Bug 1896651 - Update for libssh-0.9.0-4.el8.x86_64 as it has bug. Rebase to libssh-0-9-6
Summary: Update for libssh-0.9.0-4.el8.x86_64 as it has bug. Rebase to libssh-0-9-6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libssh
Version: 8.2
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: rc
: 8.0
Assignee: Norbert Pócs
QA Contact: Pavel Yadlouski
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-11 06:49 UTC by Dushyantk.sun@gmail.com
Modified: 2022-05-10 16:35 UTC

Fixed In Version: libssh-0.9.6-3.el8
Doc Type: Enhancement
Doc Text:
.`libssh` rebased to 0.9.6
The `libssh` package has been rebased to upstream version 0.9.6. This version provides bug fixes and enhancements, most notably:
* Support for multiple identity files. The files are processed from the bottom to the top as listed in the `~/.ssh/config` file.
* Parsing of sub-second times in SFTP is fixed.
* A regression of the `ssh_channel_poll_timeout()` function returning `SSH_AGAIN` unexpectedly is now fixed.
* A possible heap-buffer overflow after key re-exchange is fixed.
* A handshake bug when an AEAD cipher is matched but there is no HMAC overlap is fixed.
* Several memory leaks on error paths are fixed.
Clone Of:
Environment:
Last Closed: 2022-05-10 15:21:19 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Zabbix frontend snap (20.34 KB, image/png), 2020-11-11 06:49 UTC, Dushyantk.sun@gmail.com


Links
Red Hat Issue Tracker: CRYPTO-5103 (last updated 2021-11-03 13:33:59 UTC)
Red Hat Product Errata: RHSA-2022:2031 (last updated 2022-05-10 15:21:27 UTC)

Description Dushyantk.sun@gmail.com 2020-11-11 06:49:11 UTC
Created attachment 1728268 [details]
Zabbix frontend snap

Description of problem:

Hello Team,

We have RH Linux release 8.2.2004. We have the Zabbix monitoring tool installed on it, and this monitoring tool needs to connect to client machines (all clients are RH 6 and 7) to fetch server details over SSH. However, due to a bug in libssh-0.9.0-4, we are seeing an intermittent issue while connecting to client machines.
I can see the libssh community has released an updated version, libssh 0.9.5.
I would like to check with you if there is any timeline for releasing this package in the RH 8 repo, or whether we have any workaround for the time being until the release of the package.
It caused us to move forward with the RH 8 version in the prod environment. Found a link from Zabbix, https://support.zabbix.com/browse/ZBX-17756, and from libssh, where they have a fix available: https://www.libssh.org/2020/09/10/libssh-0-9-5/ .

Please let me know if you need more information.

Version-Release number of selected component (if applicable):

libssh-0.9.0-4.el8.x86_64

How reproducible:
While executing a remote command from the Zabbix application on the RH 8 server to client machines, it shows "Cannot read data from SSH server".

Steps to Reproduce:
1. Intermittent connection drop to client from RH 8
2. Executing several remote commands
3.

Actual results:
Cannot read data from SSH server on the Zabbix tool frontend.

Expected results:
It should connect and execute the command to fetch the details.

Additional info:

Comment 2 Dushyantk.sun@gmail.com 2020-11-11 09:43:12 UTC
Hi Sahana,

Thank you for reviewing the issue and providing feedback. 

Since the update will take time, could you please let me know if we have any workaround for it?

-Dushyant

Comment 4 Dushyantk.sun@gmail.com 2020-11-11 12:35:42 UTC
Hi Sahana,

When we install RH 8, we get the default version libssh-0.9.4, so we cannot downgrade. Do we have a lower version of libssh which is supported on RH 8, and how do we download it?

But yeah, we will wait for the release of the updated package.

Comment 5 Nikos Mavrogiannopoulos 2020-11-11 12:49:58 UTC
Thank you Dushyanth for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution. 

For information on how to contact the Red Hat production support team, please visit:
    https://www.redhat.com/en/services/support

Comment 6 Nikos Mavrogiannopoulos 2020-11-11 12:52:25 UTC
Please also ask the support engineer to assign your ticket to this Bugzilla.

Comment 7 Dushyantk.sun@gmail.com 2020-11-11 16:49:17 UTC
Hi Nikos,

Thank you. I will check and raise a case accordingly.

Comment 14 Norbert Pócs 2021-10-12 15:17:20 UTC
Changes from the change log for 0.9.5 are:

CVE-2020-16135: Avoid null pointer dereference in sftpserver
Improve handling of library initialization
Fix parsing of subsecond times in SFTP
Make the documentation reproducible
Remove deprecated API usage in OpenSSL
Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
Define version in one place
Prevent invalid free when using different C runtimes than OpenSSL
Compatibility improvements to testsuite


The latest upstream version 0.9.6 fixes CVE-2021-3634 (libssh: possible heap-based buffer overflow when rekeying).
Additional changes in this release from the change log:

CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism
Fix several memory leaks on error paths
Reset pending_call_state on disconnect
Fix handshake bug with AEAD ciphers and no HMAC overlap
Use OPENSSL_CRYPTO_LIBRARIES in CMake
Ignore request success and failure message if they are not expected
Support more identity files in configuration
Avoid setting compiler flags directly in CMake
Support build directories with special characters
Include stdlib.h to avoid crash in Windows
Fix sftp_new_channel constructs an invalid object
Fix Ninja multiple rules error
Several tests fixes
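As an added example that is not part of this bug report or the libssh project: a Python check that compares an installed libssh NVR against the bug's "Fixed In Version" (libssh-0.9.6-3.el8) using a simplified port of rpm's version comparison, so an inventory script can flag RHEL 8 hosts still on a build that predates the 0.9.5/0.9.6 fixes (CVE-2020-16135, CVE-2021-3634). The rpm query helper, the equal-epoch assumption and the omission of rpm's '^' post-release marker are this example's own assumptions.

```python
import re
import subprocess
from typing import Optional

FIXED_NVR = "libssh-0.9.6-3.el8"   # "Fixed In Version" from this bug
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified port of rpm's rpmvercmp(): -1, 0 or 1 for a <, ==, > b.
    Handles digit/alpha segments and the '~' pre-release marker; the '^'
    post-release marker is left out (assumption of this example)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # tilde sorts before anything else
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():   # numeric: compare by magnitude
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return -1 if len(x) < len(y) else 1
        elif x.isdigit() != y.isdigit():  # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    if rest == "~":                        # leftover "~rc1" still means older
        return -1 if a_longer else 1
    return 1 if a_longer else -1           # otherwise the longer string wins

def is_fixed(installed_nvr: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True when installed version-release >= fixed (epochs assumed equal)."""
    _, iv, ir = installed_nvr.rsplit("-", 2)
    _, fv, fr = fixed_nvr.rsplit("-", 2)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def installed_libssh() -> Optional[str]:
    """Query rpm for the installed libssh NVR; None if rpm or the package is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n",
                              "libssh"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.split()[0]
```

On a RHEL 8 host, `is_fixed(installed_libssh())` returns False for the reporter's libssh-0.9.0-4.el8 and True once libssh-0.9.6-3.el8 or later from RHSA-2022:2031 is installed.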

Comment 18 Simo Sorce 2021-10-27 16:53:44 UTC
Husam,
we might be able to provide it early via hotfix exception.

Comment 22 Simo Sorce 2021-11-10 17:13:09 UTC
Norbert,
can you provide a link to the RHEL 8.6 brew build with the fix?

Comment 23 Norbert Pócs 2021-11-11 07:16:40 UTC
(In reply to Simo Sorce from comment #22)
> Norbert,
> can you provide a link to the RHEL 8.6 brew build with the fix?

The build can be found here: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1786749

Comment 34 errata-xmlrpc 2022-05-10 15:21:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: libssh security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:2031

