* LibSSH Flaw Allows Hackers to Take Over Servers Without Password

Post by phd21 »

Hi Everyone that uses libssh,

FYI: This was announced today ...

LibSSH Flaw Allows Hackers to Take Over Servers Without Password
https://thehackernews.com/2018/10/libss ... brary.html
Highly recommended to install the updated versions of libssh as soon as possible.
libssh 0.8.4 and 0.7.6 security and bugfix release – libssh
https://www.libssh.org/2018/10/16/libss ... x-release/

phd21 wrote: It seems to me that this will be part of regular Ubuntu 18.04 Bionic (Linux Mint 19.x) updates today or tomorrow, not sure about previous versions.
- Linux Mint 19.x (Bionic) - Under "Builds" on the right click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.8.0~20170825.94fa1e38-1ubuntu0.1 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 1ubuntu0.1

- Linux Mint 18.x (Xenial) - Under "Builds" on the right click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.6.3-4.3ubuntu0.1 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 3ubuntu0.1

- Linux Mint 17.x (Trusty) - Under "Builds" on the right click either amd64 for 64-bit deb files or i386 for 32-bit deb files
0.6.1-0ubuntu3.4 : libssh package : Ubuntu
https://launchpad.net/ubuntu/+source/li ... 0ubuntu3.4



Or, you can download libssh 0.8.4 or 0.7.6 source code here and try compiling it.
Index of /files
https://www.libssh.org/files/

Hope this helps ...

Post by xenopeek »

You're only affected if you have the libssh-4 or libssh-gcrypt-4 package on your system, and then only if you're running a publicly reachable SSH server on your system. The libssh-2 package is something else and not affected by CVE-2018-10933. Other SSH packages are also not affected. To the best of my knowledge libssh-gcrypt-4 comes installed on Linux Mint 19 and libssh-4 on LMDE 3, and for both a patch is already available.

The security notice for Linux Mint 19 (Ubuntu 18.04), 18.x (Ubuntu 16.04) and 17.x (Ubuntu 14.04):
https://usn.ubuntu.com/3795-1/

The security notice for LMDE 3 (Debian stretch / stable) and LMDE 2 (Debian jessie / old-stable):
https://security-tracker.debian.org/tra ... age/libssh

At the time of this writing only the libssh-4 package on LMDE 2 is not yet patched.

If you have libssh-4 on your system and have at some point in the past 4 years run a publicly reachable SSH server you might be in for a bit of a headache.
Last edited by xenopeek on Wed Oct 17, 2018 2:00 pm, edited 1 time in total.
Reason: updated with libssh-gcrypt-4 info

Post by gm10 »

.
Last edited by gm10 on Wed Oct 17, 2018 2:02 pm, edited 2 times in total.

Post by xenopeek »

Very sharp, thanks. That's built from the same source package. Added it above.

Post by smurphos »

OpenSSH updated today as well along with the package flagged by gm10 on my 18.3 server....LAN facing only thankfully ...