CVE-2023-6918
Publication date 19 December 2023
Last updated 24 July 2024
Ubuntu priority
A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libssh | ||
| 22.04 LTS jammy |
Fixed 0.9.6-2ubuntu0.22.04.3
|
|
| 20.04 LTS focal |
Fixed 0.9.3-2ubuntu2.5
|
|
| 18.04 LTS bionic |
Fixed 0.8.0~20170825.94fa1e38-1ubuntu0.7+esm3
|
|
| 16.04 LTS xenial |
Fixed 0.6.3-4.3ubuntu0.6+esm1
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProPatch details
| Package | Patch details |
|---|---|
| libssh |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-6592-1
- libssh vulnerabilities
- 22 January 2024
- USN-6592-2
- libssh vulnerabilities
- 5 February 2024