Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.1125
libssh security update
3 December 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libssh
Publisher: Debian
Operating System: Debian GNU/Linux 6
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2012-4562 CVE-2012-4561 CVE-2012-4559
Reference: ESB-2012.1120
Original Bulletin:
http://www.debian.org/security/2012/dsa-2577
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2577-1 security@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
December 01, 2012 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : libssh
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4559 CVE-2012-4561 CVE-2012-4562
Debian Bug
Multiple vulnerabilities were discovered in libssh by Florian Weimer and Xi
Wang:
CVE-2012-4559: multiple double free() flaws
CVE-2012-4561: multiple invalid free() flaws
CVE-2012-4562: multiple improper overflow checks
Those could lead to a denial of service by making an ssh client linked to
libssh crash, and maybe even arbitrary code execution.
For the stable distribution (squeeze), these problems have been fixed in
version 0.4.5-3+squeeze1.
For the testing distribution (wheezy), these problems have been fixed in
version 0.5.3-1.
For the unstable distribution (sid), these problems have been fixed in
version 0.5.3-1.
We recommend that you upgrade your libssh packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAEBCgAGBQJQuhCHAAoJEG3bU/KmdcClhN8H/2WeI/NZK6IvKI3JKRniLQxn
Z4RnjjW1au4yZ4b32+qVpLYQ0m8v5kuT5jR2geN95ZXCqk4iY4Jzg38iC1b2CPT5
8hs8y8uvzHwTgia/Rvi4fb9JnDun7bOn3ZInTGkSPpMx+bK38hRKLJ3BOzHsIfwD
WbLlm+Emhd+MJLj3GWoTudd/2wift1ATN7vQG+Dy+budAu9sVv2g3d3fvHGo9ggG
L6XCPRFzONwMgQT6jAwi2GcZYzJ8xK7KP4ELzjnf5yMKxuz2l026mhFK1JwErfWy
N/Rit3gcQ4hek+VSM9JCC5l9lzkvzE6Ldkc1CZu+kkU1Itt2Lez6zfwIJVdYRdc=
=pMqn
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBULv5Ee4yVqjM2NGpAQJ9Fw/9ENDiEQeDygFHZL4uIBHIlIbruNv1W8UB
YEWDwg6joIPIuYLJrIsg2Zp2kZZJJMGpN3N/cO7l+2Fg2GwywaaQ0oJQiPGGAFB7
zTsE4anfQPulOoBVF4notI/tPhEqbDG4Hg59Qq60bxLGYgqNXPi2BQqXnCy57BcB
EFozHEpyFc3N+N/WDnNHbLyqjIQqezVrRVKpIILVBlQzQv60wXLsj7xCwKu2W0vK
PzJBjeqmtlFEf8LDZkGfoMCCXvxwJuWDqbmuFEWUXkwxN4dykIJd1F2Osz5rdKNB
yOIzUlh+xanmWS9LTXxo9Yp7BdrL8ORxnPuV8BcbfwksodMImmyUqsby1x+wiSs2
f2QCSAP6RtqHChat2fWQ7/uzi4ftYPQCoCkmf6/QsjLA1+RT17wkbrjkkOhyd8FR
iwz+xpINLpK20SYlFICrJ1ViG+WN0Aq+s1Cav3fRLcyGEaf9IuOWZOG8L6u6qkNQ
BhfAsyqMpIFntz137juZiN8aXRkUHIzukyOazkXuJyYUtfnzzB+6uMcNUnEJ6GxJ
PM32fhk3wFoAnxiMPboFAaR52HMuuw3iX8ya5z/i91fHngMm/Z94Ci2ZF08Vum0C
mZGFCPNR5YAzeR6tEGBCMSIStjoMrAJnUOM+keOM59oArfxDF3CIvn9125EiwwjJ
kAqMzJPMf48=
=pIWd
-----END PGP SIGNATURE-----