Debian Package Tracker

libssh2


general
  • source: libssh2 (main)
  • version: 1.11.1-3
  • maintainer: Nicolas Mora (DMD)
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org] [pool directory]
  • o-o-stable (oldoldstable, bullseye): 1.9.0-2+deb11u1
  • oldstable (bookworm): 1.10.0-3
  • stable (trixie): 1.11.1-1
  • testing (forky): 1.11.1-3
  • unstable (sid): 1.11.1-3
versioned links
  • 1.9.0-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.10.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.11.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.11.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libssh2-1-dev
  • libssh2-1t64
action needed
4 security issues in trixie (high)

There are 4 open security issues in trixie.

3 important issues:
  • CVE-2025-15661: libssh2 through 1.11.1, fixed upstream in commit 2dae302, contains an out-of-bounds heap read in the sftp_symlink() function in src/sftp.c. A malicious SSH server or man-in-the-middle attacker can disclose heap memory contents or crash the client by sending a crafted SSH_FXP_NAME response to an SFTP READLINK or REALPATH request: the response carries a link_len value larger than the data actually present in the packet, and because the available packet buffer size is not validated before the memcpy, the client over-reads the heap by up to target_len minus one bytes.
  • CVE-2026-55199: libssh2 through 1.11.1, fixed upstream in commit 1762685, contains a pre-authentication denial of service in the SSH_MSG_EXT_INFO handler in src/packet.c. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange; because the return values of _libssh2_get_string() are unchecked, the client spins in a tight CPU loop for over 60 seconds, and the session timeout does not help because it does not apply to CPU-bound loops.
  • CVE-2026-55200: libssh2 through 1.11.1, fixed upstream in commit 7acf3df, contains an out-of-bounds write in ssh2_transport_read(), which fails to enforce an upper bound on the packet_length field. A remote attacker can send crafted SSH packets with an excessively large packet_length value to corrupt heap memory and achieve remote code execution.
1 issue left for the package maintainer to handle:
  • CVE-2026-7598: (needs triaging) An integer overflow has been reported in libssh2 up to 1.11.1 in the function userauth_password() in src/userauth.c, triggered by manipulation of the username_len/password_len arguments. The attack may be launched remotely. The upstream fix is commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1, which should be applied to remediate this issue.
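All four entries above are instances of one bug class: a length read from the peer is used (to index, loop, allocate or add) before it is checked against the bytes actually received or against what a fixed-width integer can hold. The C below is added here to illustrate that pattern; it is not libssh2 source and does not reproduce the project's real functions. The ssh_buf cursor, the function names, the simplified SSH_FXP_NAME layout (cursor positioned at the count field), the 40-byte framing constant in the userauth_password sizing and the MAX_PACKET_LEN value are all assumptions chosen for illustration; 35000 bytes is the minimum total packet size RFC 4253 requires implementations to accept, not libssh2's actual limit.

```c
/* Added example, not libssh2 source: bounded parsing of the length-prefixed
 * fields behind the four CVEs above. Names, layouts and limits are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cursor over a received packet. `len` is the byte count actually received,
 * the one length the peer cannot choose. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } ssh_buf;

static size_t buf_remaining(const ssh_buf *b) { return b->len - b->pos; }

/* Read a big-endian uint32; -1 if fewer than 4 bytes remain. */
static int get_u32(ssh_buf *b, uint32_t *out)
{
    const uint8_t *p = b->data + b->pos;
    if (buf_remaining(b) < 4) return -1;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    b->pos += 4;
    return 0;
}

/* Read an SSH "string" (uint32 length + bytes). The length is attacker
 * controlled, so it is compared with the bytes remaining BEFORE a pointer or
 * memcpy is derived from it: the check whose absence is CVE-2025-15661. */
static int get_string(ssh_buf *b, const uint8_t **s, size_t *slen)
{
    uint32_t n;
    if (get_u32(b, &n) != 0) return -1;
    if (n > buf_remaining(b)) return -1;
    *s = b->data + b->pos;
    *slen = n;
    b->pos += n;
    return 0;
}

/* SSH_FXP_NAME reply to READLINK/REALPATH, simplified: cursor starts at the
 * uint32 count, then the first entry's filename string (the link target).
 * Copies the target into `out` NUL-terminated; returns its length, or -1 if
 * the reply is malformed or does not fit. Never reads past pktlen. */
static long sftp_symlink_target(const uint8_t *pkt, size_t pktlen,
                                char *out, size_t outcap)
{
    ssh_buf b = { pkt, pktlen, 0 };
    uint32_t count;
    const uint8_t *target;
    size_t target_len;
    if (get_u32(&b, &count) != 0 || count < 1) return -1;
    if (get_string(&b, &target, &target_len) != 0) return -1;
    if (target_len >= outcap) return -1;        /* room for the NUL */
    memcpy(out, target, target_len);
    out[target_len] = '\0';
    return (long)target_len;
}

/* SSH_MSG_EXT_INFO body after the type byte: uint32 nr-extensions, then that
 * many (string name, string value) pairs. A hostile server can claim
 * 0xFFFFFFFF extensions (CVE-2026-55199); the loop is bounded by the data
 * present and stops on the first failed read. Returns the count parsed or -1. */
static long parse_ext_info(const uint8_t *pkt, size_t pktlen)
{
    ssh_buf b = { pkt, pktlen, 0 };
    uint32_t n, i;
    if (get_u32(&b, &n) != 0) return -1;
    if (n > buf_remaining(&b) / 8) return -1;   /* a pair needs >= 8 bytes */
    for (i = 0; i < n; i++) {
        const uint8_t *name, *value;
        size_t name_len, value_len;
        if (get_string(&b, &name, &name_len) != 0) return -1;
        if (get_string(&b, &value, &value_len) != 0) return -1;
    }
    return (long)n;
}

/* Transport layer: the leading uint32 packet_length sizes a heap buffer, so it
 * needs an upper bound before any allocation (CVE-2026-55200). MAX_PACKET_LEN
 * is an assumed limit, not libssh2's: 35000 bytes is the minimum total packet
 * size RFC 4253 requires peers to accept. The floor of 5 is the padding_length
 * byte plus the minimum 4 bytes of padding. */
#define MAX_PACKET_LEN 35000u
static int packet_length_ok(uint32_t packet_length)
{
    return packet_length >= 5 && packet_length <= MAX_PACKET_LEN;
}

/* userauth_password request sizing (CVE-2026-7598): fixed framing plus the
 * caller's username_len and password_len. Unchecked addition lets a huge
 * length wrap to a small allocation. The 40 bytes of framing (type byte,
 * "ssh-connection", "password", boolean, four length prefixes) are this
 * example's assumption. Returns the total, or -1 on overflow. */
static long long userauth_password_size(size_t username_len, size_t password_len)
{
    const size_t fixed = 40;
    size_t total;
    if (username_len > SIZE_MAX - fixed) return -1;
    if (password_len > SIZE_MAX - fixed - username_len) return -1;
    total = fixed + username_len + password_len;
    if (total > UINT32_MAX) return -1;           /* SSH lengths are uint32 */
    return (long long)total;
}
```

The design point is that every function derives its bound from pktlen (what arrived on the wire) or from SIZE_MAX/UINT32_MAX (what the type can hold), never from a value the peer wrote; the per-extension pre-check in parse_ext_info turns a 0xFFFFFFFF count from a multi-second spin into an immediate reject, and the userauth sizing refuses a pair of lengths that would wrap to 40 under 32-bit arithmetic.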

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-02 Last update: 2026-06-19 17:46
3 security issues in sid (high)

There are 3 open security issues in sid, the same 3 important issues listed for trixie above (see that entry for the full descriptions):
  • CVE-2025-15661: heap out-of-bounds read in sftp_symlink() (src/sftp.c); fixed upstream in commit 2dae302
  • CVE-2026-55199: pre-authentication CPU-exhaustion loop in the SSH_MSG_EXT_INFO handler (src/packet.c); fixed upstream in commit 1762685
  • CVE-2026-55200: out-of-bounds heap write via an unbounded packet_length in ssh2_transport_read(); fixed upstream in commit 7acf3df
Created: 2026-06-18 Last update: 2026-06-19 17:46
3 security issues in forky (high)

There are 3 open security issues in forky, the same 3 important issues listed for trixie above (see that entry for the full descriptions):
  • CVE-2025-15661: heap out-of-bounds read in sftp_symlink() (src/sftp.c); fixed upstream in commit 2dae302
  • CVE-2026-55199: pre-authentication CPU-exhaustion loop in the SSH_MSG_EXT_INFO handler (src/packet.c); fixed upstream in commit 1762685
  • CVE-2026-55200: out-of-bounds heap write via an unbounded packet_length in ssh2_transport_read(); fixed upstream in commit 7acf3df
Created: 2026-06-18 Last update: 2026-06-19 17:46
4 security issues in bullseye (high)

There are 4 open security issues in bullseye.

3 important issues, the same as listed for trixie above (see that entry for the full descriptions):
  • CVE-2025-15661: heap out-of-bounds read in sftp_symlink() (src/sftp.c); fixed upstream in commit 2dae302
  • CVE-2026-55199: pre-authentication CPU-exhaustion loop in the SSH_MSG_EXT_INFO handler (src/packet.c); fixed upstream in commit 1762685
  • CVE-2026-55200: out-of-bounds heap write via an unbounded packet_length in ssh2_transport_read(); fixed upstream in commit 7acf3df
1 issue postponed or untriaged:
  • CVE-2026-7598: (postponed; to be fixed through a stable update) integer overflow in userauth_password() (src/userauth.c) via the username_len/password_len arguments, remotely triggerable; upstream patch 256d04b60d80bf1190e96b0ad1e91b2174d744b1
Created: 2026-06-18 Last update: 2026-06-19 17:46
4 security issues in bookworm (high)

There are 4 open security issues in bookworm.

3 important issues, the same as listed for trixie above (see that entry for the full descriptions):
  • CVE-2025-15661: heap out-of-bounds read in sftp_symlink() (src/sftp.c); fixed upstream in commit 2dae302
  • CVE-2026-55199: pre-authentication CPU-exhaustion loop in the SSH_MSG_EXT_INFO handler (src/packet.c); fixed upstream in commit 1762685
  • CVE-2026-55200: out-of-bounds heap write via an unbounded packet_length in ssh2_transport_read(); fixed upstream in commit 7acf3df
1 issue left for the package maintainer to handle:
  • CVE-2026-7598: (needs triaging) integer overflow in userauth_password() (src/userauth.c) via the username_len/password_len arguments, remotely triggerable; upstream patch 256d04b60d80bf1190e96b0ad1e91b2174d744b1

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-02 Last update: 2026-06-19 17:46
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2026-05-18] libssh2 1.11.1-3 MIGRATED to testing (Debian testing watch)
  • [2026-05-09] Accepted libssh2 1.11.1-3 (source) into unstable (Nicolas Mora)
  • [2026-03-21] libssh2 1.11.1-2 MIGRATED to testing (Debian testing watch)
  • [2026-03-18] Accepted libssh2 1.11.1-2 (source) into unstable (Nicolas Mora)
  • [2024-10-21] libssh2 1.11.1-1 MIGRATED to testing (Debian testing watch)
  • [2024-10-18] Accepted libssh2 1.11.1-1 (source) into unstable (Nicolas Mora)
  • [2024-08-05] libssh2 1.11.0-7 MIGRATED to testing (Debian testing watch)
  • [2024-08-02] Accepted libssh2 1.11.0-7 (source) into unstable (Nicolas Mora)
  • [2024-07-29] libssh2 1.11.0-6 MIGRATED to testing (Debian testing watch)
  • [2024-07-25] Accepted libssh2 1.11.0-6 (source) into unstable (Nicolas Mora)
  • [2024-05-25] libssh2 1.11.0-5 MIGRATED to testing (Debian testing watch)
  • [2024-05-22] Accepted libssh2 1.11.0-5 (source) into unstable (Nicolas Mora)
  • [2024-04-25] libssh2 1.11.0-4.1 MIGRATED to testing (Debian testing watch)
  • [2024-04-23] Accepted libssh2 1.9.0-2+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Nicolas Mora)
  • [2024-02-28] Accepted libssh2 1.11.0-4.1 (source) into unstable (Graham Inggs)
  • [2024-02-02] Accepted libssh2 1.11.0-4.1~exp1 (source) into experimental (Steve Langasek)
  • [2024-01-09] libssh2 1.11.0-4 MIGRATED to testing (Debian testing watch)
  • [2024-01-02] Accepted libssh2 1.11.0-4 (source) into unstable (Nicolas Mora)
  • [2023-12-02] libssh2 1.11.0-3 MIGRATED to testing (Debian testing watch)
  • [2023-11-29] Accepted libssh2 1.11.0-3 (source) into unstable (Nicolas Mora)
  • [2023-09-08] Accepted libssh2 1.8.0-2.1+deb10u1 (source) into oldoldstable (Guilhem Moulin)
  • [2023-07-02] libssh2 1.11.0-2 MIGRATED to testing (Debian testing watch)
  • [2023-06-25] Accepted libssh2 1.11.0-2 (source) into unstable (Nicolas Mora)
  • [2023-06-05] Accepted libssh2 1.11.0-1 (source) into experimental (Nicolas Mora)
  • [2022-03-04] libssh2 1.10.0-3 MIGRATED to testing (Debian testing watch)
  • [2022-03-02] Accepted libssh2 1.10.0-3 (source) into unstable (Nicolas Mora)
  • [2021-12-17] Accepted libssh2 1.7.0-1+deb9u2 (source) into oldoldstable (Anton Gladky)
  • [2021-09-28] libssh2 1.10.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-09-25] Accepted libssh2 1.10.0-2 (source) into unstable (Nicolas Mora)
  • [2021-09-01] Accepted libssh2 1.10.0-1 (source) into experimental (Nicolas Mora)
bugs [bug history graph]
  • all: 4
  • RC: 0
  • I&N: 4
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.11.1-3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers