Security update for libssh2_org SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0718-1 Final 1 1 2016-03-11T09:18:12Z current 2016-03-11T09:18:12Z 2016-03-11T09:18:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libssh2_org This update for libssh2_org fixes the following issues: Security issue fixed: - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added: - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed: - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-2016-413,SUSE-SLE-DESKTOP-12-SP1-2016-413,SUSE-SLE-SDK-12-2016-413,SUSE-SLE-SDK-12-SP1-2016-413,SUSE-SLE-SERVER-12-2016-413,SUSE-SLE-SERVER-12-SP1-2016-413 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160718-1/ Link for SUSE-SU-2016:0718-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001922.html E-Mail link for SUSE-SU-2016:0718-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/933336 SUSE Bug 933336 https://bugzilla.suse.com/961964 SUSE Bug 961964 https://bugzilla.suse.com/967026 SUSE Bug 967026 https://www.suse.com/security/cve/CVE-2016-0787/ SUSE CVE CVE-2016-0787 page SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Software Development Kit 12 SP1 libssh2-1-1.4.3-16.1 libssh2-1-32bit-1.4.3-16.1 libssh2-devel-1.4.3-16.1 libssh2-1-1.4.3-16.1 as a component of SUSE Linux Enterprise Desktop 12 libssh2-1-32bit-1.4.3-16.1 as a component of SUSE Linux Enterprise Desktop 12 libssh2-1-1.4.3-16.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 libssh2-1-32bit-1.4.3-16.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 libssh2-1-1.4.3-16.1 as a component of SUSE Linux Enterprise Server 12 libssh2-1-32bit-1.4.3-16.1 as a component of SUSE Linux Enterprise Server 12 libssh2-1-1.4.3-16.1 as a component of SUSE Linux Enterprise Server 12 SP1 libssh2-1-32bit-1.4.3-16.1 as a component of SUSE Linux Enterprise Server 12 SP1 libssh2-1-1.4.3-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libssh2-1-32bit-1.4.3-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libssh2-1-1.4.3-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libssh2-1-32bit-1.4.3-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libssh2-devel-1.4.3-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 libssh2-devel-1.4.3-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug." CVE-2016-0787 SUSE Linux Enterprise Desktop 12 SP1:libssh2-1-1.4.3-16.1 SUSE Linux Enterprise Desktop 12 SP1:libssh2-1-32bit-1.4.3-16.1 SUSE Linux Enterprise Desktop 12:libssh2-1-1.4.3-16.1 SUSE Linux Enterprise Desktop 12:libssh2-1-32bit-1.4.3-16.1 SUSE Linux Enterprise Server 12 SP1:libssh2-1-1.4.3-16.1 SUSE Linux Enterprise Server 12 SP1:libssh2-1-32bit-1.4.3-16.1 SUSE Linux Enterprise Server 12:libssh2-1-1.4.3-16.1 SUSE Linux Enterprise Server 12:libssh2-1-32bit-1.4.3-16.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libssh2-1-1.4.3-16.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libssh2-1-32bit-1.4.3-16.1 SUSE Linux Enterprise Server for SAP Applications 12:libssh2-1-1.4.3-16.1 SUSE Linux Enterprise Server for SAP Applications 12:libssh2-1-32bit-1.4.3-16.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libssh2-devel-1.4.3-16.1 SUSE Linux Enterprise Software Development Kit 12:libssh2-devel-1.4.3-16.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160718-1/ https://www.suse.com/security/cve/CVE-2016-0787.html CVE-2016-0787 https://bugzilla.suse.com/1149968 SUSE Bug 1149968 https://bugzilla.suse.com/967026 SUSE Bug 967026 https://bugzilla.suse.com/968174 SUSE Bug 968174 https://bugzilla.suse.com/974691 SUSE Bug 974691