Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2015:086 | First vendor Publication | 2015-03-28 |
Vendor | Mandriva | Last vendor Modification | 2015-03-28 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Updated libssh packages fix security vulnerabilities: When using libssh before 0.6.3, a libssh-based server, when accepting a new connection, forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but simply adds the current process id (getpid) to the PRNG state, which is not guaranteed to be unique. The most important consequence is that servers using EC (ECDSA) or DSA certificates may under certain conditions leak their private key (CVE-2014-0017). Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet (CVE-2014-8132). |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:086 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:23904 | |||
Oval ID: | oval:org.mitre.oval:def:23904 | ||
Title: | USN-2145-1 -- libssh vulnerability | ||
Description: | A security issue was fixed in libssh. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2145-1 CVE-2014-0017 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | libssh |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24236 | |||
Oval ID: | oval:org.mitre.oval:def:24236 | ||
Title: | DSA-2879-1 libssh - security update | ||
Description: | It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly the recovery of the private key. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2879-1 CVE-2014-0017 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | libssh |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25490 | |||
Oval ID: | oval:org.mitre.oval:def:25490 | ||
Title: | SUSE-SU-2014:0413-1 -- Security update for libssh2 | ||
Description: | This update of libssh fixes the following security issue: * When libssh operates in server mode, the randomness pool was not switched on fork, so two pools could operate on the same randomness and could generate the same keys. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0413-1 CVE-2014-0017 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Desktop 11 | Product(s): | libssh2 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-06-27 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201606-12.nasl - Type : ACT_GATHER_INFO |
2016-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3488.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1731-1.nasl - Type : ACT_GATHER_INFO |
2015-04-22 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2015-111-04.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-086.nasl - Type : ACT_GATHER_INFO |
2015-01-20 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2478-1.nasl - Type : ACT_GATHER_INFO |
2015-01-16 | Name : The remote SSH service is affected by a remote denial of service vulnerability. File : libssh_cve-2014-8132.nasl - Type : ACT_GATHER_INFO |
2015-01-13 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-020.nasl - Type : ACT_GATHER_INFO |
2015-01-09 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-7.nasl - Type : ACT_GATHER_INFO |
2015-01-05 | Name : The remote Fedora host is missing a security update. File : fedora_2014-17324.nasl - Type : ACT_GATHER_INFO |
2015-01-05 | Name : The remote Fedora host is missing a security update. File : fedora_2014-17354.nasl - Type : ACT_GATHER_INFO |
2015-01-05 | Name : The remote Fedora host is missing a security update. File : fedora_2014-17303.nasl - Type : ACT_GATHER_INFO |
2014-10-30 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f8c88d505fb311e481bd5453ed2e2b49.nasl - Type : ACT_GATHER_INFO |
2014-08-11 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-03.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-208.nasl - Type : ACT_GATHER_INFO |
2014-03-21 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_libssh2-140307.nasl - Type : ACT_GATHER_INFO |
2014-03-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3485.nasl - Type : ACT_GATHER_INFO |
2014-03-14 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-053.nasl - Type : ACT_GATHER_INFO |
2014-03-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2879.nasl - Type : ACT_GATHER_INFO |
2014-03-13 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2145-1.nasl - Type : ACT_GATHER_INFO |
2014-03-07 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3473.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-03-31 13:29:30 |
|
2015-03-28 13:25:04 |
|