Name        : libssh2
Product     : Fedora 28
Version     : 1.8.1
Release     : 1.fc28
URL         : http://www.libssh2.org/
Summary     : A library implementing the SSH2 protocol
Description :
libssh2 is a library implementing the SSH2 protocol as defined by
Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25),
SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*,
SECSH-DHGEX(04), and SECSH-NUMBERS(10).

This update addresses various overflow conditions that could result in
possible out-of-bounds memory reads or writes, or zero-byte allocations,
when connected to a malicious server.

-------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 19 2019 Paul Howarth <paul@city-fan.org> - 1.8.1-1
- Update to 1.8.1
  - Fixed possible integer overflow when reading a specially crafted packet
    (CVE-2019-3855)
  - Fixed possible integer overflow in userauth_keyboard_interactive with a
    number of extremely long prompt strings (CVE-2019-3863)
  - Fixed possible integer overflow if the server sent an extremely large
    number of keyboard prompts (CVE-2019-3856)
  - Fixed possible out of bounds read when processing a specially crafted
    packet (CVE-2019-3861)
  - Fixed possible integer overflow when receiving a specially crafted exit
    signal message channel packet (CVE-2019-3857)
  - Fixed possible out of bounds read when receiving a specially crafted exit
    status message channel packet (CVE-2019-3862)
  - Fixed possible zero byte allocation when reading a specially crafted SFTP
    packet (CVE-2019-3858)
  - Fixed possible out of bounds reads when processing specially crafted SFTP
    packets (CVE-2019-3860)
  - Fixed possible out of bounds reads in _libssh2_packet_require(v)
    (CVE-2019-3859)
- Fix mis-applied patch in the fix of CVE-2019-3859
  - https://github.com/libssh2/libssh2/issues/325
  - https://github.com/libssh2/libssh2/pull/327

* Mon Feb 4 2019 Paul Howarth <paul@city-fan.org> - 1.8.0-10
- Explicitly run the test suite in the en_US.UTF-8 locale to work around flaky
  locale settings in mock builders

* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

-------------------------------------------------------------------------------
References: