English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.891730
Category:Debian Local Security Checks
Title:Debian: Security Advisory (DLA-1730-1)
Summary:The remote host is missing an update for the Debian 'libssh2' package(s) announced via the DLA-1730-1 advisory.
Description:Summary:
The remote host is missing an update for the Debian 'libssh2' package(s) announced via the DLA-1730-1 advisory.

Vulnerability Insight:
Several vulnerabilities have recently been discovered in libssh2, a client-side C library implementing the SSH2 protocol

CVE-2019-3855

An integer overflow flaw which could have lead to an out of bounds write was discovered in libssh2 in the way packets were read from the server. A remote attacker who compromised an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3856

An integer overflow flaw, which could have lead to an out of bounds write, was discovered in libssh2 in the way keyboard prompt requests were parsed. A remote attacker who compromised an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3857

An integer overflow flaw which could have lead to an out of bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal were parsed. A remote attacker who compromises an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3858

An out of bounds read flaw was discovered in libssh2 when a specially crafted SFTP packet was received from the server. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3859

An out of bounds read flaw was discovered in libssh2's _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromised an SSH server could have be able to cause a Denial of Service or read data in the client memory.

CVE-2019-3860

An out of bounds read flaw was discovered in libssh2 in the way SFTP packets with empty payloads were parsed. A remote attacker who compromised an SSH server could have be able to cause a Denial of Service or read data in the client memory.

CVE-2019-3861

An out of bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length were parsed. A remote attacker who compromised a SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3862

An out of bounds read flaw was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload were parsed. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3863

A server could have sent multiple keyboard interactive response messages whose total length were greater than unsigned char max characters. This value was used as an index to copy memory causing an out of bounds memory write error.

For Debian 8 Jessie, these problems have been fixed in version 1.4.3-4.1+deb8u2.

We recommend that you upgrade your libssh2 packages.

Further information about Debian LTS security advisories, how to apply these ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'libssh2' package(s) on Debian 8.

Solution:
Please install the updated package(s).

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2019-13115
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW/
http://packetstormsecurity.com/files/172834/libssh2-1.8.2-Out-Of-Bounds-Read.html
https://blog.semmle.com/libssh2-integer-overflow/
https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa
https://github.com/libssh2/libssh2/pull/350
https://libssh2.org/changes.html
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/09/msg00006.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3855
BugTraq ID: 107485
http://www.securityfocus.com/bid/107485
Bugtraq: 20190319 [slackware-security] libssh2 (SSA:2019-077-01) (Google Search)
https://seclists.org/bugtraq/2019/Mar/25
Bugtraq: 20190415 [SECURITY] [DSA 4431-1] libssh2 security update (Google Search)
https://seclists.org/bugtraq/2019/Apr/25
Bugtraq: 20190927 APPLE-SA-2019-9-26-7 Xcode 11.0 (Google Search)
https://seclists.org/bugtraq/2019/Sep/49
Debian Security Information: DSA-4431 (Google Search)
https://www.debian.org/security/2019/dsa-4431
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/
http://seclists.org/fulldisclosure/2019/Sep/42
http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html
https://www.libssh2.org/CVE-2019-3855.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
http://www.openwall.com/lists/oss-security/2019/03/18/3
RedHat Security Advisories: RHSA-2019:0679
https://access.redhat.com/errata/RHSA-2019:0679
RedHat Security Advisories: RHSA-2019:1175
https://access.redhat.com/errata/RHSA-2019:1175
RedHat Security Advisories: RHSA-2019:1652
https://access.redhat.com/errata/RHSA-2019:1652
RedHat Security Advisories: RHSA-2019:1791
https://access.redhat.com/errata/RHSA-2019:1791
RedHat Security Advisories: RHSA-2019:1943
https://access.redhat.com/errata/RHSA-2019:1943
RedHat Security Advisories: RHSA-2019:2399
https://access.redhat.com/errata/RHSA-2019:2399
SuSE Security Announcement: openSUSE-SU-2019:1075 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
SuSE Security Announcement: openSUSE-SU-2019:1109 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3856
https://www.libssh2.org/CVE-2019-3856.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3857
https://www.libssh2.org/CVE-2019-3857.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3858
https://www.libssh2.org/CVE-2019-3858.html
RedHat Security Advisories: RHSA-2019:2136
https://access.redhat.com/errata/RHSA-2019:2136
Common Vulnerability Exposure (CVE) ID: CVE-2019-3859
https://www.libssh2.org/CVE-2019-3859.html
https://lists.debian.org/debian-lts-announce/2019/04/msg00006.html
SuSE Security Announcement: openSUSE-SU-2019:1290 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00102.html
SuSE Security Announcement: openSUSE-SU-2019:1291 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00103.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3860
https://www.libssh2.org/CVE-2019-3860.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00028.html
SuSE Security Announcement: openSUSE-SU-2019:1640 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00072.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3861
https://www.libssh2.org/CVE-2019-3861.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3862
https://www.libssh2.org/CVE-2019-3862.html
https://www.oracle.com/security-alerts/cpujan2020.html
RedHat Security Advisories: RHSA-2019:1884
https://access.redhat.com/errata/RHSA-2019:1884
Common Vulnerability Exposure (CVE) ID: CVE-2019-3863
https://www.libssh2.org/CVE-2019-3863.html
CopyrightCopyright (C) 2019 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.