Re: [SECURITY] [DSA 3487-1] libssh2 security update
On Tue, Feb 23, 2016 at 04:03:31PM +0000,
Salvatore Bonaccorso <carnil@debian.org> wrote
a message of 50 lines which said:
> Package : libssh2
> CVE ID : CVE-2016-0787
...
> Andreas Schneider reported that libssh2, a SSH2 client-side library,
> passes the number of bytes to a function that expects number of bits
> during the SSHv2 handshake when libssh2 is to get a suitable value for
> 'group order' in the Diffie-Hellman negotiation. This weakens
> significantly the handshake security, potentially allowing an
> eavesdropper with enough resources to decrypt or intercept SSH sessions.
The text in
<https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/>
says it is CVE-2016-0739?
Reply to: