Subject: Re: libssh2 V1.9.0 vulnerability CVE-2019-17498

Re: libssh2 V1.9.0 vulnerability CVE-2019-17498

From: Micka <mickamusset_at_gmail.com>
Date: Thu, 11 Mar 2021 19:28:26 +0100

I found this patch :

https://github.com/Cisco-Talos/clamav-mussels-cookbook/blob/master/recipes/libssh2-1.9-patches/CVE-2019-17498-integer-overflow.patch

(not mine)

Le jeu. 11 mars 2021 à 18:49, Sarathe, Omprakash <
omprakash.sarathe_at_siemens.com> a écrit :

> Hi All,
>
>
>
> As per *CVE-2019-17498* there is a vulnerability with libssh2 version
> 1.9.0(Please see below more detail). Can you please confirm the official
> release date of libssh2 having *CVE-2019-17498* vulnerability fix.
>
>
>
>
>
> CVE-2019-17498
>
> *In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
> packet.c has an integer overflow in a bounds check, enabling an attacker to
> specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A
> crafted SSH server may be able to disclose sensitive information or cause a
> denial of service condition on the client system when a user connects to
> the server.*
>
>
>
>
>
> With Best Regards
>
> Omprakash
>
>
> _______________________________________________
> libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
>

_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2021-03-11