ELA-186-1 libssh2 security update

denial-of-service

2019-11-04
Packagelibssh2
Version1.4.2-1.1+deb7u8
Related CVE CVE-2019-17498

In libssh2, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

For Debian 7 Wheezy, these problems have been fixed in version 1.4.2-1.1+deb7u8.

We recommend that you upgrade your libssh2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/