libssh 0.5.4 (SECURITY RELEASE)

This is an important SECURITY and maintenance release in order to address CVE-2013-0176 – NULL dereference leads to denial of service.

The crash could kill an SSH server using libssh. How bad the situation is depends on the server's process model. If you use a forked model to implement your server, the user will only kill their own connection.
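The process-model point above, as an added illustration (this is not libssh code and does not reproduce the actual bug): a hypothetical server that forks one child per connection. The child's handler dereferences a NULL pointer, standing in for the CVE-2013-0176 crash; the parent observes the child's termination status and keeps serving. Names such as serve_connection_forked and the handlers are made up for the example.

```c
/* Added example: why a fork-per-connection server survives a NULL
 * dereference in one connection's handler. Not part of libssh. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*conn_handler_t)(void);

enum conn_result {
    CONN_OK = 0,        /* handler returned 0 */
    CONN_FAILED = 1,    /* handler returned non-zero */
    CONN_CRASHED = 2,   /* child terminated by a signal (SIGSEGV, etc.) */
    CONN_FORK_ERROR = 3 /* fork() or waitpid() failed */
};

/* A well-behaved connection handler (constructed). */
int healthy_handler(void) {
    return 0;
}

/* A handler that dereferences NULL, standing in for the kind of
 * crash the release fixes (constructed, not the real code path). */
int null_deref_handler(void) {
    volatile int *p = NULL; /* volatile: keep the read from being folded away */
    return *p;
}

/* Handle one connection in a forked child and report what happened.
 * A crash in the child only ends that child; the parent continues. */
enum conn_result serve_connection_forked(conn_handler_t handler) {
    pid_t pid = fork();
    if (pid < 0)
        return CONN_FORK_ERROR;

    if (pid == 0) {
        /* child: serve exactly one connection, then exit */
        _exit(handler() == 0 ? 0 : 1);
    }

    /* parent: wait for the child and classify its termination */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return CONN_FORK_ERROR;
    if (WIFSIGNALED(status))
        return CONN_CRASHED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return CONN_OK;
    return CONN_FAILED;
}

int main(void) {
    /* Three "connections": good, crashing, good. The parent survives
     * the middle one and still serves the last one. */
    printf("connection 1: %d\n", serve_connection_forked(healthy_handler));
    printf("connection 2: %d\n", serve_connection_forked(null_deref_handler));
    printf("connection 3: %d\n", serve_connection_forked(healthy_handler));
    return 0;
}
```

In a single-process or threaded server the same NULL dereference terminates the whole process, and every other client loses its session; that is the difference the paragraph above is pointing at, and it is also why the parent should log CONN_CRASHED results rather than silently moving on.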

Thanks to Yong Chuan Koh, X-Force Research for the report.

If you are new to libssh, read the tutorial to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.5.4 here. For Windows binaries we suggest using the MSVC and MinGW binaries from the KDE Windows project here. Packages for Fedora and for openSUSE are available here.

ChangeLog

  • CVE-2013-0176 – NULL dereference leads to denial of service
  • Fixed several NULL pointer dereferences in SSHv1.
  • Fixed a free crash bug in options parsing.

The Buzz {2 trackbacks/pingbacks}

  1. Pingback: LinuxLife Blog » Security: Denial of Service in libssh (Mandriva) on February 10, 2013
  2. Pingback: DoS flaw in libssh | Web Security Watch on February 28, 2013

The Conversation {2 comments}

  1. noud {Friday February 1, 2013 @ 1:56 am}

    NetBSD refuses to update to this version.
    http://mail-index.netbsd.org/tech-pkg/2013/01/31/msg010721.html

  2. ptr {Tuesday February 12, 2013 @ 2:21 pm}

    version returned is still 0.5.2

    libssh.h

    /* libssh version */
    #define LIBSSH_VERSION_MAJOR 0
    #define LIBSSH_VERSION_MINOR 5
    #define LIBSSH_VERSION_MICRO 2
