feb 2016 20:22:46 +0100
Source: libssh4
Binary: libssh4-1 libssh4-1-dev libssh4-1-dbg
Architecture: source
Version: 1.5.0-2.1
Distribution: unstable
Urgency: medium
Maintainer: Mikhail Gusarov <dottedmag@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 815662
Description: 
 libssh4-1  - SSH2 client-side library
 libssh4-1-dbg - SSH2 client-side library (debug package)
 libssh4-1-dev - SSH2 client-side library (development headers)
Changes:
 libssh4 (1.5.0-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-0787: bits/bytes confusion resulting in truncated
     Diffie-Hellman secret length (Closes: #815662)

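The changelog entry above describes the bug class only in one line: a Diffie-Hellman group size measured in bytes was handed to a random-number routine that expects a size in bits, so the private exponent came out eight times shorter than intended. The following added illustration (constructed here, not libssh4's or Debian's code) shows the buggy and corrected call side by side and a check that flags a truncated exponent; the helper names, the 128-byte group size and the "one bit of headroom" choice in the fixed path are assumptions for the demonstration.

```python
import secrets

# Constructed example of the bits/bytes confusion behind CVE-2016-0787.
# Group order for a 1024-bit MODP group, as a byte count (assumed value).
GROUP_ORDER_BYTES = 128


def random_secret(nbits: int) -> int:
    """Stand-in for a BN_rand-style helper: returns an integer of exactly
    nbits bits (top bit forced so bit_length() is deterministic)."""
    if nbits < 1:
        raise ValueError("need at least one bit")
    return secrets.randbits(nbits) | (1 << (nbits - 1))


def dh_private_exponent_buggy(group_order_bytes: int) -> int:
    # Bug: the byte count is passed straight through as a bit count,
    # so a 1024-bit group yields only a 128-bit private exponent x.
    return random_secret(group_order_bytes)


def dh_private_exponent_fixed(group_order_bytes: int) -> int:
    # Fix: convert the byte count to bits before asking for randomness,
    # keeping one bit of headroom so x stays below the group modulus.
    return random_secret(group_order_bytes * 8 - 1)


def exponent_bits(x: int) -> int:
    """Effective size of a generated private exponent, in bits."""
    return x.bit_length()


def is_truncated(x: int, group_order_bytes: int) -> bool:
    """Defender-side sanity check: an exponent far shorter than the group
    size (here: under half of it) is the symptom of this bug."""
    return x.bit_length() < (group_order_bytes * 8) // 2


if __name__ == "__main__":
    weak = dh_private_exponent_buggy(GROUP_ORDER_BYTES)
    good = dh_private_exponent_fixed(GROUP_ORDER_BYTES)
    print("buggy exponent bits:", exponent_bits(weak), "truncated:", is_truncated(weak, GROUP_ORDER_BYTES))
    print("fixed exponent bits:", exponent_bits(good), "truncated:", is_truncated(good, GROUP_ORDER_BYTES))
```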




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Apr 2016 07:36:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:56:12 2019; Machine Name: beach
