
Re: [SECURITY] [DSA 3487-1] libssh2 security update



On Tue, Feb 23, 2016 at 04:03:31PM +0000,
 Salvatore Bonaccorso <carnil@debian.org> wrote 
 a message of 50 lines which said:

> Package        : libssh2
> CVE ID         : CVE-2016-0787
...
> Andreas Schneider reported that libssh2, a SSH2 client-side library,
> passes the number of bytes to a function that expects number of bits
> during the SSHv2 handshake when libssh2 is to get a suitable value for
> 'group order' in the Diffie-Hellman negotiation. This weakens
> significantly the handshake security, potentially allowing an
> eavesdropper with enough resources to decrypt or intercept SSH sessions.

The text in
<https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/>
says it is CVE-2016-0739?

