DSA-3182-1 libssh2 -- libssh2
ID: oval:org.secpod.oval:def:601990 | Date: (C)2015-03-20 (M)2023-02-20 | Class: PATCH | Family: unix |
Mariusz Ziulek reported that libssh2, an SSH2 client-side library, read and used the SSH_MSG_KEXINIT packet without sufficient range checks when negotiating a new SSH session with a remote server. An attacker able to position themselves as a man in the middle between the client and a real server could cause a client using libssh2 to crash, or to read and use unintended memory areas within the client process.
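The bug class described above is a length field in an attacker-controlled packet being trusted as an offset. The following is an added example written for this page, not libssh2's own code: a bounds-checked parser for the SSH_MSG_KEXINIT payload layout of RFC 4253 section 7.1 (message type byte, 16-byte cookie, ten name-lists each encoded as a uint32 length followed by that many bytes, a boolean, and a reserved uint32). The `build_kexinit` helper and the packet contents are constructed test data; the check marked in `read_namelist` is the kind of range check the advisory says was missing, and without it a length of 0xFFFFFFFF from a malicious server would send the parser past the end of the received buffer.

```c
/* Added example: bounds-checked parsing of an SSH_MSG_KEXINIT payload.
 * Illustrative code for this page, not libssh2's implementation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_KEXINIT 20
/* kex, hostkey, enc c2s/s2c, mac c2s/s2c, comp c2s/s2c, lang c2s/s2c */
#define KEXINIT_NAMELISTS 10

struct reader {
    const uint8_t *p;   /* next unread byte */
    size_t left;        /* bytes remaining in the received buffer */
};

/* Read a big-endian uint32; fail if fewer than 4 bytes remain. */
static int read_u32(struct reader *r, uint32_t *out)
{
    if (r->left < 4)
        return -1;
    *out = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
           ((uint32_t)r->p[2] << 8) | (uint32_t)r->p[3];
    r->p += 4;
    r->left -= 4;
    return 0;
}

/* Read a name-list (uint32 length + bytes). The length is attacker-controlled
 * and must be compared with the bytes actually present before being used. */
static int read_namelist(struct reader *r, const uint8_t **data, uint32_t *len)
{
    if (read_u32(r, len) < 0)
        return -1;
    if (*len > r->left)       /* the range check the vulnerable code lacked */
        return -1;
    *data = r->p;
    r->p += *len;
    r->left -= *len;
    return 0;
}

/* Parse a KEXINIT payload of pktlen bytes. Copies the kex algorithm
 * name-list (NUL-terminated) into kex_out and returns 0, or returns -1
 * on any malformed, truncated, or over-long field. */
int parse_kexinit(const uint8_t *pkt, size_t pktlen, char *kex_out, size_t kex_cap)
{
    struct reader r = { pkt, pktlen };
    const uint8_t *list;
    uint32_t listlen, reserved;
    int i;

    if (r.left < 17 || r.p[0] != SSH_MSG_KEXINIT)
        return -1;
    r.p += 17;                /* message type + 16-byte cookie */
    r.left -= 17;
    for (i = 0; i < KEXINIT_NAMELISTS; i++) {
        if (read_namelist(&r, &list, &listlen) < 0)
            return -1;
        if (i == 0) {         /* first list: key exchange algorithms */
            if (listlen >= kex_cap)
                return -1;
            memcpy(kex_out, list, listlen);
            kex_out[listlen] = '\0';
        }
    }
    if (r.left < 1)           /* first_kex_packet_follows */
        return -1;
    r.p += 1;
    r.left -= 1;
    if (read_u32(&r, &reserved) < 0)
        return -1;
    return r.left == 0 ? 0 : -1;   /* reject trailing bytes too */
}

/* Constructed test data: a KEXINIT with the given kex list and nine empty
 * name-lists. buf must hold at least 57 + strlen(kex) bytes. Returns length. */
size_t build_kexinit(uint8_t *buf, const char *kex)
{
    size_t n = 0, klen = strlen(kex);
    int i;
    buf[n++] = SSH_MSG_KEXINIT;
    memset(buf + n, 0x41, 16); n += 16;           /* fixed cookie (test only) */
    for (i = 0; i < KEXINIT_NAMELISTS; i++) {
        uint32_t l = (i == 0) ? (uint32_t)klen : 0;
        buf[n++] = (uint8_t)(l >> 24); buf[n++] = (uint8_t)(l >> 16);
        buf[n++] = (uint8_t)(l >> 8);  buf[n++] = (uint8_t)l;
        if (i == 0) { memcpy(buf + n, kex, klen); n += klen; }
    }
    buf[n++] = 0;                                 /* first_kex_packet_follows */
    memset(buf + n, 0, 4); n += 4;                /* reserved */
    return n;
}

int main(void)
{
    uint8_t buf[256];
    char kex[64];
    size_t n = build_kexinit(buf, "curve25519-sha256,diffie-hellman-group14-sha256");
    printf("valid packet: %d (%s)\n", parse_kexinit(buf, n, kex, sizeof kex), kex);
    buf[17] = buf[18] = buf[19] = buf[20] = 0xFF;  /* MITM claims a 4 GiB list */
    printf("huge length field: %d\n", parse_kexinit(buf, n, kex, sizeof kex));
    return 0;
}
```

The parser carries the remaining-byte count alongside the pointer and checks every length against it before advancing, so a forged length field is rejected instead of becoming an out-of-bounds read; the same discipline applies to every other SSH string and name-list field a client reads from the wire.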