[ubuntu-hardened] LibSSH2 vulns
Brian Morton
rokclimb15 at gmail.com
Tue Feb 14 03:44:06 UTC 2017
Hi security team,
In reference to https://wiki.ubuntu.com/MeetingLogs/Security/20161212 I am
working on libssh2 packaging for
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0739.html
and http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0787.html
LibSSH2 is clearly affected by CVE-2016-0787, which should be a trivial fix.
However, after a careful review of the code, I believe the package is NOT
affected by CVE-2016-0739. That appears to only affect libssh. Can anyone
confirm/deny? I think the CVE notice for 2016-0739 should be updated to
only reflect libssh. The issues are so similar that they're effectively the
same in terms of the internal lib functions involved, but I want to make
sure the correct CVE references each package based on the issue description.
Once this is confirmed I'll package a fix for 2016-0787 by itself.
Thanks,
Brian