Daily Archives: March 4, 2014

2 posts

libssh 0.6.3 (Security release)

This is an important SECURITY and maintenance release in order to address CVE-2014-0017 – PRNG state reuse on forking servers.
This bug happens when a SSH server forks on new connections. OpenSSL PRNG does not always detect the change of process (PID collision) and PRNG state may be shared between two successive children. However that bug is greatly mitigated by OpenSSL ECDSA signing code itself that reseeds the PRNG on every operation.
We advise that you upgrade or patch if you use libssh to build a forked SSH server.

This is the same as before, but we messed up with the repository. So the new tarball reflects the git changes.

If you are new to libssh read The Tutorial how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.3 here.

ChangeLog

  • CVE-2014-0017 – PRNG state reuse on forking servers
  • Fixed memory leak with ecdsa signatures.