Hi tor-relays,

This email is just to notify the list of a recent libssh vulnerability[1], and 
encourage any operators who may be running a vulnerable version of libssh to 
update.

It appears this only impacts libssh in server mode:

“This is an important security and maintenance release in order to address 
CVE-2018-10933. libssh versions 0.6 and above have an authentication bypass 
vulnerability in the server code. By presenting the server an 
SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST 
message which the server would expect to initiate authentication the attacker 
could successfully authenticate without any credentials.

The bug was discovered by Peter Winter-Smith of NCC Group.”

Thanks for being relay operators! 

[1]: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
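
The quoted advisory describes a server acting on a message type that only a client should ever receive. The following is an added example, not part of the original email and not libssh's own code: a role-aware incoming-message filter of the kind that prevents this class of bug. The `session` structure, the enums and both function names are hypothetical; the message numbers are those assigned in RFC 4252.

```c
#include <stdbool.h>
#include <stdint.h>

/* Message numbers from RFC 4252. */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52

/* Hypothetical types for this example; not libssh's own structures. */
enum role { ROLE_CLIENT, ROLE_SERVER };
enum auth_state { AUTH_NONE, AUTH_IN_PROGRESS, AUTH_DONE };

struct session {
    enum role role;
    enum auth_state auth;
};

/* Decide whether an incoming message type is acceptable for this role.
 * USERAUTH_SUCCESS/FAILURE only travel server -> client, so a server must
 * never act on one; USERAUTH_REQUEST only travels client -> server. */
bool incoming_allowed(const struct session *s, uint8_t type)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        return s->role == ROLE_SERVER && s->auth != AUTH_DONE;
    case SSH2_MSG_USERAUTH_SUCCESS:
    case SSH2_MSG_USERAUTH_FAILURE:
        return s->role == ROLE_CLIENT && s->auth == AUTH_IN_PROGRESS;
    default:
        return false; /* other message types are out of scope here */
    }
}

/* Shared dispatcher: state changes only after the filter has passed.
 * Returns true if the packet was processed, false if it was rejected. */
bool handle_packet(struct session *s, uint8_t type, bool credentials_ok)
{
    if (!incoming_allowed(s, type))
        return false;
    if (type == SSH2_MSG_USERAUTH_SUCCESS)
        s->auth = AUTH_DONE; /* client side: the server accepted us */
    else if (type == SSH2_MSG_USERAUTH_REQUEST)
        s->auth = credentials_ok ? AUTH_DONE : AUTH_IN_PROGRESS;
    return true;
}
```

With the filter in front of the dispatcher, a server session that receives `SSH2_MSG_USERAUTH_SUCCESS` stays unauthenticated regardless of which handlers the client and server code paths share.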
