libssh2-1.8.0-3.el7

Errata ID: AXSA:2019-4034:04

Release date: 
Monday, August 19, 2019 - 14:51
Subject: 
libssh2-1.8.0-3.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The libssh2 packages provide a library that implements the SSH2 protocol.

The following packages have been upgraded to a later upstream version: libssh2 (1.8.0). (BZ#1592784)

Security Fix(es):

* libssh2: Zero-byte allocation with a specially crafted SFTP packet leading to an out-of-bounds read (CVE-2019-3858)

* libssh2: Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-3858
An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client memory.
CVE-2019-3861
An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client memory.
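
The class of length check that CVE-2019-3861 describes, shown as an added example (not libssh2 code and not the upstream patch). It validates the length fields of an unencrypted SSH binary packet as laid out in RFC 4253, section 6; `ssh_packet_parse`, `ssh_packet_view` and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unencrypted SSH binary packet (RFC 4253, section 6):
 *   uint32 packet_length | byte padding_length | payload | padding
 * packet_length covers padding_length (1 byte) + payload + padding. */
struct ssh_packet_view { const uint8_t *payload; size_t payload_len; };

/* Constructed samples: 7-byte payload, 4 bytes of padding, packet_length = 12. */
static const uint8_t SAMPLE_OK[16] =
    { 0, 0, 0, 12,  4,  21, 0, 0, 0, 0, 0, 0,  0xaa, 0xbb, 0xcc, 0xdd };
/* Same packet with padding_length set to 255, larger than packet_length. */
static const uint8_t SAMPLE_BAD_PAD[16] =
    { 0, 0, 0, 12,  255,  21, 0, 0, 0, 0, 0, 0,  0xaa, 0xbb, 0xcc, 0xdd };

static struct ssh_packet_view view;

/* Hypothetical helper, not a libssh2 function. Returns 0 and fills *out when
 * the length fields are consistent with buf_len, -1 otherwise. */
int ssh_packet_parse(const uint8_t *buf, size_t buf_len, struct ssh_packet_view *out)
{
    if (buf == NULL || out == NULL || buf_len < 5)
        return -1;
    uint32_t packet_length = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                             ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    uint32_t padding_length = buf[4];

    /* The declared packet must fit inside the bytes actually received. */
    if (packet_length > buf_len - 4)
        return -1;
    /* Without this check, packet_length - padding_length - 1 wraps around to a
     * huge unsigned value and later reads run past the end of the buffer. */
    if (padding_length + 1 > packet_length)
        return -1;
    /* RFC 4253 requires at least four bytes of padding. */
    if (padding_length < 4)
        return -1;

    out->payload = buf + 5;
    out->payload_len = packet_length - padding_length - 1;
    return 0;
}

int main(void)
{
    printf("ok packet:      %d\n", ssh_packet_parse(SAMPLE_OK, sizeof SAMPLE_OK, &view));
    printf("forged padding: %d\n", ssh_packet_parse(SAMPLE_BAD_PAD, sizeof SAMPLE_BAD_PAD, &view));
    return 0;
}
```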

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. libssh2-1.8.0-3.el7.src.rpm
    MD5: 9f1fe29dbcbb8f62a84c886127f16eb5
    SHA-256: 5a905b7d57e6a9005fc92e3258a805bd5b13a711be7290561c97e3c47a203d5e
    Size: 859.29 kB

Asianux Server 7 for x86_64
  1. libssh2-1.8.0-3.el7.x86_64.rpm
    MD5: 194571a3adab3aa03a4f17eee7eeb7f2
    SHA-256: 8477f5617709e868930e77298dc3361ad25fe1abe2f54fc17cdb96a0f0b8657e
    Size: 86.65 kB
  2. libssh2-1.8.0-3.el7.i686.rpm
    MD5: 2930f36589ad9e5eea699b43bbf7b879
    SHA-256: ecfe61cb6cf6f9519ef61066ca6994c85fcd7227a675b097cb147fd926a19193
    Size: 87.09 kB