This is an important SECURITY and maintenance release in order to address CVE-2015-3146 – Possible double free on a dangling pointer with crafted kexinit packet.
libssh versions 0.5.1 and above have a logical error in the handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set the session into the error state correctly and further processed the packet which leads to a null pointer dereference. This is the packet after the initial key exchange and doesn’t require authentication.
This could be used for a Denial of Service (DoS) attack.
The bug was found and reported by Mariusz Ziulek from the Open Web Application Security Project (OWASP).
Advisories and patches for older versions can be found here.
You can download libssh 0.6.5 here.
- Fixed CVE-2015-3146
- Fixed port handling in config file
- Fixed the build with libgcrypt
- Fixed SFTP endian issues (rlo #179)
- Fixed uninitilized sig variable (rlo #167)
- Fixed polling issues which could result in a hang
- Fixed handling of EINTR in ssh_poll() (rlo #186)
- Fixed C99 issues with __func__
- Fixed some memory leaks
- Improved macro detection on Windows