| Package | libssh |
|---|---|
| Version | 0.8.7-1+deb10u3 (buster) |
| Related CVEs | CVE-2020-16135 CVE-2023-6004 CVE-2023-6918 |
Several vulnerabilities were discovered in libssh, a tiny C SSH library.
CVE-2020-16135
A NULL pointer dereference was found in sftpserver, which would lead
to denial of service.
CVE-2023-6004
It was reported that using the ProxyCommand or the ProxyJump feature
may allow an attacker to inject malicious code through specially
crafted hostnames.
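A hostname check of the kind that closes off this class of injection, as an added example (not libssh's own code): before a hostname is substituted into a ProxyCommand or ProxyJump template, accept only the characters a hostname or IPv6 literal can legitimately contain and reject anything a spawned shell or proxy program could interpret. The sample inputs are constructed for the demonstration.

```c
/* Added example, not libssh code: validate a hostname before it is handed
 * to a ProxyCommand/ProxyJump template that will be run by another program. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Allowed characters: letters, digits, '-', '.', and ':' (IPv6 literals).
 * Returns true only when every byte passes; spaces, quotes, ';', '|', '$',
 * '`', newlines and other shell syntax reject the whole name. */
bool hostname_is_safe(const char *host)
{
    if (host == NULL)
        return false;
    size_t len = strlen(host);
    if (len == 0 || len > 255)
        return false;
    /* A leading '-' could be parsed as an option by the spawned command. */
    if (host[0] == '-')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (isalnum(c) || c == '-' || c == '.' || c == ':')
            continue;
        return false;
    }
    return true;
}

/* Run the check over constructed sample hostnames. */
int main(void)
{
    const char *samples[] = {
        "bastion.example.net",   /* ordinary hostname: accepted */
        "2001:db8::1",           /* IPv6 literal: accepted */
        "-oSomeOption",          /* leading dash: rejected */
        "host;ls",               /* shell metacharacter: rejected */
        "host`whoami`",          /* command substitution: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               hostname_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The same check belongs wherever a hostname from a configuration file or user input is about to be interpolated into a command line, not only in the SSH client itself.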
CVE-2023-6918
Jack Weinstein reported that missing checks for return values for
digests may result in denial of service (application crashes) or
usage of uninitialized memory.
For Debian 10 buster, these problems have been fixed in version 0.8.7-1+deb10u3.
We recommend that you upgrade your libssh packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.