Source: libssh2
Version: 1.8.0-2
Severity: grave
Tags: security upstream
Control: found -1 1.7.0-1

Hi,

The following vulnerabilities were published for libssh2.

CVE-2019-3855[0]:
Possible integer overflow in transport read allows out-of-bounds write

CVE-2019-3856[1]:
|Possible integer overflow in keyboard interactive handling allows
|out-of-bounds write

CVE-2019-3857[2]:
|Possible integer overflow leading to zero-byte allocation and
|out-of-bounds write

CVE-2019-3858[3]:
Possible zero-byte allocation leading to an out-of-bounds read

CVE-2019-3859[4]:
|Out-of-bounds reads with specially crafted payloads due to unchecked
|use of `_libssh2_packet_require` and `_libssh2_packet_requirev`

CVE-2019-3860[5]:
Out-of-bounds reads with specially crafted SFTP packets

CVE-2019-3861[6]:
Out-of-bounds reads with specially crafted SSH packets

CVE-2019-3862[7]:
Out-of-bounds memory comparison

CVE-2019-3863[8]:
|Integer overflow in user authenticate keyboard interactive allows
|out-of-bounds writes

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3855
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855
[1] https://security-tracker.debian.org/tracker/CVE-2019-3856
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856
[2] https://security-tracker.debian.org/tracker/CVE-2019-3857
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857
[3] https://security-tracker.debian.org/tracker/CVE-2019-3858
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858
[4] https://security-tracker.debian.org/tracker/CVE-2019-3859
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859
[5] https://security-tracker.debian.org/tracker/CVE-2019-3860
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860
[6] https://security-tracker.debian.org/tracker/CVE-2019-3861
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861
[7] https://security-tracker.debian.org/tracker/CVE-2019-3862
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
[8] https://security-tracker.debian.org/tracker/CVE-2019-3863
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863

Regards,
Salvatore
