Your message dated Wed, 03 Apr 2019 04:33:39 +0000
with message-id <e1hbxal-000csp...@fasolo.debian.org>
and subject line Bug#924965: fixed in libssh2 1.8.0-2.1
has caused the Debian Bug report #924965,
regarding libssh2: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924965
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libssh2
Version: 1.8.0-2
Severity: grave
Tags: security upstream
Control: found -1 1.7.0-1

Hi,

The following vulnerabilities were published for libssh2.

CVE-2019-3855[0]:
Possible integer overflow in transport read allows out-of-bounds write

CVE-2019-3856[1]:
|Possible integer overflow in keyboard interactive handling allows
|out-of-bounds write

CVE-2019-3857[2]:
|Possible integer overflow leading to zero-byte allocation and
|out-of-bounds write

CVE-2019-3858[3]:
Possible zero-byte allocation leading to an out-of-bounds read

CVE-2019-3859[4]:
|Out-of-bounds reads with specially crafted payloads due to unchecked
|use of `_libssh2_packet_require` and `_libssh2_packet_requirev`

CVE-2019-3860[5]:
Out-of-bounds reads with specially crafted SFTP packets

CVE-2019-3861[6]:
Out-of-bounds reads with specially crafted SSH packets

CVE-2019-3862[7]:
Out-of-bounds memory comparison

CVE-2019-3863[8]:
|Integer overflow in user authenticate keyboard interactive allows
|out-of-bounds writes

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3855
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855
[1] https://security-tracker.debian.org/tracker/CVE-2019-3856
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856
[2] https://security-tracker.debian.org/tracker/CVE-2019-3857
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857
[3] https://security-tracker.debian.org/tracker/CVE-2019-3858
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858
[4] https://security-tracker.debian.org/tracker/CVE-2019-3859
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859
[5] https://security-tracker.debian.org/tracker/CVE-2019-3860
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860
[6] https://security-tracker.debian.org/tracker/CVE-2019-3861
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861
[7] https://security-tracker.debian.org/tracker/CVE-2019-3862
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
[8] https://security-tracker.debian.org/tracker/CVE-2019-3863
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863

Regards,
Salvatore

--- End Message ---
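The integer-overflow and zero-byte-allocation bug class named in the report above (CVE-2019-3855, CVE-2019-3857, CVE-2019-3858), shown as an added illustrative example in C; this is constructed here and is not libssh2's code. It assumes the SSH wire encoding of a "string" (4-byte big-endian length followed by the bytes) and shows the wrapping arithmetic beside a parser that validates the declared length before allocating.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* Decode a 4-byte big-endian length (constructed helper, not libssh2 code). */
static uint32_t rd_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: an allocation size derived by adding a fixed header to
 * an untrusted 32-bit length. For len = 0xFFFFFFFC the sum wraps to 0, so a
 * malloc(0) succeeds and a later copy of len bytes writes out of bounds.
 * Only the arithmetic is shown here; nothing is allocated or copied. */
uint32_t unchecked_alloc_size(uint32_t len)
{
    return len + 4;
}

/* Hardened parser: check the declared length against the bytes actually
 * present before any arithmetic that could wrap and before allocating.
 * Returns a malloc'd copy of the string (caller frees) and sets *out_len,
 * or NULL if the field is truncated or the length is inconsistent. */
unsigned char *read_ssh_string(const unsigned char *buf, size_t buflen,
                               size_t *offset, uint32_t *out_len)
{
    if (*offset > buflen || buflen - *offset < 4)
        return NULL;                         /* no complete length field */
    uint32_t len = rd_u32(buf + *offset);
    size_t remaining = buflen - *offset - 4; /* cannot underflow: checked above */
    if (len > remaining)
        return NULL;                         /* declared length exceeds payload */
    unsigned char *s = malloc(len ? len : 1); /* never request a 0-byte block */
    if (!s)
        return NULL;
    memcpy(s, buf + *offset + 4, len);
    *offset += 4 + (size_t)len;
    *out_len = len;
    return s;
}
```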
--- Begin Message ---
Source: libssh2
Source-Version: 1.8.0-2.1

We believe that the bug you reported is fixed in the latest version of
libssh2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libssh2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 31 Mar 2019 16:06:20 +0200
Source: libssh2
Architecture: source
Version: 1.8.0-2.1
Distribution: unstable
Urgency: high
Maintainer: Mikhail Gusarov <dotted...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 924965
Changes:
 libssh2 (1.8.0-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Possible integer overflow in transport read allows out-of-bounds write
     (CVE-2019-3855) (Closes: #924965)
   * Possible integer overflow in keyboard interactive handling allows
     out-of-bounds write (CVE-2019-3856) (Closes: #924965)
   * Possible integer overflow leading to zero-byte allocation and
     out-of-bounds write (CVE-2019-3857) (Closes: #924965)
   * Possible zero-byte allocation leading to an out-of-bounds read
     (CVE-2019-3858) (Closes: #924965)
   * Out-of-bounds reads with specially crafted payloads due to unchecked use
     of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859)
     (Closes: #924965)
   * Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
     (Closes: #924965)
   * Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
     (Closes: #924965)
   * Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965)
   * Integer overflow in user authenticate keyboard interactive allows
     out-of-bounds writes (CVE-2019-3863) (Closes: #924965)
   * Fixed misapplied patch for user auth.
   * moved MAX size declarations
Checksums-Sha1:
 ea52c0c9ea4070938837edf966b0556c94c20a13 1958 libssh2_1.8.0-2.1.dsc
 dd1c81a0565ec7a0db13379640b7f517736666dc 13988 libssh2_1.8.0-2.1.debian.tar.xz
Checksums-Sha256:
 33f070a4a32db5d3952457986d8f80c9cf874dd144d81f5bce062171564b35d9 1958 libssh2_1.8.0-2.1.dsc
 e3c34166cddaba7f2162132ef4f4bdc1490c499ee6610bde81f773adef43489e 13988 libssh2_1.8.0-2.1.debian.tar.xz
Files:
 f61a7eb27d62cf3092298e96022b2db6 1958 libs optional libssh2_1.8.0-2.1.dsc
 9431d1061db4430c603b9eab82c17130 13988 libs optional libssh2_1.8.0-2.1.debian.tar.xz


--- End Message ---
