* LibSSH Flaw Allows Hackers to Take Over Servers Without Password

Post by phd21 » Wed Oct 17, 2018 1:03 pm

Hi Everyone that uses libssh,

FYI: This was announced today ...

LibSSH Flaw Allows Hackers to Take Over Servers Without Password
https://thehackernews.com/2018/10/libss ... brary.html
Highly recommended to install the updated versions of libssh as soon as possible.
libssh 0.8.4 and 0.7.6 security and bugfix release – libssh
https://www.libssh.org/2018/10/16/libss ... x-release/

phd21 wrote: It seems to me that this will be part of regular Ubuntu 18.04 Bionic (Linux Mint 19.x) updates today or tomorrow, not sure about previous versions.
- Linux Mint 19.x (Bionic) - Under "Builds" on the right, click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.8.0~20170825.94fa1e38-1ubuntu0.1 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 1ubuntu0.1

- Linux Mint 18.x (Xenial) - Under "Builds" on the right, click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.6.3-4.3ubuntu0.1 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 3ubuntu0.1

- Linux Mint 17.x (Trusty) - Under "Builds" on the right, click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.6.1-0ubuntu3.4 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 0ubuntu3.4



Or, you can download libssh 0.8.4 or 0.7.6 source code here and try compiling it.
Index of /files
https://www.libssh.org/files/

Hope this helps ...
Last edited by xenopeek on Wed Oct 17, 2018 1:22 pm, edited 1 time in total.
Reason: clarified only is of interest to libssh users as other SSH implementations are unaffected; removed junk tags from links

Post by xenopeek » Wed Oct 17, 2018 1:29 pm

You're only affected if you have libssh-4 or libssh-gcrypt-4 package on your system and then only if you're running a publicly reachable SSH server on your system. The libssh-2 package is something else and not affected by CVE-2018-10933. Other SSH packages are also not affected. To the best of my knowledge, libssh-gcrypt-4 comes installed on Linux Mint 19 and libssh-4 on LMDE 3, and for both a patch is already available.

The security notice for Linux Mint 19 (Ubuntu 18.04), 18.x (Ubuntu 16.04) and 17.x (Ubuntu 14.04):
https://usn.ubuntu.com/3795-1/

The security notice for LMDE 3 (Debian stretch / stable) and LMDE 2 (Debian jessie / old-stable):
https://security-tracker.debian.org/tra ... age/libssh

At the time of this writing, only the libssh-4 package on LMDE 2 is not yet patched.

If you have libssh-4 on your system and have at some point in the past 4 years run a publicly reachable SSH server, you might be in for a bit of a headache.
Last edited by xenopeek on Wed Oct 17, 2018 2:00 pm, edited 1 time in total.
Reason: updated with libssh-gcrypt-4 info
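
One way to run the package check described in the post above, added here as an example and not part of the original thread: it flags libssh-4 and libssh-gcrypt-4 builds older than the ones linked in the first post, which are assumed to be the patched versions. The function names and the sample invocation are illustrative.

```shell
#!/bin/sh
# Added example: triage "package version" lines for CVE-2018-10933.
# Assumption: the builds linked in the first post are the patched ones.

# Patched libssh build per Ubuntu base codename (Mint 19.x / 18.x / 17.x).
fixed_version() {
    case "$1" in
        bionic) echo '0.8.0~20170825.94fa1e38-1ubuntu0.1' ;;
        xenial) echo '0.6.3-4.3ubuntu0.1' ;;
        trusty) echo '0.6.1-0ubuntu3.4' ;;
        *) return 1 ;;
    esac
}

# True when version $1 >= $2. dpkg gives exact Debian ordering; sort -V is an
# approximate fallback for reviewing an exported list on a host without dpkg.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# triage CODENAME < list: one verdict per libssh package found.
# Returns 1 if any is older than the patched build, 2 for an unknown release.
triage() {
    fixed=$(fixed_version "$1") || { echo "unknown release: $1" >&2; return 2; }
    rc=0
    while read -r pkg ver; do
        [ -n "$ver" ] || continue          # removed package, config files only
        case "$pkg" in
            libssh-4|libssh-gcrypt-4)
                if version_ge "$ver" "$fixed"; then
                    echo "$pkg $ver patched"
                else
                    echo "$pkg $ver NEEDS-UPDATE"
                    rc=1
                fi ;;
        esac                               # any other package is ignored
    done
    return "$rc"
}

# On a Mint 19.x system:
#   dpkg-query -W -f='${Package} ${Version}\n' | triage bionic
```

This covers only the package condition; the post's second condition, a publicly reachable SSH server, still has to be checked separately.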

Post by gm10 » Wed Oct 17, 2018 1:42 pm

.
Last edited by gm10 on Wed Oct 17, 2018 2:02 pm, edited 2 times in total.

Post by xenopeek » Wed Oct 17, 2018 2:01 pm

Very sharp, thanks. That's built from the same source package. Added it above.

Post by smurphos » Wed Oct 17, 2018 2:36 pm

OpenSSH updated today as well, along with the package flagged by gm10 on my 18.3 server... LAN-facing only, thankfully...
