I ran a quick SFTP performance test with #curl built to use #libssh 0.11.1 vs one built that uses #libssh2 1.11.1 over a 400ms latency connection.
One of them managed to perform this at 1049K/sec, the other reached only 249K/sec.
And the winner is...
libssh2
Funny detail: I sped it up for this kind of use case **fifteen years ago** and blogged about it: https://daniel.haxx.se/blog/2010/12/08/making-sftp-transfers-fast/
Guile-SSH 0.18.0 released:
https://github.com/artyom-poptsov/guile-ssh/releases/tag/v0.18.0
It seems that I fixed Guile-SSH build with libssh 0.11. The changes are on the "master" branch and will be in included in the next release.
GitHub CI job shows that everything builds fine as well. I'm using GNU Guix to test Guile-SSH against libssh 0.11, so likely if it builds on my machine this way then it builds on others. Nevertheless if you'll experience any Guile-SSH errors please report them to me.
The libssh team is proud to announce the release of libssh version 0.11.0. This latest version brings exciting new features such as better async SFTP IO, PKCS#11 provider support for OpenSSL 3.0, testing for GSSAPI authentication, and proxy jump, along with many other enhancements and features. More at: https://www.libssh.org/2024/08/08/libssh-0-11-0-release/ #libssh #ssh
"🚨 Alert: CVE-2023-2283 - F5 Networks Vulnerability 🛡️"
A medium vulnerability found in libssh, CVE-2023-2283, impacts F5 Networks, posing a medium severity threat (CVSS 4.8). It affects BIG-IP products and allows unauthorized SSH sessions due to a flaw in libssh. This vulnerability highlights the importance of rigorous memory management and authentication checks in network security protocols. Immediate patching is advised to prevent potential breaches.
A vulnerability was discovered in libssh, where the authentication check of the connecting client can be bypassed in the pki_verify_data_signature function due to memory allocation issues. This issue may occur if there is insufficient memory or if memory usage is limited. The problem is caused by the return value rc, which is initialized to SSH_ERROR and later overwritten to store the return value of the function call pki_key_check_hash_compatible. The value of the variable is not altered between this point and the cryptographic verification. Therefore, any error occurring between these calls triggers goto error, resulting in a return of SSH_OK. This mistake makes it easier for unauthorized users to gain access.
Stay vigilant and secure your systems! 🚀🔐
Tags: #CyberSecurity #Vulnerability #CVE2023 #F5Networks #PatchNow #NetworkSecurity #SSH #Libssh
For an in-depth analysis, refer to the detailed bulletin here.
#libssh had a successful summer of code. We will get two new nice features in libssh, more details:
https://www.libssh.org/2023/09/07/wrapping-up-2023-gsoc/
@campuscodi: A few notes and thoughts on CVE-2023-2283 in #libssh:
* libssh (libssh-4 in Debian and derivatives) ≠ libssh2 (libssh2-1 in Debian and derivatives)
* Obviously only servers using libssh to let users log in should be affected by any authentication bypass. Most libssh reverse dependencies though seem to be client-side applications.
The only potential libssh server-side reverse dependencies I found so far are:
* #cryptsetup-ssh
* #tmate-ssh-server
* maybe #cockpit-bridge
I've just bumped the copyright year in the https://libssh.org header file. #libssh is getting 20 years old this year!
I'm proud to announce the release of #libssh 0.9.0 with a lot of new features (AES-GCM, ETM, FIPS, ...), improvements and bug fixes. We also improved our test infrastructure to avoid introducing regressions. Learn more about it at: https://www.libssh.org/2019/06/28/libssh-0-9-0/
Ma (modeste) contribution à #libssh a été acceptée. Le build system vient de prendre un petit coup de jeune
https://git.libssh.org/projects/libssh.git/commit/?id=aa899f
#libssh : une vulnérabilité pour vous laisser entrer #zdnet https://www.zdnet.fr/actualites/libssh-une-vulnerabilite-pour-vous-laisser-entrer-39875281.htm
In the spirit of the occasion #pictureoftheday #infosec #libssh 😂
#LibSSH vulnerable to an attack where the actor sends a successful #authentication message to the server instead of sending an authentication request. #GitHub are not affected apparently. Neither is the famous #OpenSSH. Rest easy folks #infosec #security
https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/
'17 Oct 2018 08:39:13' #libssh fix (against CVE-2018-10933) landed in #FreeBSD https://www.freshports.org/security/libssh/
I wonder how many things utilize this ssh library? #libssh "libssh versions 0.6 and above have an authentication bypass vulnerability in the server code."
https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
I've just relased #libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
