Debian Security Advisory

DLA-1730-3 libssh2 -- LTS security update

Date Reported:
25 Jul 2019
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2019-3859, CVE-2019-13115.
More information:

Various security problems have been additionally fixed in libssh2, an SSH client implementation written in C.

  • CVE-2019-3859

    While investigating the impact of CVE-2019-13115 in Debian jessie's version of libssh2, it was discovered that issues around CVE-2019-3859 had not been fully resolved in Debian jessie's version of libssh2. A thorough manual (read, analyze, and copy code changes if needed) comparison of upstream code and code in Debian jessie's version of libssh2 was done and various more boundary checks and integer overflow protections got added to the package.

  • CVE-2019-13115

    Kevin Backhouse from discovered that initial fixes for the CVE series CVE-2019-3855 - 2019-3863 introduced several regressions about signedness of length return values into the upstream code. While working on the CVE-2019-3859 update mentioned above, it was paid attention to not introduce these upstream regression registered as CVE-2019-13115.

For Debian 8 Jessie, these problems have been fixed in version 1.4.3-4.1+deb8u4.

We recommend that you upgrade your libssh2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: