
Debian Buster: DLA-3437-1 Critical: libssh Command Injection and DoS Issues

Debian LTS advisory, May 29, 2023
Important release for libssh resolving multiple vulnerabilities that could lead to DoS attacks and remote command execution risks in Debian LTS.
Two security issues have been discovered in libssh, a tiny C SSH library, which may allow a remote authenticated user to cause a denial of service or inject arbitrary commands.

Summary

CVE-2019-14889

A flaw was found with the libssh API function ssh_scp_new() in
versions before 0.9.3 and before 0.8.8. When the libssh SCP client
connects to a server, the scp command, which includes a
user-provided path, is executed on the server-side. In case the
library is used in a way where users can influence the third
parameter of the function, it would become possible for an attacker
to inject arbitrary commands, leading to a compromise of the remote
target.
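As an added example (not part of the DLA or of libssh itself), a caller-side guard in C that refuses a location string unless it is a plain path before it would be passed as the third parameter of ssh_scp_new(); the function name and the allowed character set are assumptions, and the guard complements, rather than replaces, upgrading to the fixed package.

```c
/* Added example, not libssh code: allowlist check for the `location`
 * argument of ssh_scp_new(). libssh splices that string into the scp
 * command executed on the server, so anything a remote shell would
 * interpret must never reach it from an untrusted source. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true only when `location` consists of path characters that
 * carry no shell meaning: alphanumerics and "/ . _ -". A leading '-'
 * is rejected too, so the path cannot be read as an scp option.
 * The character set is a conservative assumption; widen it only for
 * characters your deployment genuinely needs. */
bool scp_location_is_safe(const char *location)
{
    if (location == NULL || *location == '\0')
        return false;
    if (location[0] == '-')
        return false;
    for (const unsigned char *p = (const unsigned char *)location; *p; p++) {
        if (isalnum(*p) || *p == '/' || *p == '.' || *p == '_' || *p == '-')
            continue;
        return false; /* space, quotes, ';', '|', '$', '`', '&', ... */
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: one ordinary path, one with shell metacharacters. */
    const char *inputs[] = { "/srv/data/report.txt", "/tmp/x; id" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (scp_location_is_safe(inputs[i]))
            printf("ok     : %s  (safe to pass to ssh_scp_new())\n", inputs[i]);
        else
            printf("reject : %s\n", inputs[i]);
        /* With libssh present the guarded call would read:
         *   ssh_scp scp = ssh_scp_new(session, SSH_SCP_READ, inputs[i]); */
    }
    return 0;
}
```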

CVE-2023-1667

A NULL pointer dereference was found in libssh during re-keying with
algorithm guessing. This issue may allow an authenticated client to
cause a denial of service.

For Debian 10 buster, these problems have been fixed in version
0.8.7-1+deb10u2.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libssh

Severity: critical

Package: libssh
Version: 0.8.7-1+deb10u2
CVE ID: CVE-2019-14889 CVE-2023-1667
Debian Bug: 946548 1035832
