Updated libssh2 packages fix security vulnerability
Publication date: 30 Nov 2019Modification date: 30 Nov 2019
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-17498
Description
The updated packages fix a security vulnerability:
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
packet.c has an integer overflow in a bounds check, enabling an attacker
to specify an arbitrary (out-of-bounds) offset for a subsequent memory
read. A crafted SSH server may be able to disclose sensitive information
or cause a denial of service condition on the client system when a user
connects to the server. (CVE-2019-17498)
References
- https://bugs.mageia.org/show_bug.cgi?id=25704
- https://www.debian.org/lts/security/2019/dla-1991
- https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943562
- https://security-tracker.debian.org/tracker/CVE-2019-17498
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498
SRPMS
7/core
- libssh2-1.8.2-1.1.mga7