Test ID:	1.3.6.1.4.1.25623.1.1.10.2014.0119
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2014-0119)
Summary:	The remote host is missing an update for the 'libssh' package(s) announced via the MGASA-2014-0119 advisory.
Description:	Summary: The remote host is missing an update for the 'libssh' package(s) announced via the MGASA-2014-0119 advisory. Vulnerability Insight: When using libssh before 0.6.3, a libssh-based server, when accepting a new connection, forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but simply adds the current process id (getpid) to the PRNG state, which is not guaranteed to be unique. The most important consequence is that servers using EC (ECDSA) or DSA certificates may under certain conditions leak their private key (CVE-2014-0017). Affected Software/OS: 'libssh' package(s) on Mageia 3, Mageia 4. Solution: Please install the updated package(s). CVSS Score: 1.9 CVSS Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-0017 57407 http://secunia.com/advisories/57407 DSA-2879 http://www.debian.org/security/2014/dsa-2879 USN-2145-1 http://www.ubuntu.com/usn/USN-2145-1 [oss-security] 20140305 libssh and stunnel PRNG flaws http://www.openwall.com/lists/oss-security/2014/03/05/1 http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/ https://bugzilla.redhat.com/show_bug.cgi?id=1072191 openSUSE-SU-2014:0366 http://lists.opensuse.org/opensuse-updates/2014-03/msg00036.html openSUSE-SU-2014:0370 http://lists.opensuse.org/opensuse-updates/2014-03/msg00040.html
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.