libssh 0.7.3 (security and bugfix release)

[Andreas Schneider <asn@xxxxxxxxxxxxxx>]

This is an important SECURITY and maintenance release in order to address 
CVE-2016-0739 – Bits/bytes confusion resulting in truncated Difffie-Hellman 
secret length.

libssh versions 0.1 and above have a bits/bytes confusion bug and generate the 
an anormaly short ephemeral secret for the diffie-hellman-group1 and diffie-
hellman-group14 key exchange methods.
The resulting secret is 128 bits long, instead of the recommended sizes of 
1024 and 2048 bits respectively. There are practical algorithms (Baby 
steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) 
operations.

Both client and server are are vulnerable, pre-authentication. This 
vulnerability could be exploited by an eavesdropper with enough resources to 
decrypt or intercept SSH sessions. The bug was found during an internal code 
review by Aris Adamantiadis of the libssh team.

Workaround
===========

This issue may be worked around by using other key exchange methods, such as 
curve25519-sha256@xxxxxxxxxx or ecdh-sha2-nistp256, both are not vulnerable. 
By default, an unpatched libssh implementation will already attempt to use 
these two more secure methods when supported by the other party.


You can download libssh 0.7.3 here:
https://red.libssh.org/projects/libssh/files

-- 
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                asn@xxxxxxxxxxxxxx