[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-relays] libssh vulnerability (CVE-2018-10933)
Hi tor-relays,
This email is just to notify the list of a recent libssh vulnerability[1], and encourage any operators who may be running a vulnerable version of libssh to update.
It appears this only impacts libssh in server mode:
“This is an important security and maintenance release in order to address CVE-2018-10933., libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication the attacker could successfully authenticate without any credentials.
The bug was discovered by Peter Winter-Smith of NCC Group.”
Thanks for being relay operators!
[1]: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays