From URL: == Versions: >= 0.8.0 == == Summary: A malicious client or server could crash == the counterpart implemented with libssh == AES-CTR ciphers are used and don't get == fully initialized. It will crash when it == tries to cleanup the AES-CTR ciphers when == closing the connection. ========== Workaround ========== Disable AES-CTR ciphers. If you implement a server using libssh we advise to use a prefork model so each session runs in an own process. If you have implemented your server this way this is not really an issue. The client will kill its own connection. ---- https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
@maintainer(s), please create an appropriate ebuild for 0.9.4.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55ae3aadc8805c151eca047c662e0b56828299c4 commit 55ae3aadc8805c151eca047c662e0b56828299c4 Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2020-04-09 11:22:06 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2020-04-09 11:22:23 +0000 net-libs/libssh: Security bump to version 0.9.4 Bug: https://bugs.gentoo.org/716788 Package-Manager: Portage-2.3.97, Repoman-2.3.22 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> net-libs/libssh/Manifest | 1 + net-libs/libssh/libssh-0.9.4.ebuild | 119 ++++++++++++++++++++++++++++++++++++ 2 files changed, 120 insertions(+)
@maintainer(s), this is a relatively minor release with some other correctness fixes in there. Please advise if ready for stabilisation or call yourself. Thanks for quick bump!
I guess it is fine. Arches please stabilise.
arm64 stable
hppa/sparc stable
GLSA Vote: Yes New GLSA request filed.
This issue was resolved and addressed in GLSA 202004-08 at https://security.gentoo.org/glsa/202004-08 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
amd64 stable
arm stable
ppc stable
ppc64 stable
x86 stable. Maintainer(s), please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c02c48f3a322d3f3da001b0eccbd11d5cde95d7b commit c02c48f3a322d3f3da001b0eccbd11d5cde95d7b Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-04-11 16:16:02 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-04-11 16:16:14 +0000 net-libs/libssh: Drop 0.9.3 Bug: https://bugs.gentoo.org/716788 Package-Manager: Portage-2.3.98, Repoman-2.3.22 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> net-libs/libssh/Manifest | 1 - net-libs/libssh/libssh-0.9.3.ebuild | 119 ------------------------------------ 2 files changed, 120 deletions(-)
Cleanup done.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
kde proj is done here, anyway.
