CVE-2020-1730

Name: CVE-2020-1730
Description: A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR ciphers (or DES ciphers, if enabled). The server or client could crash when the connection has not been fully initialized and the system tries to clean up the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
NVD Severity: medium

References

| Type | URI |
|---|---|
| Vendor Advisory | https://www.libssh.org/security/advisories/CVE-2020-1730.txt |
| Issue Tracking | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730 |
| Mailing List | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554/ |
| Third Party Advisory | https://usn.ubuntu.com/4327-1/ |
| Third Party Advisory | https://security.netapp.com/advisory/ntap-20200424-0001/ |
| Mailing List | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU/ |
| MISC | https://www.oracle.com/security-alerts/cpuoct2020.html |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* | libssh | >= 0.8.0 | < 0.8.9 |
| cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* | libssh | >= 0.9.0 | < 0.9.4 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status