| View previous topic :: View next topic |
| Author |
Message |
angryMethane
n00b
Joined: 07 Oct 2018
Posts: 8
|
 Posted: Wed Oct 17, 2018 2:02 am Post subject: libssh 0.8.4 and 0.7.6 security and bugfix release |
 |
|
| Code: |
libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authentciate
without any credentials.
|
Read more at: https://www.libssh.org/security/advisories/CVE-2018-10933.txt
When Gentoo upgrade libssh?  |
|
| Back to top |
|
 |
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Wed Oct 17, 2018 2:33 am Post subject: |
|
|
| Are you using an in-tree package that uses the server parts of libssh? Which one? |
|
| Back to top |
|
|
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA
|
| Posted: Wed Oct 17, 2018 2:35 am Post subject: |
|
|
Ouch.
So what apps use libssh for server?
Ffmpeg if you have USE=ssh will use libssh, but I'm not sure if it uses server mode...
Luckily I don't have libssh installed on outward facing servers... I think...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Wed Oct 17, 2018 2:57 am Post subject: |
|
|
| eccerr0r wrote: | Ouch.
So what apps use libssh for server? |
That's my point; nothing does.
Taking the results of eix -c --depend 'libssh\b', I see:
- libvirt, kodi, ffmpeg: these provide server functions but completely unrelated to ssh
- A bunch of network security scanning tools
- Client software, mostly multimedia things, which use it to access files like a network share
Overlays are mostly the same story. In summary: this is needless hysteria. |
|
| Back to top |
|
|
angryMethane
n00b
Joined: 07 Oct 2018
Posts: 8
|
| Posted: Wed Oct 17, 2018 4:58 am Post subject: |
|
|
| Ant P. wrote: | | Are you using an in-tree package that uses the server parts of libssh? Which one? |
libvirt and qemu. |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Wed Oct 17, 2018 6:41 am Post subject: |
|
|
| What port are you running their SSH servers on? Can't be 22, because openssh is already using that. |
|
| Back to top |
|
|
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA
|
| Posted: Wed Oct 17, 2018 3:12 pm Post subject: |
|
|
Yeah I think the hype is overblown, though it is a security hole nonetheless.
I was worried about two major ssh servers that actually run as root:
- OpenSSH, but this is standalone and does not use libssh
- Dropbear, and once again it has its own ssh implementation.
All other applications may use libssh but for client side connectivity and thus do not have root access. The reason why it still may be a problem is if these applications implement an internal server, which seems kind of pointless.
So, while it is a bug, this is not as big a story as it seems, at least for Gentoo. Can't say the same for other OS.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
angryMethane
n00b
Joined: 07 Oct 2018
Posts: 8
|
| Posted: Thu Oct 18, 2018 2:01 pm Post subject: |
|
|
| eccerr0r wrote: | Yeah I think the hype is overblown, though it is a security hole nonetheless.
I was worried about two major ssh servers that actually run as root:
- OpenSSH, but this is standalone and does not use libssh
- Dropbear, and once again it has its own ssh implementation.
All other applications may use libssh but for client side connectivity and thus do not have root access. The reason why it still may be a problem is if these applications implement an internal server, which seems kind of pointless.
So, while it is a bug, this is not as big a story as it seems, at least for Gentoo. Can't say the same for other OS. |
In my opinion, the right attitude towards vulnerable softwares is to patch them as soon as possible no matter what damage it would cause. |
|
| Back to top |
|
|
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA
|
| Posted: Thu Oct 18, 2018 2:18 pm Post subject: |
|
|
| angryMethane wrote: | | In my opinion, the right attitude towards vulnerable softwares is to patch them as soon as possible no matter what damage it would cause. |
It's a good attitude if you don't understand the bug, but it's also worth to step back and do an actual assessment of the issue at hand, and not make hasty moves that may cause unneeded panic.
Before I forget, thank you for posting about the bug, I had not seen it until you wrote about it. I really appreciate it.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
asturm
Developer
Joined: 05 Apr 2007
Posts: 8936
|
| Posted: Sat Oct 20, 2018 12:07 pm Post subject: Re: libssh 0.8.4 and 0.7.6 security and bugfix release |
|
|
^ Posted: Wed Oct 17, 2018
| Code: | commit b9446a58ef8701d59c8d267bfcd156a68de3f39b
Date: Tue Oct 16 17:46:52 2018 +0200
net-libs/libssh: 0.8.4 version bump for CVE-2018-10933
commit f683743f3d5db4b12427583d9a4d215cd502885f
Date: Wed Oct 17 13:59:01 2018 +0200
net-libs/libssh: x86 stable (bug #668788)
commit b26ddba94beb0c70f08ade881b97be08cb7bd468
Date: Wed Oct 17 18:09:17 2018 +0200
net-libs/libssh: amd64 stable wrt bug #668788 |
|
|
| Back to top |
|
|
|
Networking & Security
