[ubuntu-hardened] LibSSH2 vulns
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Feb 14 12:31:48 UTC 2017
Hi,
On 2017-02-14 02:23 AM, Seth Arnold wrote:
> On Mon, Feb 13, 2017 at 10:44:06PM -0500, Brian Morton wrote:
>> LibSSH2 is clearly affected by CVE-2016-0787 which should be a trivial fix.
>> However after a careful review of the code, I believe the package is NOT
>> affected by CVE-2016-0739. That appears to only affect libssh. Can anyone
>> confirm/deny? I think the CVE notice for 2016-0739 should be updated to
>
> Hi Brian, thanks for working on this. I couldn't find any code in libssh2
> that looked remotely like the patch we used for CVE-2016-0739 in libssh.
> Have those algorithms been removed entirely in libssh2?
>
>> Once this is confirmed I'll package a fix for 2016-0787 by itself.
>
> Excellent!
>
Despite their similar names, libssh and libssh2 are two completely different
libraries.
I've removed libssh2 from CVE-2016-0739.
Thanks,
Marc.