Arch Linux Security Advisory ASA-201501-12 ========================================== Severity: Medium Date : 2015-01-19 CVE-ID : CVE-2014-8132 Package : libssh Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package libssh before version 0.6.4-1 is vulnerable to denial of service. Resolution ========== Upgrade to 0.6.4-1. # pacman -Syu "libssh>=0.6.4-1" The problem has been fixed upstream in version 0.6.4. Workaround ========== None. Description =========== It was discovered that a double free vulnerability in the ssh_packet_kexinit function in kex.c allows remote attackers to cause a denial of service via a crafted kexinit packet. Impact ====== A remote attacker is able to send a specially crafted kexinit packet causing libssh to crash, resulting in a denial of service. References ========== https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8132 https://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8132