Daily Archives: August 13, 2015

OpenSSH Releases v7.0 To Patch Security Issues

OpenSSH has released v7.0 of their popular SSH implementation. This version resolves 2 issues (1x use-after-free (defined) and 1x privilege separation weakness) in the portable version of OpenSSH and 2 further issues in the standard version.

Of the 2 remaining issues, one is a fix for the issue that I previously discussed regarding how keyboard-interactive logins can be used misused to brute-force your password. The remaining issue involves resolving an issue that could allow local attackers to write arbitrary messages to logged-in users.

Another change in this new release of OpenSSH is that this release also resolves the Logjam security issue by rejecting 1024-bit diffie hellman key exchanges.

You can install this update by using your Linux package manager to download the necessary files for your version of OpenSSH. Steps to do this for popular Linux distributions are provided on the “Protecting Your PC” of this blog. Additionally this FAQ (from the OpenBSD website) may be of assistance.

If you use OpenSSH, please install the appropriate update when you can. If OpenSSH is installed on a critical production system or systems that contain your critical data, please back up your data before installing this update in order to prevent data loss in the rare event that an update causes unexpected issues.

Thank you.

Wireshark Releases Security Update

Yesterday the Wireshark Foundation released an update for Wireshark (version 1.12.7) that includes fixes for software bugs and security issues (9 security issues resolved, no CVEs yet assigned).

For Linux distributions updates can be obtained using the operating systems standard package manager (if the latest version is not installed automatically you can instead compile the source code). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system. For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

If you use Wireshark, please install the appropriate update when you can. If Wireshark is installed on a critical production system or systems that contain your critical data, please back up your data before installing this update in order to prevent data loss in the rare event that an update causes unexpected issues.

Thank you.