* LibSSH Flaw Allows Hackers to Take Over Servers Without Password

Post by phd21 » Wed Oct 17, 2018 1:03 pm

Hi Everyone that uses libssh,

FYI: This was announced today ...

LibSSH Flaw Allows Hackers to Take Over Servers Without Password
https://thehackernews.com/2018/10/libss ... brary.html
Highly recommended to install the updated versions of libssh as soon as possible.
libssh 0.8.4 and 0.7.6 security and bugfix release – libssh
https://www.libssh.org/2018/10/16/libss ... x-release/

phd21 wrote:It seems to me that this will be part of regular Ubuntu 18.04 Bionic (Linux Mint 19.x) updates today or tomorrow, not sure about previous versions.
- Linux Mint 19.x (Bionic) - Under "Builds" on the right click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.8.0~20170825.94fa1e38-1ubuntu0.1 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 1ubuntu0.1

- Linux Mint 18.x (Xenial) - Under "Builds" on the right click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.6.3-4.3ubuntu0.1 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 3ubuntu0.1

- Linux Mint 17.x (Trusty) - Under "Builds" on the right click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.6.1-0ubuntu3.4 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 0ubuntu3.4



Or, you can download libssh 0.8.4 or 0.7.6 source code here and try compiling it.
Index of /files
https://www.libssh.org/files/

Hope this helps ...
Last edited by xenopeek on Wed Oct 17, 2018 1:22 pm, edited 1 time in total.
Reason: clarified only is of interest to libssh users as other SSH implementations are unaffected; removed junk tags from links

Post by xenopeek » Wed Oct 17, 2018 1:29 pm

You're only affected if you have libssh-4 or libssh-gcrypt-4 package on your system and then only if you're running a publicly reachable SSH server on your system. The libssh-2 package is something else and not affected by CVE-2018-10933. Other SSH packages are also not affected. To the best of my knowledge libssh-gcrypt-4 comes installed on Linux Mint 19 and libssh-4 on LMDE 3, and for both a patch is already available.

The security notice for Linux Mint 19 (Ubuntu 18.04), 18.x (Ubuntu 16.04) and 17.x (Ubuntu 14.04):
https://usn.ubuntu.com/3795-1/

The security notice for LMDE 3 (Debian stretch / stable) and LMDE 2 (Debian jessie / old-stable):
https://security-tracker.debian.org/tra ... age/libssh

At the time of this writing only the libssh-4 package on LMDE 2 is not yet patched.

If you have libssh-4 on your system and have at some point in the past 4 years run a publicly reachable SSH server you might be in for a bit of a headache.
Last edited by xenopeek on Wed Oct 17, 2018 2:00 pm, edited 1 time in total.
Reason: updated with libssh-gcrypt-4 info
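
An added example, not part of any post in this thread: a Python check that applies the criterion above (libssh-4 or libssh-gcrypt-4 installed) to a package listing and compares each installed version with the Ubuntu builds linked in the first post, treated here as the fixed baseline (an assumption). The sample listing, the `triage` and `debcmp` names and the release keys are constructed for illustration, and the version comparison is a compact reimplementation of Debian's ordering rules, not dpkg itself.

```python
import re
AFFECTED = {"libssh-4", "libssh-gcrypt-4"}  # packages named in the thread
FIXED = {"bionic": "0.8.0~20170825.94fa1e38-1ubuntu0.1",  # assumed fixed builds,
         "xenial": "0.6.3-4.3ubuntu0.1",                   # taken from the links
         "trusty": "0.6.1-0ubuntu3.4"}                     # in the first post

def _order(c):
    # dpkg character order: '~' < end of string < letters < other symbols
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # alternate non-digit runs (by _order) and digit runs (as ints)
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x, y = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def debcmp(v1, v2):
    """Compare two Debian version strings; returns -1, 0 or 1."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        return (int(epoch), *(rest.rsplit("-", 1) if "-" in rest else (rest, "")))
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def triage(dpkg_output, release):
    """Return (package, version, status) for each affected libssh package."""
    found = []
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].split(":")[0] in AFFECTED:
            ok = debcmp(fields[1], FIXED[release]) >= 0
            found.append((fields[0], fields[1], "patched" if ok else "needs update"))
    return found

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output
SAMPLE = """libssh-gcrypt-4 0.8.0~20170825.94fa1e38-1build1
libssh2-1 1.8.0-1
openssh-server 1:7.6p1-4ubuntu0.1"""
```

`triage(SAMPLE, "bionic")` reports the constructed libssh-gcrypt-4 entry as needing an update. The check covers installed packages only, not whether a libssh-based SSH server is publicly reachable.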

Post by gm10 » Wed Oct 17, 2018 1:42 pm

.
Last edited by gm10 on Wed Oct 17, 2018 2:02 pm, edited 2 times in total.

Post by xenopeek » Wed Oct 17, 2018 2:01 pm

Very sharp, thanks. That's built from the same source package. Added it above.

Post by smurphos » Wed Oct 17, 2018 2:36 pm

OpenSSH updated today as well along with the package flagged by gm10 on my 18.3 server....LAN facing only thankfully ...