In libssh before versions 0.10.5 and 0.9.7, a NULL pointer dereference during rekeying with algorithm guessing may lead to remote denial of service from authenticated clients.
Created libssh tracking bugs for this issue. Affects: epel-7 [bug 2196099]; Affects: fedora-all [bug 2196098]
There's no tracker for rhel-8.6.0.z, is it not getting fixed there? (see also https://bugzilla.redhat.com/show_bug.cgi?id=2182202#c5)
Correct. No plans to fix this yet in 8.6.z. This CVE affects SSH servers built with libssh. The client use in ansible is not affected, I believe. https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2023:3839: https://access.redhat.com/errata/RHSA-2023:3839
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-1667
This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2023:6643: https://access.redhat.com/errata/RHSA-2023:6643
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support. Via RHSA-2024:0538: https://access.redhat.com/errata/RHSA-2024:0538