Sent from my Android Smartphone ---------- Forwarded message ---------- From: "Andreas Schneider" <[email protected]> Date: Apr 30, 2015 10:33 AM Subject: libssh 0.6.5 has been released to address CVE-2015-3146 To: <[email protected]> Cc:
ibssh versions 0.5.1 and above have a logical error in the handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set the session into the error state correctly and further processed the packet which leads to a null pointer dereference. This is the packet after the initial key exchange and doesn’t require authentication. This could be used for a Denial of Service (DoS) attack. The bug was found and reported by Mariusz Ziulek from the Open Web Application Security Project (OWASP). https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/ -- Andreas Schneider GPG-ID: CC014E3D www.cryptomilk.org [email protected]
_______________________________________________ x2go-dev mailing list [email protected] http://lists.x2go.org/listinfo/x2go-dev
