Red Hat Security Advisory 2019-1943-01

Red Hat Security Advisory 2019-1943-01: Posted Jul 30, 2019; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2019-1943-01 - The libssh2 packages provide a library that implements the SSH2 protocol. Issues addressed include an out of bounds write vulnerability.; tags | advisory, protocol; systems | linux, redhat; advisories | CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3863; SHA-256 | bf9ebcd03d05517eaa570c57eaf138bcf1ac38c3e68af231f714e6b0bfb01bbc; Download | Favorite | View

Red Hat Security Advisory 2019-1943-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libssh2 security update
Advisory ID:       RHSA-2019:1943-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1943
Issue date:        2019-07-30
CVE Names:         CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 
                   CVE-2019-3863 
=====================================================================

1. Summary:

An update for libssh2 is now available for Red Hat Enterprise Linux 7.4
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode EUS (v. 7.4) - x86_64
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.4) - noarch, x86_64
Red Hat Enterprise Linux Server EUS (v. 7.4) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 7.4) - noarch, ppc64, ppc64le, s390x, x86_64

3. Description:

The libssh2 packages provide a library that implements the SSH2 protocol.

Security Fix(es):

* libssh2: Integer overflow in transport read resulting in out of bounds
write (CVE-2019-3855)

* libssh2: Integer overflow in keyboard interactive handling resulting in
out of bounds write (CVE-2019-3856)

* libssh2: Integer overflow in SSH packet processing channel resulting in
out of bounds write (CVE-2019-3857)

* libssh2: Integer overflow in user authenticate keyboard interactive
allows out-of-bounds writes (CVE-2019-3863)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing these updated packages, all running applications using
libssh2 must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1687303 - CVE-2019-3855 libssh2: Integer overflow in transport read resulting in out of bounds write
1687304 - CVE-2019-3856 libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write
1687305 - CVE-2019-3857 libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write
1687313 - CVE-2019-3863 libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes

6. Package List:

Red Hat Enterprise Linux ComputeNode EUS (v. 7.4):

Source:
libssh2-1.4.3-11.el7_4.1.src.rpm

x86_64:
libssh2-1.4.3-11.el7_4.1.i686.rpm
libssh2-1.4.3-11.el7_4.1.x86_64.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.i686.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.4):

noarch:
libssh2-docs-1.4.3-11.el7_4.1.noarch.rpm

x86_64:
libssh2-debuginfo-1.4.3-11.el7_4.1.i686.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.x86_64.rpm
libssh2-devel-1.4.3-11.el7_4.1.i686.rpm
libssh2-devel-1.4.3-11.el7_4.1.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
libssh2-1.4.3-11.el7_4.1.src.rpm

ppc64:
libssh2-1.4.3-11.el7_4.1.ppc.rpm
libssh2-1.4.3-11.el7_4.1.ppc64.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.ppc.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.ppc64.rpm

ppc64le:
libssh2-1.4.3-11.el7_4.1.ppc64le.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.ppc64le.rpm

s390x:
libssh2-1.4.3-11.el7_4.1.s390.rpm
libssh2-1.4.3-11.el7_4.1.s390x.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.s390.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.s390x.rpm

x86_64:
libssh2-1.4.3-11.el7_4.1.i686.rpm
libssh2-1.4.3-11.el7_4.1.x86_64.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.i686.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 7.4):

noarch:
libssh2-docs-1.4.3-11.el7_4.1.noarch.rpm

ppc64:
libssh2-debuginfo-1.4.3-11.el7_4.1.ppc.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.ppc64.rpm
libssh2-devel-1.4.3-11.el7_4.1.ppc.rpm
libssh2-devel-1.4.3-11.el7_4.1.ppc64.rpm

ppc64le:
libssh2-debuginfo-1.4.3-11.el7_4.1.ppc64le.rpm
libssh2-devel-1.4.3-11.el7_4.1.ppc64le.rpm

s390x:
libssh2-debuginfo-1.4.3-11.el7_4.1.s390.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.s390x.rpm
libssh2-devel-1.4.3-11.el7_4.1.s390.rpm
libssh2-devel-1.4.3-11.el7_4.1.s390x.rpm

x86_64:
libssh2-debuginfo-1.4.3-11.el7_4.1.i686.rpm
libssh2-debuginfo-1.4.3-11.el7_4.1.x86_64.rpm
libssh2-devel-1.4.3-11.el7_4.1.i686.rpm
libssh2-devel-1.4.3-11.el7_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-3855
https://access.redhat.com/security/cve/CVE-2019-3856
https://access.redhat.com/security/cve/CVE-2019-3857
https://access.redhat.com/security/cve/CVE-2019-3863
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXUAJg9zjgjWX9erEAQjU+xAAiz4nZ+jJLtCpmhpZ0T4jhP13V4DqcfUQ
MUZKNOBBhzlevn+qi2ArbZreg/ZLzGS3xbt7hX2MzamnuPF+/W7XO8koECRaLyOu
cwKm5mcFQ3SRZKmTcpcGl6Y5j0npOuQx2UJiDRVe4Zcb3Tf0d5f3lg7dayLP9RFG
zdXsm1Jn5VJYaNZbs7HgyIBktJKlnFT4qu0DmKyWY/b8sOnx3Oseiy4pX8dlZ3QD
R+W8E1iaAcpZ62X305LyKuKysTLy5L/Ym5xnMlAgptcEoS2pLIO+3V9kuUZ7/Izm
CuuefspEPVVHGc//PJtD0oafDZ6HAhEAF00G0NZofos9/tgTn0JkWUUq7UQbSSPf
RVuyByP3UhZCoRsqkKnv8ACpYl7S5Vn96nSC854mmYVNwyU9ZPHtLdjrM2rH+iJs
Jz21IZ9qeJbCysIBy2ptXjbmDvm6a/S2kgj4649ogzveUSZGM5abImLpSeDlPzV6
Iajo8of0e2dL3mse247caenC+YLUjgcW3xIsdRQO4xOS2bSrCraWjSsVD26h5brr
lCa+KL5FZObYBqX4Fa2u4HAhKopYm6dr3Mzlt0yISHW4xokn3dSTVsl0dOOL330k
2Fjr8WzWvsY/pGWjfE+PrQbrBK5rgZCAV49CIt9CUJwOCWVw2XEvZygj21rs7JD6
sCL11mIiwWw=
=Eh8E
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Red Hat Security Advisory 2019-1943-01

Red Hat Security Advisory 2019-1943-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2019-1943-01

Share This

Red Hat Security Advisory 2019-1943-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems