Security update for libssh

Announcement ID:	SUSE-SU-2024:0525-1
Rating:	important
References:	bsc#1158095 bsc#1168699 bsc#1174713 bsc#1189608 bsc#1211188 bsc#1211190 bsc#1218126 bsc#1218186 bsc#1218209 jsc#PED-7719
Cross-References:	CVE-2019-14889 CVE-2020-16135 CVE-2020-1730 CVE-2021-3634 CVE-2023-1667 CVE-2023-2283 CVE-2023-48795 CVE-2023-6004 CVE-2023-6918
CVSS scores:	CVE-2019-14889 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2019-14889 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-14889 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2020-16135 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-16135 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-1730 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-1730 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3634 ( SUSE ): 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVE-2021-3634 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-1667 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2023-1667 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-2283 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2023-2283 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2023-48795 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2023-48795 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2023-6004 ( SUSE ): 4.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVE-2023-6004 ( NVD ): 4.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVE-2023-6918 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-6918 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:	SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro for Rancher 5.2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves nine vulnerabilities and contains one feature can now be installed.

Description:

This update for libssh fixes the following issues:

Update to version 0.9.8 (jsc#PED-7719):

• Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
• Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
• Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
• Allow @ in usernames when parsing from URI composes

Update to version 0.9.7:

• Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188)
• Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)
• Fix several memory leaks in GSSAPI handling code

Update to version 0.9.6 (bsc#1189608, CVE-2021-3634):

• https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6

Update to 0.9.5 (bsc#1174713, CVE-2020-16135):

• CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
• Improve handling of library initialization (T222)
• Fix parsing of subsecond times in SFTP (T219)
• Make the documentation reproducible
• Remove deprecated API usage in OpenSSL
• Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
• Define version in one place (T226)
• Prevent invalid free when using different C runtimes than OpenSSL (T229)
• Compatibility improvements to testsuite

Update to version 0.9.4

• https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
• Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699)

Update to version 0.9.3

• Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095)
• SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
• SSH-01-006 General: Various unchecked Null-derefs cause DOS
• SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
• SSH-01-010 SSH: Deprecated hash function in fingerprinting
• SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
• SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
• SSH-01-001 State Machine: Initial machine states should be set explicitly
• SSH-01-002 Kex: Differently bound macros used to iterate same array
• SSH-01-005 Code-Quality: Integer sign confusion during assignments
• SSH-01-008 SCP: Protocol Injection via unescaped File Names
• SSH-01-009 SSH: Update documentation which RFCs are implemented
• SSH-01-012 PKI: Information leak via uninitialized stack buffer

Update to version 0.9.2

• Fixed libssh-config.cmake
• Fixed issues with rsa algorithm negotiation (T191)
• Fixed detection of OpenSSL ed25519 support (T197)

Update to version 0.9.1

• Added support for Ed25519 via OpenSSL
• Added support for X25519 via OpenSSL
• Added support for localuser in Match keyword
• Fixed Match keyword to be case sensitive
• Fixed compilation with LibreSSL
• Fixed error report of channel open (T75)
• Fixed sftp documentation (T137)
• Fixed known_hosts parsing (T156)
• Fixed build issue with MinGW (T157)
• Fixed build with gcc 9 (T164)
• Fixed deprecation issues (T165)

• Fixed known_hosts directory creation (T166)

• Split out configuration to separate package to not mess up the library packaging and coinstallation

Update to verion 0.9.0

• Added support for AES-GCM
• Added improved rekeying support
• Added performance improvements
• Disabled blowfish support by default
• Fixed several ssh config parsing issues
• Added support for DH Group Exchange KEX
• Added support for Encrypt-then-MAC mode
• Added support for parsing server side configuration file
• Added support for ECDSA/Ed25519 certificates
• Added FIPS 140-2 compatibility
• Improved known_hosts parsing
• Improved documentation

• Improved OpenSSL API usage for KEX, DH, and signatures

• Add libssh client and server config files

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-525=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-525=1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-525=1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-525=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-525=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-525=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2024-525=1
• SUSE Linux Enterprise Micro 5.1
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-525=1
• SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-525=1
• SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-525=1

Package List:

• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-devel-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (x86_64)
  • libssh4-32bit-0.9.8-150200.13.3.1
  • libssh4-32bit-debuginfo-0.9.8-150200.13.3.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-devel-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (x86_64)
  • libssh4-32bit-0.9.8-150200.13.3.1
  • libssh4-32bit-debuginfo-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-devel-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (x86_64)
  • libssh4-32bit-0.9.8-150200.13.3.1
  • libssh4-32bit-debuginfo-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-devel-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (x86_64)
  • libssh4-32bit-0.9.8-150200.13.3.1
  • libssh4-32bit-debuginfo-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-devel-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
  • libssh4-32bit-0.9.8-150200.13.3.1
  • libssh4-32bit-debuginfo-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-devel-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (x86_64)
  • libssh4-32bit-0.9.8-150200.13.3.1
  • libssh4-32bit-debuginfo-0.9.8-150200.13.3.1
• SUSE Enterprise Storage 7.1 (aarch64 x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-devel-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Enterprise Storage 7.1 (x86_64)
  • libssh4-32bit-0.9.8-150200.13.3.1
  • libssh4-32bit-debuginfo-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
  • libssh4-0.9.8-150200.13.3.1
  • libssh-config-0.9.8-150200.13.3.1
  • libssh4-debuginfo-0.9.8-150200.13.3.1
  • libssh-debugsource-0.9.8-150200.13.3.1

References:

• https://www.suse.com/security/cve/CVE-2019-14889.html
• https://www.suse.com/security/cve/CVE-2020-16135.html
• https://www.suse.com/security/cve/CVE-2020-1730.html
• https://www.suse.com/security/cve/CVE-2021-3634.html
• https://www.suse.com/security/cve/CVE-2023-1667.html
• https://www.suse.com/security/cve/CVE-2023-2283.html
• https://www.suse.com/security/cve/CVE-2023-48795.html
• https://www.suse.com/security/cve/CVE-2023-6004.html
• https://www.suse.com/security/cve/CVE-2023-6918.html
• https://bugzilla.suse.com/show_bug.cgi?id=1158095
• https://bugzilla.suse.com/show_bug.cgi?id=1168699
• https://bugzilla.suse.com/show_bug.cgi?id=1174713
• https://bugzilla.suse.com/show_bug.cgi?id=1189608
• https://bugzilla.suse.com/show_bug.cgi?id=1211188
• https://bugzilla.suse.com/show_bug.cgi?id=1211190
• https://bugzilla.suse.com/show_bug.cgi?id=1218126
• https://bugzilla.suse.com/show_bug.cgi?id=1218186
• https://bugzilla.suse.com/show_bug.cgi?id=1218209
• https://jira.suse.com/browse/PED-7719