On Thu, Apr 30, 2015 at 11:35 AM, Michael DePaulo <mikedep...@gmail.com> wrote: > Sent from my Android Smartphone > > ---------- Forwarded message ---------- > From: "Andreas Schneider" <a...@cryptomilk.org> > Date: Apr 30, 2015 10:33 AM > Subject: libssh 0.6.5 has been released to address CVE-2015-3146 > To: <lib...@libssh.org> > Cc: > > ibssh versions 0.5.1 and above have a logical error in the handling of a > SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not > set > the session into the error state correctly and further processed the packet > which leads to a null pointer dereference. This is the packet after the > initial key exchange and doesn’t require authentication. > > This could be used for a Denial of Service (DoS) attack. > > The bug was found and reported by Mariusz Ziulek from the Open Web > Application > Security Project (OWASP). > > https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/ > > -- > Andreas Schneider GPG-ID: CC014E3D > www.cryptomilk.org a...@cryptomilk.org > >
I asked on IRC (#libssh on FreeNode) if it affects the ssh client functionality. They said it affects both server and client. I find a DoS attack on a client to be a bit odd, but I will update libssh anyway for X2Go Client for Windows 4.0.3.2-YYYYMMDD anyway. _______________________________________________ x2go-dev mailing list x2go-dev@lists.x2go.org http://lists.x2go.org/listinfo/x2go-dev