{
  "document": {
    "aggregate_severity": {
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2023-6004: fix the possibility of injection through the hostname parameter\n  in the ProxyCommand/ProxyJump features\n- CVE-2023-6918: fix unchecked return values for digests, which may\n  cause DoS",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2024:1709547699",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2024:1709547699"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2024/clsa-2024_1709547699.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-12T21:36:34Z",
      "generator": {
        "date": "2026-05-12T21:36:34Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2024:1709547699",
      "initial_release_date": "2024-03-04T05:21:42Z",
      "revision_history": [
        {
          "date": "2024-03-04T05:21:42Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-12T21:36:34Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "libssh: Fix of 2 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64",
                  "product_id": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh-devel@0.10.4-8.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
                  "product_id": "libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh@0.10.4-8.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
                "product": {
                  "name": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
                  "product_id": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh-devel@0.10.4-8.el9.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
                "product": {
                  "name": "libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
                  "product_id": "libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh@0.10.4-8.el9.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
                "product": {
                  "name": "libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
                  "product_id": "libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh-config@0.10.4-8.el9.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686"
        },
        "product_reference": "libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh-0:0.10.4-8.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.i686"
        },
        "product_reference": "libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch"
        },
        "product_reference": "libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-6004",
      "cwe": {
        "id": "CWE-74",
        "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libssh. When the ProxyCommand or ProxyJump feature is used, the hostname syntax is not checked on the client. This issue may allow an attacker to inject malicious code into the command run by these features through the hostname parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
          "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-6004"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:2504",
          "url": "https://access.redhat.com/errata/RHSA-2024:2504"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:3233",
          "url": "https://access.redhat.com/errata/RHSA-2024:3233"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2023-6004",
          "url": "https://access.redhat.com/security/cve/CVE-2023-6004"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2251110",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251110"
        },
        {
          "category": "external",
          "summary": "https://www.libssh.org/security/advisories/CVE-2023-6004.txt",
          "url": "https://www.libssh.org/security/advisories/CVE-2023-6004.txt"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20240223-0004/",
          "url": "https://security.netapp.com/advisory/ntap-20240223-0004/"
        }
      ],
      "release_date": "2024-01-03T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-04T05:21:42Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2024:1709547699",
          "product_ids": [
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2024:1709547699"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2023-6918",
      "cwe": {
        "id": "CWE-252",
        "name": "Unchecked Return Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libssh's abstraction layer for message digest (MD) operations, which are implemented by the different supported crypto backends. The return values from these operations were not properly checked, which could cause failures in low-memory situations, NULL dereferences, crashes, or use of uninitialized memory as input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
          "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-6918"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:2504",
          "url": "https://access.redhat.com/errata/RHSA-2024:2504"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:3233",
          "url": "https://access.redhat.com/errata/RHSA-2024:3233"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2023-6918",
          "url": "https://access.redhat.com/security/cve/CVE-2023-6918"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2254997",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254997"
        },
        {
          "category": "external",
          "summary": "https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/",
          "url": "https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.libssh.org/security/advisories/CVE-2023-6918.txt",
          "url": "https://www.libssh.org/security/advisories/CVE-2023-6918.txt"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20250214-0009/",
          "url": "https://security.netapp.com/advisory/ntap-20250214-0009/"
        }
      ],
      "release_date": "2023-12-19T00:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-04T05:21:42Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2024:1709547699",
          "product_ids": [
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2024:1709547699"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-0:0.10.4-8.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:libssh-config-0:0.10.4-8.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:libssh-devel-0:0.10.4-8.el9.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}