
Security Vulnerabilities for libssh2 (CVE-2016-0787) & libssh (CVE-2016-0739)

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Feb 24, 2016.

  1. eva2000 (Administrator, Staff Member)

    More Redhat and CentOS security vulnerabilities for libssh2 (CVE-2016-0787) & libssh (CVE-2016-0739). It seems libssh2 (CVE-2016-0787) affects both CentOS 6 and CentOS 7, while libssh (CVE-2016-0739) only affects CentOS 7 and is not installed in Centmin Mod LEMP stack default installs.

    Details

    On CentOS 7.2 with Centmin Mod installed, only libssh2 is installed while libssh isn't, so only libssh2 needs an update:
    Code (Text):
    yum list libssh* -q
    Installed Packages
    libssh2.x86_64          1.4.3-10.el7_2.1    @updates
    Available Packages
    libssh.x86_64           0.7.1-1.el7         extras
    libssh-devel.x86_64     0.7.1-1.el7         extras
    libssh2.i686            1.4.3-10.el7_2.1    updates
    libssh2-devel.i686      1.4.3-10.el7_2.1    updates
    libssh2-devel.x86_64    1.4.3-10.el7_2.1    updates
    libssh2-docs.noarch     1.4.3-10.el7_2.1    updates


    System libssh/libssh2 updates

    Redhat and CentOS always backport fixes into their version of the software, so the major version number stays the same and only the release number is bumped, i.e. libssh2 1.4.3-10, where -10 is the bump.
    • For CentOS 6.7 updated libssh2 version = 1.4.2-2.el6_7.1
    • For CentOS 7.2 updated libssh2 version = 1.4.3-10.el7_2.1
    Check the first 3 entries of the currently installed libssh2's changelog, as changes are added in reverse (descending) date order.

    From CentOS 6.7
    Code (Text):
    rpm -qa --changelog libssh2 | head -n3
    * Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> - 1.4.2-2.el6_7.1
    - use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)
    


    From CentOS 7.2
    Code (Text):
    rpm -qa --changelog libssh2 | head -n3
    * Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> 1.4.3-10.el7_2.1
    - use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)
    


    To update, run the following (and then read the 2nd post in this thread to restart services that use libssh2):
    Code (Text):
    yum -y update libssh2
     
    Last edited: Mar 11, 2016
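Because Red Hat backports fixes without changing the upstream version, the reliable check for "is this CVE fixed on this box" is the package changelog, not the version string. The script below is an added example (not eva2000's code or anything shipped by Centmin Mod): it parses `rpm -q --changelog` output, newest entry first, and prints the version-release of the first entry that mentions the given CVE. The function names are mine; the first sample changelog entry mirrors the one quoted above, the second is constructed.

```shell
#!/bin/sh
# Added example: find which package release first mentions a CVE in an RPM changelog.
# Not from the original post; function names are assumptions of this example.

# changelog_fix_release CVE < changelog-text
# Reads an RPM changelog (newest entry first). Prints the version-release from the
# header of the first entry whose text mentions CVE. Exit status 1 if no entry does.
changelog_fix_release() {
    awk -v cve="$1" '
        /^\* /  { hdr = $0 }                  # "* <date> <author> [-] <version-release>"
        index($0, cve) && hdr != "" {         # CVE string appears in this entry
            n = split(hdr, f, " ")
            print f[n]                        # last header field is the version-release
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# pkg_cve_fixed PKG CVE: same check against the package installed on this host.
# Requires rpm; on a host without it this simply reports "not fixed".
pkg_cve_fixed() {
    rpm -q --changelog "$1" 2>/dev/null | changelog_fix_release "$2"
}

# Constructed sample: first entry mirrors the CentOS 6.7 changelog quoted above,
# second entry is made up to show that older entries are skipped.
SAMPLE_CHANGELOG='* Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> - 1.4.2-2.el6_7.1
- use secrets of the appropriate length in Diffie-Hellman (CVE-2016-0787)

* Mon Jun 08 2015 Example Packager <packager@example.invalid> - 1.4.2-2
- constructed older entry with no CVE reference'

main() {
    # Self-check on the constructed sample, then the real package if rpm exists.
    printf 'sample: CVE-2016-0787 fixed in release %s\n' \
        "$(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fix_release CVE-2016-0787)"
    if command -v rpm >/dev/null 2>&1; then
        if rel=$(pkg_cve_fixed libssh2 CVE-2016-0787); then
            echo "installed libssh2: CVE-2016-0787 fixed in $rel"
        else
            echo "installed libssh2: no changelog entry for CVE-2016-0787 (update needed)"
        fi
    fi
}

main "$@"
```

Run it as root after `yum update libssh2`; the same function works for any package and CVE id, which is more useful than comparing version strings across distributions that backport.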
  2. eva2000 (Administrator, Staff Member)

    The libssh2 yum package security update has been released. Update your servers! ;) :)

    So to restart services which use libssh2:

    For CentOS 6.x, the command to find services that you need to restart:
    Code (Text):
    # list init.d services whose processes have libssh2 mapped (sort -u rather than uniq: lsof output is not sorted)
    for s in $(lsof | awk '/libssh2/ {print $1}' | sort -u); do if [ -f "/etc/init.d/$s" ]; then echo "$s"; fi; done

    For CentOS 6.x, the command to restart the running services that you need to restart:
    Code (Text):
    # restart each running init.d service whose process has libssh2 mapped
    for s in $(lsof | awk '/libssh2/ {print $1}' | sort -u); do if [ -f "/etc/init.d/$s" ] && ps aux | grep "$s" | grep -v grep >/dev/null; then echo "$s"; echo "/etc/init.d/$s restart"; "/etc/init.d/$s" restart; fi; done

    For CentOS 7.x, the command to run:
    Code (Text):
    systemctl daemon-reexec


    On all my 100+ Centmin Mod LEMP servers (CentOS 6/7), the only service that uses libssh2 seems to be PHP-FPM, so
    Code (Text):
    service php-fpm restart

    or
    Code (Text):
    fpmrestart

    would also take care of it
     
    Last edited: Mar 11, 2016
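The `lsof`-based one-liners above tell you which services link libssh2; the script below is an added example (not eva2000's code) that answers the follow-up question after the update: which processes are still running with the old, now-deleted copy of the library mapped, and which systemd unit each belongs to. It reads `/proc/PID/maps` (the kernel marks a replaced file as `(deleted)`) and the CentOS 7 cgroup layout (`.../system.slice/<name>.service`); both are assumptions about the host, and the function names and sample map lines are constructed for this example.

```shell
#!/bin/sh
# Added example: list processes still mapping a deleted (pre-update) copy of a
# shared library, with the owning systemd unit. Not from the original post.

# stale_maps_match LIB < maps-text
# Prints 1 if the maps text shows LIB mapped from a file the kernel marks
# "(deleted)", i.e. the process loaded the library before it was replaced; else 0.
stale_maps_match() {
    lib="$1"
    if grep -q "${lib}[^ ]* (deleted)"; then
        echo 1
    else
        echo 0
    fi
}

# list_stale_pids LIB: scan /proc/*/maps for processes holding a deleted copy of LIB.
# Processes that exit mid-scan, or that we may not read, are silently skipped.
list_stale_pids() {
    lib="$1"
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if [ "$(stale_maps_match "$lib" 2>/dev/null < "$maps")" = 1 ]; then
            echo "$pid"
        fi
    done
}

# unit_of_pid PID: systemd unit owning PID, taken from its cgroup path
# (assumes the CentOS 7 layout, e.g. .../system.slice/php-fpm.service).
unit_of_pid() {
    sed -n 's#^.*/\([^/]*\.service\)$#\1#p' "/proc/$1/cgroup" 2>/dev/null | head -n1
}

# Constructed /proc/PID/maps excerpts used by the self-check below.
SAMPLE_STALE='7f3c0a2b0000-7f3c0a2e0000 r-xp 00000000 fd:01 131 /usr/lib64/libssh2.so.1.0.1 (deleted)'
SAMPLE_OK='7f3c0a2b0000-7f3c0a2e0000 r-xp 00000000 fd:01 131 /usr/lib64/libssh2.so.1.0.1'

main() {
    lib=${1:-libssh2.so}
    found=0
    for pid in $(list_stale_pids "$lib"); do
        cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline" | cut -c1-40)
        printf '%s\t%s\t%s\n' "$pid" "$cmd" "$(unit_of_pid "$pid")"
        found=1
    done
    [ "$found" = 1 ] || echo "no running process maps a deleted copy of $lib"
}

main "$@"
```

Run it as root right after `yum -y update libssh2`: an empty result means every service has picked up the patched library, while any listed unit still needs a restart. The same check works for other library updates by passing a different name, e.g. `sh stale-lib.sh libcrypto.so`.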