{"schema_version":"1.7.2","id":"OESA-2023-1291","modified":"2023-05-26T11:05:17Z","published":"2023-05-26T11:05:17Z","upstream":["CVE-2023-1667","CVE-2023-2283"],"summary":"libssh security update","details":"The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.(CVE-2023-1667)\r\n\r\nA vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.(CVE-2023-2283)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS","name":"libssh","purl":"pkg:rpm/openEuler/libssh\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.6-7.oe2203"}]}],"ecosystem_specific":{"aarch64":["libssh-0.9.6-7.oe2203.aarch64.rpm","libssh-debugsource-0.9.6-7.oe2203.aarch64.rpm","libssh-debuginfo-0.9.6-7.oe2203.aarch64.rpm","libssh-devel-0.9.6-7.oe2203.aarch64.rpm"],"noarch":["libssh-help-0.9.6-7.oe2203.noarch.rpm"],"src":["libssh-0.9.6-7.oe2203.src.rpm"],"x86_64":["libssh-devel-0.9.6-7.oe2203.x86_64.rpm","libssh-debugsource-0.9.6-7.oe2203.x86_64.rpm","libssh-debuginfo-0.9.6-7.oe2203.x86_64.rpm","libssh-0.9.6-7.oe2203.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1291"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1667"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2283"}],"database_specific":{"severity":"Medium"}}