Recent security update broke server-side keyboard-interactive authentication
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libssh (Debian) | Fix Released | Unknown | |
libssh (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | High | Marc Deslauriers |
Xenial | Fix Released | High | Marc Deslauriers |
Bionic | Fix Released | High | Marc Deslauriers |
Cosmic | Fix Released | High | Marc Deslauriers |
Bug Description
0.8.4 and the backported fixes for CVE-2018-10933 cause server-side keyboard-
This was fixed upstream as part of the 0.8.5 release, so disco is fine. For 16.04/18.04/18.10, please backport the fix:
https:/
tags: added: bionic cosmic regression-release xenial
Changed in libssh (Ubuntu):
status: New → Fix Released
Changed in libssh (Ubuntu Xenial):
status: New → Triaged
Changed in libssh (Ubuntu Bionic):
status: New → Triaged
Changed in libssh (Ubuntu Cosmic):
status: New → Triaged
Changed in libssh (Ubuntu Xenial):
importance: Undecided → High
Changed in libssh (Ubuntu Bionic):
importance: Undecided → High
Changed in libssh (Ubuntu Cosmic):
importance: Undecided → High
Changed in libssh (Debian):
status: Unknown → New
Changed in libssh (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libssh (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libssh (Ubuntu Cosmic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libssh (Ubuntu Trusty):
status: New → Triaged
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote: #1
Marc Deslauriers (mdeslaur) wrote: #2
Packages that fix this regression and a couple of others are available for testing in the security team PPA here:
https:/
Launchpad Janitor (janitor) wrote: #3
This bug was fixed in the package libssh - 0.8.1-1ubuntu0.3
---------------
libssh (0.8.1-1ubuntu0.3) cosmic-security; urgency=medium
* SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
- debian/
after sending INFO_REQUEST in src/server.c.
- debian/
src/packet.c.
- debian/
after sending GSSAPI_RESPONSE in src/gssapi.c.
-- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 09:59:21 -0500
Changed in libssh (Ubuntu Cosmic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote: #4
This bug was fixed in the package libssh - 0.6.1-0ubuntu3.5
---------------
libssh (0.6.1-0ubuntu3.5) trusty-security; urgency=medium
* SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
- debian/
after sending INFO_REQUEST in src/server.c.
- debian/
src/packet.c.
- debian/
after sending GSSAPI_RESPONSE in src/gssapi.c.
-- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 10:05:25 -0500
Changed in libssh (Ubuntu Trusty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote: #5
This bug was fixed in the package libssh - 0.6.3-4.3ubuntu0.2
---------------
libssh (0.6.3-
* SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
- debian/
after sending INFO_REQUEST in src/server.c.
- debian/
src/packet.c.
- debian/
after sending GSSAPI_RESPONSE in src/gssapi.c.
-- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 10:04:57 -0500
Changed in libssh (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote: #6
This bug was fixed in the package libssh - 0.8.0~20170825.
---------------
libssh (0.8.0~
* SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
- debian/
after sending INFO_REQUEST in src/server.c.
- debian/
src/packet.c.
- debian/
after sending GSSAPI_RESPONSE in src/gssapi.c.
-- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 10:01:15 -0500
Changed in libssh (Ubuntu Bionic):
status: Triaged → Fix Released
Martin Pitt (pitti) wrote: #7
Wow, thanks Marc, this was super-fast!
Changed in libssh (Debian):
status: New → Fix Released
Thanks for reporting this pitti, I'll prepare a regression fix!