Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2795.2 [SECURITY] [DLA 1730-3] libssh2 regression update 31 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libssh2 Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Access Privileged Data -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-13115 CVE-2019-3859 Reference: ESB-2019.1447 ESB-2019.1301 ESB-2019.1274 ESB-2019.1110 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html Comment: This bulletin contains two (2) Debian security advisories. Revision History: July 31 2019: Regression fix added July 26 2019: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Package : libssh2 Version : 1.4.3-4.1+deb8u4 CVE ID : CVE-2019-3859 CVE-2019-13115 Various security problems have been additionally fixed in libssh2, an SSH client implementation written in C++. CVE-2019-3859 While investigating the impact of CVE-2019-13115 in Debian jessie's version of libssh2, it was discovered that issues around CVE-2019-3859 had not been fully resolved in Debian jessie's version of libssh2. A thorough manual (read, analyze, and copy code changes if needed) comparison of upstream code and code in Debian jessie's version of libssh2 was done and various more boundary checks and integer overflow protections got added to the package. CVE-2019-13115 Kevin Backhouse from semmle.com discovered that initial fixes for the CVE series CVE-2019-3855 - 2019-3863 introduced several regressions about signedness of length return values into the upstream code. While working on the CVE-2019-3859 update mentioned above, it was paid attention to not introduce these upstream regression registered as CVE-2019-13115. For Debian 8 "Jessie", these problems have been fixed in version 1.4.3-4.1+deb8u4. We recommend that you upgrade your libssh2 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net - ------------------------------------------------------------------------------- Package : libssh2 Version : 1.4.3-4.1+deb8u5 CVE ID : CVE-2019-3860 Several more boundary checks have been backported to libssh2's src/sftp.c. Furthermore, all boundary checks in src/sftp.c now result in an LIBSSH2_ERROR_BUFFER_TOO_SMALL error code, rather than a LIBSSH2_ERROR_ OUT_OF_BOUNDARY error code. As a side note, it was discovered that libssh2's SFTP implementation from Debian jessie only works well against OpenSSH SFTP servers from Debian wheezy, tests against newer OpenSSH versions (such as available in Debian jessie and beyond) interim-fail with SFTP protocol error "Error opening remote file". Operation might continue after this error, this depends on application implementations. For Debian 8 "Jessie", this problem has been fixed in version 1.4.3-4.1+deb8u5. We recommend that you upgrade your libssh2 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXUE+l2aOgq3Tt24GAQgiBxAAv36GqSoPy/nuncxMV66844e1vCETbPY4 UqV5mAwuzgz1lAtkXL1+qw63q/qNDNFmnIzKwqmzeYCYrLRp7r8zhY83jZojtrx3 CqywKStcjgyRQrmBfV+i3/GM/XRGbiZyylpsZJoIPjYLF+TjBNQQjMqUrUGjJRJH q2dUKCI2wE/6Q/qrZyXQPxwQ8F4rT/UWNjEmvawnKtDdqb0h6mHd2zKR1zbU5QKB jDGeJmWeZYypOnSDPoquJOZndeRIPWwTnQl8UTAJGzMB8weyqf7R0R18Mcv8/vq9 vG1N4TfD5t3ElakKnu7NYzJNc56L0wYIIwCbC/IXbJ2EBwPfacHSEgwXwp8iANis E2nx6Hwe0ANCGFVc7O911k9v7xwsqbDEnCk0m0UM/wFFynv2qqlnqOtcv5DuwSS3 FmXxioNeb0cyAlWymBugcJxzLW12nLiPKzpJWVB28iefI6Up58QFku8HOMIIKumb LTsyOuxfo7fvAWOTarjILjDVTTLSK9YaYNiWIjn7by1ymai6/Y3lf+LfewQv6SnH uehtEYA7veytA9j9I93iDKw0lE2J292NRD57QgPZVCaOBuRYiumeNTec6dJaY7Xv dcF2fTxYCMUQ4YdGJgoLeTnP+HfkmecYHx+IfuHm4XOu3tR4z0De+dGsXqIlzmEU RrbNQWDCuXo= =F6jK -----END PGP SIGNATURE-----