And already committed on the master branch :
https://github.com/libssh2/libssh2/pull/402
I hope that one day there will be an official release :)
Micka,
Le jeu. 11 mars 2021 à 19:28, Micka <mickamusset_at_gmail.com> a écrit :
> I found this patch :
>
>
> https://github.com/Cisco-Talos/clamav-mussels-cookbook/blob/master/recipes/libssh2-1.9-patches/CVE-2019-17498-integer-overflow.patch
>
> (not mine)
>
> Le jeu. 11 mars 2021 à 18:49, Sarathe, Omprakash <
> omprakash.sarathe_at_siemens.com> a écrit :
>
>> Hi All,
>>
>>
>>
>> As per *CVE-2019-17498* there is a vulnerability with libssh2 version
>> 1.9.0(Please see below more detail). Can you please confirm the official
>> release date of libssh2 having *CVE-2019-17498* vulnerability fix.
>>
>>
>>
>>
>>
>> CVE-2019-17498
>>
>> *In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
>> packet.c has an integer overflow in a bounds check, enabling an attacker to
>> specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A
>> crafted SSH server may be able to disclose sensitive information or cause a
>> denial of service condition on the client system when a user connects to
>> the server.*
>>
>>
>>
>>
>>
>> With Best Regards
>>
>> Omprakash
>>
>>
>> _______________________________________________
>> libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
>>
>
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2021-03-11