Debian Security Advisory

DLA-171-1 libssh2 -- LTS security update

Date Reported:
14 Mar 2015
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 780249.
In Mitre's CVE dictionary: CVE-2015-1782.
More information:

Mariusz Ziulek reported that libssh2, a SSH2 client-side library, was reading and using the SSH_MSG_KEXINIT packet without doing sufficient range checks when negotiating a new SSH session with a remote server. A malicious attacker could man in the middle a real server and cause a client using the libssh2 library to crash (denial of service) or otherwise read and use unintended memory areas in this process.

For Debian 6 Squeeze, these issues have been fixed in libssh2 version 1.2.6-1+deb6u1