Debian Security Advisory
DLA-171-1 libssh2 -- LTS security update
- Date Reported:
- 14 Mar 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 780249.
In Mitre's CVE dictionary: CVE-2015-1782.
- More information:
Mariusz Ziulek reported that libssh2, a SSH2 client-side library, was reading and using the SSH_MSG_KEXINIT packet without doing sufficient range checks when negotiating a new SSH session with a remote server. A malicious attacker could man in the middle a real server and cause a client using the libssh2 library to crash (denial of service) or otherwise read and use unintended memory areas in this process.
For Debian 6
Squeeze, these issues have been fixed in libssh2 version 1.2.6-1+deb6u1