Hey folks, thought I’d share this vulnerability here as I know many of you manage a lot of servers for yourselves and clients. The fix will landing in all the main distros soon
This is an important security and maintenance release in order to address CVE-2018-10933.
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
Track CVE-2018-10933 for your distro.