[SECURITY] [DLA 4385-1] libssh security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4385-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
November 27, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : libssh
Version : 0.9.8-0+deb11u2
CVE ID : CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
CVE-2025-8114 CVE-2025-8277
Debian Bug : 1108407 1109860 1114859
Several vulnerabilities have been found in libssh, a tiny C SSH library.
CVE-2025-4877
Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under-allocation, leading to an out-of-bounds
write on 32-bit builds.
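The bug class behind CVE-2025-4877, as an added illustration that is not libssh's bin_to_base64() and does not reproduce its code: a base64 output-size computation done in a 32-bit-wide size type wraps for very large inputs, so the buffer is under-allocated and the encoder writes past it. The unchecked form sits beside a checked one, and an encoder allocates only through the checked computation. The function names, the `sz32` typedef (uint32_t standing in for size_t on a 32-bit build) and the exact arithmetic are assumptions made for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative example added to this advisory; NOT libssh's bin_to_base64().
 * sz32 stands in for size_t on a 32-bit build, so the wrap is reproducible
 * on a 64-bit host as well. */
typedef uint32_t sz32;

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Unchecked (vulnerable shape): 4 * ceil(len/3) + 1 with no overflow guard.
 * For len = 0xFFFFFFFE, len + 2 wraps to 0 and the result is 1 byte. */
static sz32 b64_len_unchecked32(sz32 len)
{
    sz32 padded = (sz32)(len + 2);
    return (sz32)(4 * (padded / 3) + 1);
}

/* Checked: refuse any len for which the addition or the multiplication
 * would wrap. Returns 0 and stores the size, or -1 on overflow. */
static int b64_len_checked32(sz32 len, sz32 *out)
{
    if (len > UINT32_MAX - 2)
        return -1;                        /* len + 2 would wrap */
    sz32 groups = (len + 2) / 3;
    if (groups > (UINT32_MAX - 1) / 4)
        return -1;                        /* 4 * groups + 1 would wrap */
    *out = 4 * groups + 1;
    return 0;
}

/* Encoder that allocates only through the checked computation.
 * Returns a malloc'd NUL-terminated string, or NULL on overflow or ENOMEM. */
static char *b64_encode(const unsigned char *in, sz32 len)
{
    sz32 need;
    if (b64_len_checked32(len, &need) != 0)
        return NULL;
    char *out = malloc((size_t)need);
    if (out == NULL)
        return NULL;

    sz32 o = 0;
    for (sz32 i = 0; i < len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) v |= (uint32_t)in[i + 2];
        out[o++] = B64[(v >> 18) & 0x3f];
        out[o++] = B64[(v >> 12) & 0x3f];
        out[o++] = (i + 1 < len) ? B64[(v >> 6) & 0x3f] : '=';
        out[o++] = (i + 2 < len) ? B64[v & 0x3f] : '=';
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    sz32 huge = 0xFFFFFFFEu, need;
    printf("unchecked: len=%" PRIu32 " -> alloc %" PRIu32 " bytes (wrapped)\n",
           huge, b64_len_unchecked32(huge));
    printf("checked:   len=%" PRIu32 " -> %s\n", huge,
           b64_len_checked32(huge, &need) == 0 ? "ok" : "rejected");

    /* Constructed sample input. */
    const unsigned char msg[] = "Man";
    char *enc = b64_encode(msg, 3);
    printf("encode(\"Man\") = %s\n", enc ? enc : "(null)");
    free(enc);
    return 0;
}
```

The second guard matters on its own: a length such as 0xC0000000 survives the `len + 2` addition but still wraps in `4 * groups + 1`, so checking only the first step would leave the same under-allocation reachable.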
CVE-2025-4878
Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.
CVE-2025-5318
Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out-of-bounds read.
CVE-2025-5372
Ronald Crane found that ssh_kdf() returned a success code on
certain failures, which could lead to use of uninitialized
cryptographic keys and failing to encrypt/decrypt following
communication.
CVE-2025-8114
Philippe Antoine found a null pointer dereference when libssh
calculates the session id during the key exchange (KEX) and a memory
allocation inside the cryptographic functions fails, leading to a
crash.
CVE-2025-8277
Francesco Rollo found a memory leak during the KEX process when a
client sets the `first_kex_packet_follows` flag in the KEXINIT message
and repeatedly makes incorrect KEX guesses.
For Debian 11 bullseye, these problems have been fixed in version
0.9.8-0+deb11u2.
We recommend that you upgrade your libssh packages.
For the detailed security status of libssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libssh
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----