{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu16.04els/vex/2023/cve-2023-6918-els_os-ubuntu16_04els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-13T14:57:40Z",
      "generator": {
        "date": "2026-06-13T14:57:40Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2023-6918-ELS_OS-UBUNTU16.04ELS",
      "initial_release_date": "2023-12-19T00:15:00Z",
      "revision_history": [
        {
          "date": "2023-12-19T00:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-11-29T17:56:41Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2025-12-23T22:15:38Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-06-13T14:57:40Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    },
    "title": "Security update on CVE-2023-6918"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Ubuntu 16.04",
                "product": {
                  "name": "Ubuntu 16.04",
                  "product_id": "Ubuntu-16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Ubuntu"
          }
        ],
        "category": "vendor",
        "name": "Canonical Ltd."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
                "product": {
                  "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
                  "product_id": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1@1.5.0-2ubuntu0.1%2Btuxcare.els1?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
                "product": {
                  "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
                  "product_id": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1-dev@1.5.0-2ubuntu0.1%2Btuxcare.els1?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
                "product": {
                  "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
                  "product_id": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1-dev@1.5.0-2ubuntu0.1%2Btuxcare.els3?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
                "product": {
                  "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
                  "product_id": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1-dev@1.5.0-2ubuntu0.1%2Btuxcare.els5?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
                "product": {
                  "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
                  "product_id": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1-dev@1.5.0-2ubuntu0.1%2Btuxcare.els4?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
                "product": {
                  "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
                  "product_id": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1@1.5.0-2ubuntu0.1%2Btuxcare.els4?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
                "product": {
                  "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
                  "product_id": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1@1.5.0-2ubuntu0.1%2Btuxcare.els3?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
                "product": {
                  "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
                  "product_id": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/libssh2-1@1.5.0-2ubuntu0.1%2Btuxcare.els5?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64"
        },
        "product_reference": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64"
        },
        "product_reference": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64"
        },
        "product_reference": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64"
        },
        "product_reference": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64"
        },
        "product_reference": "libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64"
        },
        "product_reference": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64"
        },
        "product_reference": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64"
        },
        "product_reference": "libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-6918",
      "cwe": {
        "id": "CWE-252",
        "name": "Unchecked Return Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libssh's abstraction layer for message digest (MD) operations, which are implemented by the different supported crypto backends. The return values from these operations were not properly checked, which could cause failures in low-memory situations, NULL dereferences, crashes, or use of uninitialized memory as input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        },
        {
          "category": "other",
          "text": "TuxCare has assessed that this vulnerability does not impact any currently supported TuxCare products. This evaluation may change as new information becomes available. For additional details regarding this vulnerability and affected products, refer to the provided references.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
          "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
          "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
          "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
          "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
          "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
          "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
          "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-6918"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:2504",
          "url": "https://access.redhat.com/errata/RHSA-2024:2504"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:3233",
          "url": "https://access.redhat.com/errata/RHSA-2024:3233"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2023-6918",
          "url": "https://access.redhat.com/security/cve/CVE-2023-6918"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2254997",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254997"
        },
        {
          "category": "external",
          "summary": "https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/",
          "url": "https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.libssh.org/security/advisories/CVE-2023-6918.txt",
          "url": "https://www.libssh.org/security/advisories/CVE-2023-6918.txt"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20250214-0009/",
          "url": "https://security.netapp.com/advisory/ntap-20250214-0009/"
        }
      ],
      "release_date": "2023-12-19T00:15:00Z",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        },
        {
          "category": "impact",
          "date": "2026-06-12T12:58:32.808590Z",
          "details": "Not affected: CVE-2023-6918 targets libssh’s message-digest abstraction and applies to libssh versions prior to 0.10.6 (and 0.9.x prior to 0.9.8), not libssh2. Libssh and libssh2 are separate libraries with different codebases; the vulnerable libssh MD abstraction does not exist in libssh2. Since the environment uses libssh2 1.5.0, the vulnerable code path is absent and this CVE is not applicable.",
          "product_ids": [
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
            "Ubuntu-16:libssh2-1-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els1.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els3.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els4.amd64",
            "Ubuntu-16:libssh2-1-dev-0:1.5.0-2ubuntu0.1+tuxcare.els5.amd64"
          ]
        }
      ]
    }
  ]
}