-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 25 Mar 2019 15:10:21 +0100
Source: libssh2
Binary: libssh2-1 libssh2-1-dev libssh2-1-dbg
Architecture: source amd64
Version: 1.4.3-4.1+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Mikhail Gusarov <dottedmag@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 libssh2-1  - SSH2 client-side library
 libssh2-1-dbg - SSH2 client-side library (debug package)
 libssh2-1-dev - SSH2 client-side library (development headers)
Closes: 924965
Changes:
 libssh2 (1.4.3-4.1+deb8u2) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team. (Closes: #924965).
   * CVE-2019-3855: Do packet length bounds check in _libssh2_transport_read()
     (src/transport.c).
   * CVE-2019-3856, CVE-2019-3863: Bounds checks in
     userauth_keyboard_interactive() (src/userauth.c).
   * CVE-2019-3857: Fix possible out zero byte/incorrect bounds allocation in
     _libssh2_packet_add() (src/packet.c).
   * CVE-2019-3858: Prevent zero-byte allocation in sftp_packet_read() which
     could lead to an out-of-bounds read.
   * CVE-2019-3859: Response length check in session_startup()
     (src/transport.c), and bounds checks in various functions (src/kex.c,
     src/channel.c).
   * CVE-2019-3860: Add a required_size parameter to sftp_packet_require et.
     al. to require callers of these functions to handle packets that are too
     short.
   * CVE-2019-3861: Sanitize padding_length - _libssh2_transport_read(). This
     prevents an underflow resulting in a potential out-of-bounds read if a
     server sends a too-large padding_length, possibly with malicious intent.
   * CVE-2019-3862: Additional length checks to prevent out-of-bounds reads
     and writes in _libssh2_packet_add().
Checksums-Sha1:
 b1c4fcb56ba49ccf418e05acfc85d4d92fabe35f 1928 libssh2_1.4.3-4.1+deb8u2.dsc
 d1975057ffd8baaab4ad8fa663942cf32794e278 15352 libssh2_1.4.3-4.1+deb8u2.debian.tar.xz
 30f62d9308d91943f5cf3a75ab7b01b02b51db5b 127306 libssh2-1_1.4.3-4.1+deb8u2_amd64.deb
 a0615d5becf8eda87f8050304a100fa5d3e84401 291884 libssh2-1-dev_1.4.3-4.1+deb8u2_amd64.deb
 a9750274bdd78f1b9366e00e43980b80d5ea25ef 232346 libssh2-1-dbg_1.4.3-4.1+deb8u2_amd64.deb
Checksums-Sha256:
 95da6c89b7bddca29753eef98cea1456071f2a6bacdce63522eb63ce698137e1 1928 libssh2_1.4.3-4.1+deb8u2.dsc
 b297c276f699c86da6e9190b5ece186f6712833034b2b5f5439f014338b42c77 15352 libssh2_1.4.3-4.1+deb8u2.debian.tar.xz
 ae7732bc4c922ee4b973cf124dc4e25be0f7c2a31ee2f2e3895fd83457abc180 127306 libssh2-1_1.4.3-4.1+deb8u2_amd64.deb
 e4ac22336122a18a8f9d3164180e88f0d2ef15367ec8abb01d8b98a572c639cc 291884 libssh2-1-dev_1.4.3-4.1+deb8u2_amd64.deb
 1b0ad2969d8d0edd06fd34630840f6313eda3c5fbf0bfda61604f51b0412987f 232346 libssh2-1-dbg_1.4.3-4.1+deb8u2_amd64.deb
Files:
 61426bba6c2406fe6d88737a1bc22700 1928 libs optional libssh2_1.4.3-4.1+deb8u2.dsc
 d28cc909be104e1be6590ec33e976018 15352 libs optional libssh2_1.4.3-4.1+deb8u2.debian.tar.xz
 c1ffb41738accf8c497486fb89b60349 127306 libs optional libssh2-1_1.4.3-4.1+deb8u2_amd64.deb
 9053b1c38654779a37024bb7b01f693e 291884 libdevel optional libssh2-1-dev_1.4.3-4.1+deb8u2_amd64.deb
 08ba2d2b77d32955fd81fed6ef5a0739 232346 debug extra libssh2-1-dbg_1.4.3-4.1+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAlyaJ/QVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxYxUP/1XZZri7jvL1u3nLpI/jXi5VF38Z
kuz4Pvz419TZet3pYw+9jLsoUEo8LoOi/qrNRdc/+OZUyg3BBmtNGif5041NkW0h
1lBCDC1QLL7JqYf0+a5v5YGysYJ89yxcl8Meg+y7UytQIIhct0U6rYYyGurVM0U6
aNvHoiMkaYdvs0ddc5JMJdJ2fPLnBHumdKjwwYrb69EKBDeEhC5bTxrJRZiE1FHN
hbimGHbVr7RzRms2LOUqlGq9j+QT5bwehCmZHWcn/SHeSjObrH7zf+U7pLmMkPhU
Xj+YqVZ21JmD/kP0jSdEtjURi1ObsdLRgbXY6GiBR2SeN49IYoUz7YX/SpECtUU/
7kTjdOQaNcjOnVakiNPRJvr7b/RpPl8QfGUOvoT3kyEHQuSY1/QuzymJBcDGDaSu
FYeMVXnQZJME/Rma3kFO2eSzHhPtr7aA5zcY0GJv6fC5fT0pPqPF3CJ3jxZnku1B
plAgrioMmXuBlOECNMgu+LQBCS6+sw8F4rbZWhIVXEQzfJ+GoGEDD2QuON4fCyvD
FgyoovLM758Vw1K7OndF9s1eoVUA2cabjbo4H6jGX2aodPK6Jm0dslxI2j6I2pzf
Q8fBrpipyqqMnK/eAio78nFHu+MMYT2oEexZdFYbqeMqzpAmAMH5QD1jS9lBqj9h
6cfWqCRaXGNVJEfA
=V99n
-----END PGP SIGNATURE-----