# libssh 0.8.4 and 0.7.6 security and bugfix release

## angryMethane

```
libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code.  By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authenticate
without any credentials.
```

Read more at: https://www.libssh.org/security/advisories/CVE-2018-10933.txt

When will Gentoo upgrade libssh?  :Rolling Eyes:

----------
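The defect class the advisory describes, as an added example that is not from this thread or from libssh itself: a server-side packet dispatcher whose handler table is shared with the client side will run the client's "authentication succeeded" handler when a peer sends message 52, whereas a server should only accept client-to-server message types that are valid in its current state. The message numbers are from RFC 4252; the session classes, payload format and "hunter2" password are constructed for illustration.

```python
# Constructed model of an SSH server's userauth dispatch (not libssh's code).
# Message numbers per RFC 4252; everything else is illustrative.
SSH_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH_MSG_USERAUTH_SUCCESS = 52   # server -> client


class SharedTableServerSession:
    """Pre-fix shape: one handler table for both roles, so the client-side
    USERAUTH_SUCCESS handler is reachable on the server (CVE-2018-10933)."""

    def __init__(self, valid_password):
        self.authenticated = False
        self._valid_password = valid_password
        self._handlers = {
            SSH_MSG_USERAUTH_REQUEST: self._on_userauth_request,
            SSH_MSG_USERAUTH_SUCCESS: self._on_userauth_success,
        }

    def handle(self, msg_type, payload=b""):
        handler = self._handlers.get(msg_type)
        if handler is None:
            return "unimplemented"
        return handler(payload)

    def _on_userauth_request(self, payload):
        # Constructed: the payload is simply the candidate password bytes.
        if payload == self._valid_password:
            self.authenticated = True
            return "success"
        return "failure"

    def _on_userauth_success(self, payload):
        # Only meaningful on the client; on a server it must never run.
        self.authenticated = True
        return "success"


class RoleCheckedServerSession(SharedTableServerSession):
    """Fix shape: reject any message type the peer is not allowed to send
    in the current state before consulting the handler table."""

    CLIENT_TO_SERVER_AUTH_MSGS = frozenset({SSH_MSG_USERAUTH_REQUEST})

    def handle(self, msg_type, payload=b""):
        if msg_type not in self.CLIENT_TO_SERVER_AUTH_MSGS:
            return "protocol_error"   # a real server would disconnect here
        return super().handle(msg_type, payload)
```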

## Ant P.

Are you using an in-tree package that uses the server parts of libssh? Which one?

----------

## eccerr0r

Ouch.

So what apps use libssh for server?

Ffmpeg if you have USE=ssh will use libssh, but I'm not sure if it uses server mode...

Luckily I don't have libssh installed on outward facing servers... I think...

----------

## Ant P.

*eccerr0r wrote:*

> Ouch.
> 
> So what apps use libssh for server?


That's my point; nothing does.

Taking the results of `eix -c --depend 'libssh\b'`, I see:

- libvirt, kodi, ffmpeg: these provide server functions, but ones completely unrelated to SSH
- A bunch of network security scanning tools
- Client software, mostly multimedia things, which use it to access files like a network share

Overlays are mostly the same story. In summary: this is needless hysteria.

----------

## angryMethane

*Ant P. wrote:*

> Are you using an in-tree package that uses the server parts of libssh? Which one?


libvirt and qemu.

----------

## Ant P.

What port are you running their SSH servers on? Can't be 22, because openssh is already using that.

----------

## eccerr0r

Yeah I think the hype is overblown, though it is a security hole nonetheless.

I was worried about two major ssh servers that actually run as root:

- OpenSSH, but this is standalone and does not use libssh

- Dropbear, and once again it has its own ssh implementation.

All other applications may use libssh but for client side connectivity and thus do not have root access.  The reason why it still may be a problem is if these applications implement an internal server, which seems kind of pointless.

So, while it is a bug, this is not as big a story as it seems, at least for Gentoo.  Can't say the same for other OSes.

----------

## angryMethane

*eccerr0r wrote:*

> Yeah I think the hype is overblown, though it is a security hole nonetheless.
> 
> I was worried about two major ssh servers that actually run as root:
> 
> - OpenSSH, but this is standalone and does not use libssh
> ...


In my opinion, the right attitude towards vulnerable software is to patch it as soon as possible, no matter what damage it would cause.

----------

## eccerr0r

*angryMethane wrote:*

> In my opinion, the right attitude towards vulnerable software is to patch it as soon as possible, no matter what damage it would cause.


It's a good attitude if you don't understand the bug, but it's also worth stepping back to do an actual assessment of the issue at hand, and not making hasty moves that may cause unneeded panic.

Before I forget, thank you for posting about the bug, I had not seen it until you wrote about it.  I really appreciate it.

----------

## asturm

*angryMethane wrote:*

> Read more at: https://www.libssh.org/security/advisories/CVE-2018-10933.txt
> 
> When will Gentoo upgrade libssh?


^ Posted: Wed Oct 17, 2018

```
commit b9446a58ef8701d59c8d267bfcd156a68de3f39b
Date:   Tue Oct 16 17:46:52 2018 +0200

    net-libs/libssh: 0.8.4 version bump for CVE-2018-10933

commit f683743f3d5db4b12427583d9a4d215cd502885f
Date:   Wed Oct 17 13:59:01 2018 +0200

    net-libs/libssh: x86 stable (bug #668788)

commit b26ddba94beb0c70f08ade881b97be08cb7bd468
Date:   Wed Oct 17 18:09:17 2018 +0200

    net-libs/libssh: amd64 stable wrt bug #668788
```

----------

