Summary: | <net-libs/libssh-0.6.4: Double free on dangling pointers in initial key exchange packet (CVE-2014-8132) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | netmon |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/ | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 533424 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2014-12-23 08:17:56 UTC
CVE-2014-8132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8132): Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet. I guess I'm waiting for KDE people to give an OK. (In reply to Jeroen Roovers from comment #2) > I guess I'm waiting for KDE people to give an OK. Arches please stabilize =net-libs/libssh-0.6.4. amd64 stable x86 stable ppc stable ppc64 stable. Maintainer(s), please cleanup. Security, please vote. Thanks all. Cleanuo done by Jeroen. Removing kde herd from cc here as it is nothing to do for us anymore. + + 18 Feb 2015; Jeroen Roovers <jer@gentoo.org> -libssh-0.6.3.ebuild, + -libssh-0.6.3-r1.ebuild: + Old. + Maintainer(s), Thank you for cleanup! Security Please Vote. First Vote: Yes YES too, request filed. This issue was resolved and addressed in GLSA 201606-12 at https://security.gentoo.org/glsa/201606-12 by GLSA coordinator Aaron Bauman (b-man). |