Lucene search

DebianDEBIAN:DLA-1730-3:1714C

HistoryJul 25, 2019 - 6:35 p.m.

[SECURITY] [DLA 1730-3] libssh2 regression update

2019-07-2518:35:51

lists.debian.org

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

0.003 Low

EPSS

Percentile

68.8%

JSON

Package : libssh2
Version : 1.4.3-4.1+deb8u4
CVE ID : CVE-2019-3859 CVE-2019-13115

Various security problems have been additionally fixed in libssh2, an SSH
client implementation written in C++.

CVE-2019-3859

While investigating the impact of CVE-2019-13115 in Debian jessie&#x27;s
version of libssh2, it was discovered that issues around
CVE-2019-3859 had not been fully resolved in Debian jessie&#x27;s version
of libssh2. A thorough manual (read, analyze, and copy code changes
if needed) comparison of upstream code and code in Debian jessie&#x27;s
version of libssh2 was done and various more boundary checks and
integer overflow protections got added to the package.

CVE-2019-13115

Kevin Backhouse from semmle.com discovered that initial fixes for the
CVE series CVE-2019-3855 - 2019-3863 introduced several regressions
about signedness of length return values into the upstream code.
While working on the CVE-2019-3859 update mentioned above, it was
paid attention to not introduce these upstream regression registered
as CVE-2019-13115.

For Debian 8 "Jessie", these problems have been fixed in version
1.4.3-4.1+deb8u4.

We recommend that you upgrade your libssh2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

–

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net

Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian10armhflibssh2-1-dev< 1.8.0-2.1+deb10u1libssh2-1-dev_1.8.0-2.1+deb10u1_armhf.deb
Debian9armellibssh2-1< 1.7.0-1+deb9u2libssh2-1_1.7.0-1+deb9u2_armel.deb
Debian9armellibssh2-1-dev< 1.7.0-1+deb9u2libssh2-1-dev_1.7.0-1+deb9u2_armel.deb
Debian9amd64libssh2-1-dbg< 1.7.0-1+deb9u2libssh2-1-dbg_1.7.0-1+deb9u2_amd64.deb
Debian8alllibssh2< 1.4.3-4.1+deb8u4libssh2_1.4.3-4.1+deb8u4_all.deb
Debian8armellibssh2-1-dev< 1.4.3-4.1+deb8u4libssh2-1-dev_1.4.3-4.1+deb8u4_armel.deb
Debian9arm64libssh2-1-dbg< 1.7.0-1+deb9u2libssh2-1-dbg_1.7.0-1+deb9u2_arm64.deb
Debian9armellibssh2-1-dbg< 1.7.0-1+deb9u2libssh2-1-dbg_1.7.0-1+deb9u2_armel.deb
Debian8amd64libssh2-1-dbg< 1.4.3-4.1+deb8u4libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb
Debian10i386libssh2-1< 1.8.0-2.1+deb10u1libssh2-1_1.8.0-2.1+deb10u1_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	armhf	libssh2-1-dev	< 1.8.0-2.1+deb10u1	libssh2-1-dev_1.8.0-2.1+deb10u1_armhf.deb
Debian	9	armel	libssh2-1	< 1.7.0-1+deb9u2	libssh2-1_1.7.0-1+deb9u2_armel.deb
Debian	9	armel	libssh2-1-dev	< 1.7.0-1+deb9u2	libssh2-1-dev_1.7.0-1+deb9u2_armel.deb
Debian	9	amd64	libssh2-1-dbg	< 1.7.0-1+deb9u2	libssh2-1-dbg_1.7.0-1+deb9u2_amd64.deb
Debian	8	all	libssh2	< 1.4.3-4.1+deb8u4	libssh2_1.4.3-4.1+deb8u4_all.deb
Debian	8	armel	libssh2-1-dev	< 1.4.3-4.1+deb8u4	libssh2-1-dev_1.4.3-4.1+deb8u4_armel.deb
Debian	9	arm64	libssh2-1-dbg	< 1.7.0-1+deb9u2	libssh2-1-dbg_1.7.0-1+deb9u2_arm64.deb
Debian	9	armel	libssh2-1-dbg	< 1.7.0-1+deb9u2	libssh2-1-dbg_1.7.0-1+deb9u2_armel.deb
Debian	8	amd64	libssh2-1-dbg	< 1.4.3-4.1+deb8u4	libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb
Debian	10	i386	libssh2-1	< 1.8.0-2.1+deb10u1	libssh2-1_1.8.0-2.1+deb10u1_i386.deb