ELA-923-1 libssh security update

multiple vulnerabilities

2023-08-16
Package: libssh
Version: 0.6.3-4+deb8u6 (jessie), 0.7.3-2+deb9u4 (stretch)
Related CVEs: CVE-2019-14889, CVE-2023-1667


Two security issues have been discovered in libssh, a tiny C SSH library. One may allow a remote authenticated client to cause a denial of service in an application that uses libssh as an SSH server; the other may allow an attacker who can influence the remote path handed to the libssh SCP client API to inject arbitrary commands on the server the client connects to.

CVE-2019-14889

A flaw was found in the libssh API function ssh_scp_new() in
versions before 0.9.3 and before 0.8.8. When the libssh SCP client
connects to a server, the scp command, which includes a
user-provided path, is executed on the server side through the
remote shell. If the library is used in a way where users can
influence the third parameter of the function (the remote location
path), an attacker can inject arbitrary shell commands into that
path, leading to a compromise of the remote target.

Note that this CVE was previously fixed in jessie and that it has
now been fixed in stretch.
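The following is an added example to illustrate the CVE-2019-14889 vector described above; it is not code from this advisory or from libssh. It models the remote command a vulnerable SCP client sends as a simplified "scp -t <location>" string (an assumption for illustration, not libssh's exact command line), shows how a hostile location string turns into a second shell command, and provides one caller-side allowlist check, scp_location_is_safe(), that an application can apply before handing a path to ssh_scp_new(). The libssh call itself is left as a comment so the example compiles without libssh installed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not libssh code. The remote command is modelled as
 * "scp -t <location>" (simplified; an assumption for illustration). In the
 * vulnerable versions the location reached the remote shell unquoted, so
 * shell metacharacters inside it were interpreted by that shell.
 */

/* Build the simplified remote command the way a vulnerable client would:
 * the location is inserted verbatim. Returns the length written, or -1 if
 * the buffer is too small. */
int build_remote_scp_command(char *out, size_t outlen, const char *location)
{
    int n = snprintf(out, outlen, "scp -t %s", location);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Return true only if the candidate remote path consists solely of bytes a
 * POSIX shell treats literally when unquoted: ASCII letters, digits and the
 * conservative set "/._-". Spaces, ';', '|', '&', '$', backticks, quotes,
 * newlines and every other byte are rejected. A leading '-' is rejected as
 * well so the path cannot be parsed as an option by the remote scp. */
bool scp_location_is_safe(const char *location)
{
    if (location == NULL || *location == '\0' || *location == '-')
        return false;
    for (const char *p = location; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || c == '/' || c == '.' ||
            c == '_' || c == '-')
            continue;
        return false;
    }
    return true;
}

/* Hardened wrapper: refuse to build (and, in a real client, to send) the
 * command unless the location passes the allowlist. In an actual program
 * this is where ssh_scp_new(session, SSH_SCP_WRITE, location) would be
 * called; it is omitted here so the example compiles without libssh. */
int safe_build_remote_scp_command(char *out, size_t outlen, const char *location)
{
    if (!scp_location_is_safe(location))
        return -1;
    return build_remote_scp_command(out, outlen, location);
}

int main(void)
{
    /* Constructed attacker-controlled location: the ';' terminates the scp
     * command and the remote shell executes whatever follows it. */
    const char *hostile = "uploads; touch /tmp/pwned";
    const char *benign = "uploads/report.txt";
    char cmd[256];

    if (build_remote_scp_command(cmd, sizeof cmd, hostile) > 0)
        printf("vulnerable client would run: %s\n", cmd);
    printf("hardened client accepts benign path:  %s\n",
           safe_build_remote_scp_command(cmd, sizeof cmd, benign) > 0 ? "yes" : "no");
    printf("hardened client accepts hostile path: %s\n",
           safe_build_remote_scp_command(cmd, sizeof cmd, hostile) > 0 ? "yes" : "no");
    return 0;
}
```

The allowlist is deliberately stricter than what the fixed libssh versions accept, since upgrading to a fixed version is the actual remedy; the check above is a belt-and-braces measure for applications that cannot rule out attacker influence over the path, and it rejects legitimate paths containing spaces or non-ASCII characters, which a real deployment may need to handle differently.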

CVE-2023-1667

A NULL pointer dereference was found in libssh during re-keying with
algorithm guessing. This issue may allow an authenticated client to
cause a denial of service.


For Debian 8 jessie, these problems have been fixed in version 0.6.3-4+deb8u6.

For Debian 9 stretch, these problems have been fixed in version 0.7.3-2+deb9u4.

We recommend that you upgrade your libssh packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.