Security Security Vulnerabilitys for libssh2 (CVE-2016-0787) & libssh (CVE-2016-0739)

More Redhat and CentOS security vulnerabilities for libssh2 (CVE-2016-0787) & libssh (CVE-2016-0739). Seems libssh2 (CVE-2016-0787) affects both CentOS 6 and CentOS 7. While libssh (CVE-2016-0739) only affects CentOS 7 and is not installed in Centmin Mod LEMP stack default installs.

Details

• CVE-2016-0787 - Red Hat Customer Portal (more info)
• libssh2 Security Advisory: Truncated Difffie-Hellman secret length
  
• CVE-2016-0739 - Red Hat Customer Portal (more info)
• https://www.libssh.org/security/advisories/CVE-2016-0739.txt
• Bug 1306021 – CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
  
• Bug 1305971 – CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Difffie-Hellman secret length

On CentOS 7.2 with Centmin Mod installed - only libssh2 is installed while libssh isn't installed, so only libssh2 needs an update

Code (Text):

yum list libssh* -q
Installed Packages
libssh2.x86_64                  1.4.3-10.el7_2.1                                           @updates
Available Packages
libssh.x86_64                     0.7.1-1.el7                                                extras
libssh-devel.x86_64          0.7.1-1.el7                                                extras
libssh2.i686                     1.4.3-10.el7_2.1                                           updates
libssh2-devel.i686          1.4.3-10.el7_2.1                                           updates
libssh2-devel.x86_64        1.4.3-10.el7_2.1                                           updates
libssh2-docs.noarch          1.4.3-10.el7_2.1                                           updates

System libssh/libssh2 updates

Redhat and CentOS always backports fixes in their version of software so the major version number remains with incremental version number bumps i.e. libssh2 1.4.3-10 where -10 is the bump

• For CentOS 6.7 updated libssh2 version = 1.4.2-2.el6_7.1
• For CentOS 7.2 updated libssh2 version = 1.4.3-10.el7_2.1

Check current installed libssh2's change log first 3 entries as changes are added in reverse descending date order.

From CentOS 6.7

Code (Text):

rpm -qa --changelog libssh2 | head -n3
* Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> - 1.4.2-2.el6_7.1
- use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)

From CentOS 7.2

Code (Text):

rpm -qa --changelog libssh2 | head -n3
* Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> 1.4.3-10.el7_2.1
- use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)

To update and then read 2nd post in this thread to restart services that use libssh2

Code (Text):

yum -y update libssh2

---

 

libssh2 yum package security update has been released. Update your servers !

So to restart services which use libssh2:

For CentOS 6.x command to find services that you need to restart

Code (Text):

for s in $(lsof | awk '/libssh2/ {print $1}' | uniq ); do if [ -f /etc/init.d/$s ]; then echo $s; fi; done

For CentOS 6.x command to restart existing running services that you need to restart

Code (Text):

for s in $(lsof | awk '/libssh2/ {print $1}' | uniq ); do if [ -f /etc/init.d/$s ]; then ps aux | grep $s | grep -v grep >/dev/null; ON=$?;    if [[ "$ON" = '0' ]]; then echo $s;  echo "/etc/init.d/$s restart";  /etc/init.d/$s restart; fi;    fi; done

For CentOS 7.x command to run

Code (Text):

systemctl daemon-reexec

On all my 100+ Centmin Mod LEMP servers CentOS 6/7 only service that uses libssh2 seems to be PHP-FPM, so

Code (Text):

service php-fpm restart

or

Code (Text):

fpmrestart

would also take care of it