ELA-186-1 libssh2 security update

denial-of-service

2019-11-04
Package: libssh2
Version: 1.4.2-1.1+deb7u8
Related CVEs: CVE-2019-17498


In libssh2, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
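The bug class the advisory describes, as an added illustration that is not libssh2's packet.c and does not reproduce its exact code: a length check on an SSH_MSG_DISCONNECT message written as a subtraction on an unsigned length, which wraps for short messages and lets an attacker-controlled description length pass, so the offset of the next field lands out of bounds. The field layout follows RFC 4253 section 11.1; the offsets, function names and the two sample messages are assumptions constructed for this example. The hardened parser beside it checks each length against the bytes that actually remain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * SSH_MSG_DISCONNECT wire layout (RFC 4253, section 11.1):
 *   byte    SSH_MSG_DISCONNECT (message number 1)
 *   uint32  reason code
 *   string  description   (uint32 length, then that many bytes)
 *   string  language tag  (uint32 length, then that many bytes)
 * Fixed fields total 1 + 4 + 4 + 4 = 13 bytes; description bytes start at
 * offset 9 and the language-tag length sits at 9 + desc_len.
 */
#define DESC_OFFSET 9u
#define FIXED_LEN   13u

struct disconnect {
    uint32_t reason;
    const unsigned char *desc;
    uint32_t desc_len;
    const unsigned char *lang;
    uint32_t lang_len;
};

static uint32_t rd_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Vulnerable pattern (illustrative, not libssh2's code): the check is
 * `desc_len < datalen - FIXED_LEN`. datalen is unsigned, so for
 * 9 <= datalen < 13 the subtraction wraps and any desc_len passes; the
 * caller would then read the language-tag length at data + 9 + desc_len,
 * an attacker-chosen out-of-bounds offset. This version only reports the
 * offset it would read from and never dereferences it.
 */
int disconnect_lang_offset_vulnerable(const unsigned char *data, size_t datalen,
                                      size_t *lang_off)
{
    if (datalen < DESC_OFFSET)
        return -1;
    uint32_t desc_len = rd_u32(data + 5);
    if (desc_len < datalen - FIXED_LEN) {      /* BUG: wraps when datalen < 13 */
        *lang_off = DESC_OFFSET + (size_t)desc_len;
        return 0;
    }
    return -1;
}

/*
 * Hardened version: require every fixed field first, then compare each
 * length against the bytes that actually remain, so nothing can wrap and
 * every read offset is proven in bounds before it is used.
 */
int parse_disconnect_fixed(const unsigned char *data, size_t datalen,
                           struct disconnect *out)
{
    if (datalen < FIXED_LEN)
        return -1;
    uint32_t desc_len = rd_u32(data + 5);
    size_t remaining = datalen - FIXED_LEN;    /* cannot wrap: datalen >= 13 */
    if (desc_len > remaining)
        return -1;                             /* description would overrun */
    const unsigned char *lang_len_p = data + DESC_OFFSET + desc_len; /* <= end - 4 */
    uint32_t lang_len = rd_u32(lang_len_p);
    if (lang_len > remaining - desc_len)
        return -1;                             /* language tag would overrun */
    out->reason   = rd_u32(data + 1);
    out->desc     = data + DESC_OFFSET;
    out->desc_len = desc_len;
    out->lang     = lang_len_p + 4;
    out->lang_len = lang_len;
    return 0;
}

/* Constructed sample messages for this example (not captured traffic). */
static const unsigned char BENIGN[] = {
    0x01,                   /* SSH_MSG_DISCONNECT */
    0x00, 0x00, 0x00, 0x0b, /* reason 11: SSH_DISCONNECT_BY_APPLICATION */
    0x00, 0x00, 0x00, 0x03, 'b', 'y', 'e',
    0x00, 0x00, 0x00, 0x02, 'e', 'n'
};
static const unsigned char CRAFTED[] = {
    0x01,
    0x00, 0x00, 0x00, 0x0b,
    0x7f, 0xff, 0xff, 0xff, /* desc_len far larger than the 12-byte message */
    'b', 'y', 'e'
};

int vulnerable_accepts_crafted(void)
{
    size_t off = 0;
    return disconnect_lang_offset_vulnerable(CRAFTED, sizeof CRAFTED, &off) == 0
        && off > sizeof CRAFTED;
}

int fixed_rejects_crafted(void)
{
    struct disconnect d;
    return parse_disconnect_fixed(CRAFTED, sizeof CRAFTED, &d) == -1;
}

int fixed_parses_benign(void)
{
    struct disconnect d;
    return parse_disconnect_fixed(BENIGN, sizeof BENIGN, &d) == 0
        && d.reason == 11 && d.desc_len == 3 && memcmp(d.desc, "bye", 3) == 0
        && d.lang_len == 2 && memcmp(d.lang, "en", 2) == 0;
}

int main(void)
{
    printf("vulnerable check accepts crafted message: %d\n", vulnerable_accepts_crafted());
    printf("hardened parser rejects crafted message:  %d\n", fixed_rejects_crafted());
    printf("hardened parser parses benign message:    %d\n", fixed_parses_benign());
    return 0;
}
```

The practical check when reviewing a parser for this class: every `len < total - header` comparison must be preceded by `total >= header`, or be rewritten as `len <= remaining` where `remaining` was computed only after that guard.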



For Debian 7 Wheezy, this problem has been fixed in version 1.4.2-1.1+deb7u8.

We recommend that you upgrade your libssh2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.