CVE-2020-1730 - log back

CVE-2020-1730 edited at 09 Apr 2020 10:23:02
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A malicious client or server could crash the counterpart implemented with libssh before 0.9.4. When AES-CTR ciphers are negotiated but not fully initialized, libssh crashes when it tries to clean up the AES-CTR cipher state while closing the connection.
References
+ https://www.libssh.org/security/advisories/CVE-2020-1730.txt
+ https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.9&id=958afb1c6ad671fe2a8d671702a88843bb78fc38
Notes
+ Workaround: Disable AES-CTR ciphers. If you implement a server using libssh, we advise using a prefork model so that each session runs in its own process. If you have implemented your server this way, this is not really an issue: the client will only kill its own connection.
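The workaround above says to disable AES-CTR; in libssh that means handing the session (or the server bind object) a cipher preference list that no longer contains aes128-ctr, aes192-ctr or aes256-ctr. The following is an added example, not code from libssh or from this tracker entry: it filters every AES-CTR entry out of a comma-separated cipher list so the result can be passed to libssh. The cipher list is a constructed sample modelled on libssh 0.9's defaults, and the option names mentioned in the comments (SSH_OPTIONS_CIPHERS_C_S, SSH_OPTIONS_CIPHERS_S_C, SSH_BIND_OPTIONS_CIPHERS_C_S, SSH_BIND_OPTIONS_CIPHERS_S_C) are given from memory of the libssh API; verify them against the libssh.h and server.h shipped with your version.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample preference list in libssh's comma-separated syntax,
 * modelled on the 0.9 defaults. Your build's actual default may differ. */
static const char kSampleCipherList[] =
    "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
    "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr";

/* Return 1 if the algorithm name name[0..len) is an AES-CTR cipher
 * (aes<bits>-ctr), the family this advisory says to disable. */
int is_aes_ctr(const char *name, size_t len)
{
    return len > 7 && strncmp(name, "aes", 3) == 0 &&
           strncmp(name + len - 4, "-ctr", 4) == 0;
}

/* Copy the comma-separated list `in` into `out` (capacity outlen), dropping
 * every AES-CTR entry and preserving the order of the remaining ones.
 * Returns the number of entries kept, or -1 if `out` is too small. */
int strip_aes_ctr(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    int kept = 0;
    const char *p = in;

    if (outlen == 0)
        return -1;
    out[0] = '\0';

    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);

        if (len > 0 && !is_aes_ctr(p, len)) {
            size_t need = len + (kept ? 1 : 0); /* separator + name */
            if (used + need + 1 > outlen)       /* +1 for the NUL */
                return -1;
            if (kept)
                out[used++] = ',';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        if (!comma)
            break;
        p = comma + 1;
    }
    return kept;
}

/* Convenience wrapper: the sample list with AES-CTR removed, or NULL on error. */
const char *hardened_cipher_list(void)
{
    static char buf[256];
    if (strip_aes_ctr(kSampleCipherList, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    const char *list = hardened_cipher_list();
    if (list == NULL) {
        fputs("cipher list buffer too small\n", stderr);
        return 1;
    }
    printf("ciphers without AES-CTR: %s\n", list);

    /* Assumed libssh calls (verify the option names against your headers).
     * Client side, both directions:
     *   ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, list);
     *   ssh_options_set(session, SSH_OPTIONS_CIPHERS_S_C, list);
     * Server side, on the ssh_bind object before ssh_bind_accept():
     *   ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_CIPHERS_C_S, list);
     *   ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_CIPHERS_S_C, list); */
    return 0;
}
```

Set the list for both directions; restricting only one leaves the peer free to negotiate an AES-CTR cipher for the other. If a client can still negotiate aes*-ctr after this change, the list was applied to the wrong session object or after key exchange had already started, so check the negotiated algorithm names (libssh exposes them through ssh_get_cipher_in() and ssh_get_cipher_out() in recent versions; treat those names as an assumption to verify as well).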
CVE-2020-1730 created at 09 Apr 2020 10:16:13