Debian Security Advisory

DLA-171-1 libssh2 -- LTS security update

Date Reported:
14 Mar 2015
Affected Packages:
libssh2
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 780249.
In Mitre's CVE dictionary: CVE-2015-1782.
More information:

Mariusz Ziulek reported that libssh2, an SSH2 client-side library, read and used the SSH_MSG_KEXINIT packet without sufficient range checks when negotiating a new SSH session with a remote server. An attacker positioned as a man in the middle between a client and a real server could send a crafted SSH_MSG_KEXINIT and cause a client using the libssh2 library to crash (denial of service) or otherwise read and use unintended memory areas in the client process. Because SSH_MSG_KEXINIT is exchanged before the server's host key is verified, host key checking on the client does not protect against this.
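
The following is an added example, not libssh2's own code or the Debian patch: a minimal parser for the SSH_MSG_KEXINIT payload laid out as in RFC 4253 section 7.1 (message byte, 16-byte cookie, ten name-lists each encoded as a uint32 length followed by that many bytes, a boolean, and a reserved uint32). Every length field taken from the peer is checked against the bytes actually received before it is used, which is the class of check the advisory describes as missing. The packets are constructed in the block itself; the struct and function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSH_MSG_KEXINIT 20
#define KEXINIT_NAME_LISTS 10

/* Hypothetical read cursor over one received payload (example's own type). */
struct cursor {
    const unsigned char *p;
    size_t len;            /* bytes remaining after p */
};

static int read_u32(struct cursor *c, uint32_t *out) {
    if (c->len < 4) return 0;              /* truncated length field */
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4; c->len -= 4;
    return 1;
}

/* name-list = uint32 length + bytes. The `c->len < *n` check is the one that
   matters: a 32-bit length chosen by the peer must never be trusted to
   describe memory that was not actually received. */
static int read_name_list(struct cursor *c, const unsigned char **s, uint32_t *n) {
    if (!read_u32(c, n)) return 0;
    if (c->len < *n) return 0;             /* range check against the buffer */
    *s = c->p;
    c->p += *n; c->len -= *n;
    return 1;
}

/* Returns 1 for a well-formed KEXINIT payload, 0 if it is truncated or any
   length field exceeds the received bytes. On success the kex_algorithms
   list is copied into kex (NUL-terminated). */
int parse_kexinit(const unsigned char *pkt, size_t pktlen, char *kex, size_t kexcap) {
    struct cursor c = { pkt, pktlen };
    const unsigned char *s; uint32_t n, reserved; int i;
    if (c.len < 1 || c.p[0] != SSH_MSG_KEXINIT) return 0;
    c.p++; c.len--;
    if (c.len < 16) return 0;              /* cookie */
    c.p += 16; c.len -= 16;
    for (i = 0; i < KEXINIT_NAME_LISTS; i++) {
        if (!read_name_list(&c, &s, &n)) return 0;
        if (i == 0) {                      /* kex_algorithms */
            if (n >= kexcap) return 0;     /* bound the copy by the destination */
            memcpy(kex, s, n); kex[n] = '\0';
        }
    }
    if (c.len < 1) return 0;               /* first_kex_packet_follows */
    c.p++; c.len--;
    if (!read_u32(&c, &reserved)) return 0;/* reserved uint32 */
    return 1;
}

/* Serialise a KEXINIT payload from ten name-lists; returns bytes written, 0 on overflow. */
static size_t build_kexinit(unsigned char *out, size_t cap,
                            const char *const lists[KEXINIT_NAME_LISTS]) {
    size_t off = 0; int i;
    if (cap < 17) return 0;
    out[off++] = SSH_MSG_KEXINIT;
    memset(out + off, 0x42, 16); off += 16;          /* constructed cookie */
    for (i = 0; i < KEXINIT_NAME_LISTS; i++) {
        size_t n = strlen(lists[i]);
        if (cap - off < 4 + n) return 0;
        out[off++] = (unsigned char)(n >> 24); out[off++] = (unsigned char)(n >> 16);
        out[off++] = (unsigned char)(n >> 8);  out[off++] = (unsigned char)n;
        memcpy(out + off, lists[i], n); off += n;
    }
    if (cap - off < 5) return 0;
    out[off++] = 0;                                  /* first_kex_packet_follows = FALSE */
    memset(out + off, 0, 4); off += 4;               /* reserved */
    return off;
}

/* Constructed sample name-lists; algorithm names are only illustrative. */
static const char *const demo_lists[KEXINIT_NAME_LISTS] = {
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1", "ssh-rsa,ssh-dss",
    "aes128-ctr,aes256-ctr", "aes128-ctr,aes256-ctr", "hmac-sha1", "hmac-sha1",
    "none", "none", "", ""
};

/* Honest server: parses cleanly and the kex list is recovered intact. */
int demo_valid_packet(void) {
    unsigned char pkt[512]; char kex[128];
    size_t n = build_kexinit(pkt, sizeof pkt, demo_lists);
    return n != 0 && parse_kexinit(pkt, n, kex, sizeof kex) == 1
        && strcmp(kex, demo_lists[0]) == 0;
}

/* Man in the middle rewrites the kex_algorithms length (bytes 17..20) to
   0xFFFFFFFF; the range check rejects it instead of reading past the buffer. */
int demo_oversized_length(void) {
    unsigned char pkt[512]; char kex[128];
    size_t n = build_kexinit(pkt, sizeof pkt, demo_lists);
    memset(pkt + 17, 0xFF, 4);
    return n != 0 && parse_kexinit(pkt, n, kex, sizeof kex) == 0;
}

/* Payload cut short mid-way through the last length field is also rejected. */
int demo_truncated(void) {
    unsigned char pkt[512]; char kex[128];
    size_t n = build_kexinit(pkt, sizeof pkt, demo_lists);
    return n > 7 && parse_kexinit(pkt, n - 7, kex, sizeof kex) == 0;
}

int main(void) {
    printf("valid=%d oversized_rejected=%d truncated_rejected=%d\n",
           demo_valid_packet(), demo_oversized_length(), demo_truncated());
    return 0;
}
```

The parser never dereferences a byte it has not first accounted for in `c.len`, so a hostile length field can only cause an early return, not an out-of-bounds read; the same cursor discipline applies to every other length-prefixed field the client consumes before the server is authenticated.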

For Debian 6 Squeeze, this issue has been fixed in libssh2 version 1.2.6-1+deb6u1.