{"id":"MGASA-2014-0119","summary":"Updated libssh package fixes security vulnerability","details":"When using libssh before 0.6.3, a libssh-based server, when accepting a\nnew connection, forks and the child process handles the request. The\nRAND_bytes() function of openssl doesn't reset its state after the fork,\nbut simply adds the current process id (getpid) to the PRNG state, which\nis not guaranteed to be unique. The most important consequence is that\nservers using EC (ECDSA) or DSA certificates may under certain conditions\nleak their private key (CVE-2014-0017).\n","modified":"2026-02-04T03:50:21.944580Z","published":"2014-03-05T23:17:12Z","related":["CVE-2014-0017"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0119.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=12942"},{"type":"REPORT","url":"http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0017"}],"affected":[{"package":{"name":"libssh","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/libssh?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.5.4-1.1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0119.json"}},{"package":{"name":"libssh","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/libssh?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.5.5-2.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0119.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}