UbuntuUpdates.org

Package "libssh-4"

Name: libssh-4

Description:

tiny C SSH library (OpenSSL flavor)
Latest version: 0.8.0~20170825.94fa1e38-1ubuntu0.7
Release: bionic (18.04)
Level: updates
Repository: main
Head package: libssh
Homepage: https://www.libssh.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libssh-4"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "libssh-4" in Bionic

Repository Area Version
base main 0.8.0~20170825.94fa1e38-1build1
security main 0.8.0~20170825.94fa1e38-1ubuntu0.7

Changelog

Version: 0.8.0~20170825.94fa1e38-1ubuntu0.7 2020-08-04 16:06:51 UTC

  libssh (0.8.0~20170825.94fa1e38-1ubuntu0.7) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2020-16135-*.patch: fix a NULL dereference
      checking the return of ssh_buffer_new() and added others checks
      in src/sftpservcer.c, src/buffer.c.
    - CVE-2020-16135

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 31 Jul 2020 15:46:18 -0300
Source diff to previous version
CVE-2020-16135 libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.

Version: 0.8.0~20170825.94fa1e38-1ubuntu0.6 2020-04-09 14:07:13 UTC

  libssh (0.8.0~20170825.94fa1e38-1ubuntu0.6) bionic-security; urgency=medium

  * SECURITY UPDATE: denial of service via AES-CTR ciphers
    - debian/patches/CVE-2020-1730.patch: fix a possible segfault when
      zeroing AES-CTR key in src/libcrypto.c.
    - CVE-2020-1730

 -- Marc Deslauriers <email address hidden> Tue, 07 Apr 2020 13:16:14 -0400
Source diff to previous version

Version: 0.8.0~20170825.94fa1e38-1ubuntu0.5 2019-12-10 20:06:58 UTC

  libssh (0.8.0~20170825.94fa1e38-1ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: unsanitized location in scp could lead to unwanted
    command execution
    - debian/patches/CVE-2019-14889-1.patch: reformat code in scp/scp.c.
    - debian/patches/CVE-2019-14889-2.patch: log SCP warnings received from
      the server in src/scp.c.
    - debian/patches/CVE-2019-14889-3.patch: add function to quote file
      names in include/libssh/misc.h, src/misc.c.
    - debian/patches/CVE-2019-14889-4.patch: don't allow file path longer
      than 32kb in src/scp.c.
    - debian/patches/CVE-2019-14889-5.patch: quote location to be used on
      shell in src/scp.c.
    - CVE-2019-14889

 -- Marc Deslauriers <email address hidden> Tue, 10 Dec 2019 10:30:36 -0500
Source diff to previous version
CVE-2019-14889 Unsanitized location in scp could lead to unwanted command execution

Version: 0.8.0~20170825.94fa1e38-1ubuntu0.2 2018-11-29 16:07:12 UTC

  libssh (0.8.0~20170825.94fa1e38-1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
    - debian/patches/CVE-2018-10933-regression.patch: set correct state
      after sending INFO_REQUEST in src/server.c.
    - debian/patches/CVE-2018-10933-regression2.patch: add missing break in
      src/packet.c.
    - debian/patches/CVE-2018-10933-regression3.patch: set correct state
      after sending GSSAPI_RESPONSE in src/gssapi.c.

 -- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 10:01:15 -0500
Source diff to previous version
1805348 Recent security update broke server-side keyboard-interactive authentication
CVE-2018-10933 A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without fir

Version: 0.8.0~20170825.94fa1e38-1ubuntu0.1 2018-10-17 14:06:36 UTC

  libssh (0.8.0~20170825.94fa1e38-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: authentication bypass vulnerability
    - debian/patches/CVE-2018-10933-*.patch: add upstream patches to
      correct the issue.
    - CVE-2018-10933

 -- Marc Deslauriers <email address hidden> Tue, 16 Oct 2018 14:26:47 -0400


About   -   Send Feedback to @ubuntu_updates