Bug 34268 - libssh: Insecure PRNG seeding (3.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
Hardware: Other Linux
Importance: P3 normal
Target Milestone: UCS 3.1-ES
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Depends on:
Blocks: 41498
Reported: 2014-03-06 09:54 CET by Moritz Muehlenhoff
Modified: 2016-12-12 16:34 CET (History)
Bug group (optional): Security
requate: Patch_Available+
Description Moritz Muehlenhoff univentionstaff 2014-03-06 09:54:40 CET
CVE-2014-0017

The PRNG is not always correctly reseeded when a new process is forked.
Comment 1 Moritz Muehlenhoff univentionstaff 2014-06-02 07:59:19 CEST
The maintenance with bug and security fixes for UCS 3.1-x ended on 31 May 2014.

The maintenance of the UCS 3.x major series is continued by UCS 3.2-x that is supplied with bug and security fixes.

Customers still on UCS 3.1-x are encouraged to update to UCS 3.2. Please contact your partner or Univention for any questions.
Comment 2 Arvid Requate univentionstaff 2016-02-23 17:09:11 CET
Another issue has been fixed in upstream Debian package version 0.4.5-3+squeeze3:

* Weak Diffie-Hellman secret generation in libssh (CVE-2016-0739)
Comment 3 Philipp Hahn univentionstaff 2016-05-25 13:28:52 CEST
repo_admin.py -U -r 3.1 -s extsec3.1 -d squeeze-lts -p libssh # 0.4.5-3+squeeze3

Package: libssh
Version: 0.4.5-3.17.201605251207
Branch: ucs_3.1-0
Scope: extsec3.1

r69528 | Bug #34268: libssh
 branches/ucs-3.1/ucs-3.1-1/doc/errata/staging/libssh.txt
Comment 4 Arvid Requate univentionstaff 2016-06-08 22:13:17 CEST
* Imported version is latest in squeeze-lts
* Package is updatable

But the versioning is such that the package will remain installed in UCS 3.3:

Version:        0.4.5-3.5.201303011058:         ucs_3.1-0-ucs3.1-1
Version:        0.4.5-3.17.201605251207:        ucs_3.1-0-extsec3.1
Version:        0.4.5-3.16.201605091706:        ucs_3.3-0

I think we need to adjust the build version increment.
Comment 5 Philipp Hahn univentionstaff 2016-06-09 09:38:32 CEST
(In reply to Arvid Requate from comment #4)
> * Imported version is latest in squeeze-lts
> * Package is updatable
> 
> But the versioning is such that the package will remain installed in UCS 3.3:
> 
> Version:        0.4.5-3.5.201303011058:         ucs_3.1-0-ucs3.1-1
> Version:        0.4.5-3.17.201605251207:        ucs_3.1-0-extsec3.1
> Version:        0.4.5-3.16.201605091706:        ucs_3.3-0
> 
> I think we need to adjust the build version increment.

$ printf 14 > /var/univention/buildsystem2/config/versions/libssh
$ b31-scope extsec3.1 libssh
$ printf 17 > /var/univention/buildsystem2/config/versions/libssh

Package: libssh
Version: 0.4.5-3.15.201606090935
Branch: ucs_3.1-0
Scope: extsec3.1

r70001 | Bug #34268: libssh
 branches/ucs-3.1/ucs-3.1-1/doc/errata/staging/libssh.txt
Comment 6 Arvid Requate univentionstaff 2016-12-12 16:13:29 CET
Ok, 0.4.5-3+squeeze3 is imported, built and updatable.
Versioning and advisory are ok too.
Comment 7 Janek Walkenhorst univentionstaff 2016-12-12 16:34:50 CET
<http://errata.software-univention.de/ucs/3.1/290.html>