Security update for libssh2_org
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2016:0723-1
Final
1
1
2016-03-11T10:18:54Z
current
2016-03-11T10:18:54Z
2016-03-11T10:18:54Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for libssh2_org
This update for libssh2_org fixes the following issues:
- Add SHA256 support for DH group exchange (fate#320343, bsc#961964)
- Fix CVE-2016-0787 (bsc#967026)
* A weakness in Diffie-Hellman secret key generation led to much shorter DH groups
than needed, which could be used to retrieve server keys.
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
sdksp4-libssh2_org-12445,sledsp4-libssh2_org-12445,slessp4-libssh2_org-12445
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2016/suse-su-20160723-1/
Link for SUSE-SU-2016:0723-1
https://lists.suse.com/pipermail/sle-security-updates/2016-March/001923.html
E-Mail link for SUSE-SU-2016:0723-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/961964
SUSE Bug 961964
https://bugzilla.suse.com/967026
SUSE Bug 967026
https://www.suse.com/security/cve/CVE-2016-0787/
SUSE CVE CVE-2016-0787 page
SUSE Linux Enterprise Desktop 11 SP4
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server for SAP Applications 11 SP4
SUSE Linux Enterprise Software Development Kit 11 SP4
libssh2-1-1.2.9-4.2.6.1
libssh2-1-32bit-1.2.9-4.2.6.1
libssh2-1-x86-1.2.9-4.2.6.1
libssh2-devel-1.2.9-4.2.6.1
libssh2-1-1.2.9-4.2.6.1 as a component of SUSE Linux Enterprise Desktop 11 SP4
libssh2-1-1.2.9-4.2.6.1 as a component of SUSE Linux Enterprise Server 11 SP4
libssh2-1-1.2.9-4.2.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
libssh2-1-1.2.9-4.2.6.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4
libssh2-1-32bit-1.2.9-4.2.6.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4
libssh2-1-x86-1.2.9-4.2.6.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4
libssh2-devel-1.2.9-4.2.6.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4
The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."
CVE-2016-0787
SUSE Linux Enterprise Desktop 11 SP4:libssh2-1-1.2.9-4.2.6.1
SUSE Linux Enterprise Server 11 SP4:libssh2-1-1.2.9-4.2.6.1
SUSE Linux Enterprise Server for SAP Applications 11 SP4:libssh2-1-1.2.9-4.2.6.1
SUSE Linux Enterprise Software Development Kit 11 SP4:libssh2-1-1.2.9-4.2.6.1
SUSE Linux Enterprise Software Development Kit 11 SP4:libssh2-1-32bit-1.2.9-4.2.6.1
SUSE Linux Enterprise Software Development Kit 11 SP4:libssh2-1-x86-1.2.9-4.2.6.1
SUSE Linux Enterprise Software Development Kit 11 SP4:libssh2-devel-1.2.9-4.2.6.1
moderate
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160723-1/
https://www.suse.com/security/cve/CVE-2016-0787.html
CVE-2016-0787
https://bugzilla.suse.com/1149968
SUSE Bug 1149968
https://bugzilla.suse.com/967026
SUSE Bug 967026
https://bugzilla.suse.com/968174
SUSE Bug 968174
https://bugzilla.suse.com/974691
SUSE Bug 974691