curl: libssh SFTP initialization ignores CURLOPT_TIMEOUT, hangs indefinitely

Hi all, The libssh backend in lib/vssh/libssh.c ignores CURLOPTTIMEOUT / --max-time during SFTP subsystem negotiation. A server that completes SSH authentication and then stalls before answering the SSHFXPINIT packet will pin the curl process indefinitely — no timeout fires, no error is returned,...

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via CURLSSHAUTHAGENT flag for public key authentication. An attacker can gain unauthorized access by leveraging a locally running SSH agent to bypass the intended key passphrase requirement. Note: This issue...