[Buildroot] [PATCH] package/libssh2: security bump to latest git
Peter Korsgaard
peter at korsgaard.com
Wed Mar 27 21:49:10 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Bump the version to latest git to fix the following security issues:
> CVE-2019-3855
> Possible integer overflow in transport read allows out-of-bounds write
> URL: https://www.libssh2.org/CVE-2019-3855.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
> CVE-2019-3856
> Possible integer overflow in keyboard interactive handling allows
> out-of-bounds write
> URL: https://www.libssh2.org/CVE-2019-3856.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
> CVE-2019-3857
> Possible integer overflow leading to zero-byte allocation and out-of-bounds
> write
> URL: https://www.libssh2.org/CVE-2019-3857.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
> CVE-2019-3858
> Possible zero-byte allocation leading to an out-of-bounds read
> URL: https://www.libssh2.org/CVE-2019-3858.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
> CVE-2019-3859
> Out-of-bounds reads with specially crafted payloads due to unchecked use of
> `_libssh2_packet_require` and `_libssh2_packet_requirev`
> URL: https://www.libssh2.org/CVE-2019-3859.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch
> CVE-2019-3860
> Out-of-bounds reads with specially crafted SFTP packets
> URL: https://www.libssh2.org/CVE-2019-3860.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch
> CVE-2019-3861
> Out-of-bounds reads with specially crafted SSH packets
> URL: https://www.libssh2.org/CVE-2019-3861.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
> CVE-2019-3862
> Out-of-bounds memory comparison
> URL: https://www.libssh2.org/CVE-2019-3862.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
> CVE-2019-3863
> Integer overflow in user authenicate keyboard interactive allows
> out-of-bounds writes
> URL: https://www.libssh2.org/CVE-2019-3863.html
> Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt
> Drop 0003-openssl-fix-dereferencing-ambiguity-potentially-caus.patch as that
> is now upstream.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2018.02.x, 2018.11.x and 2019.02.x, thanks.
--
Bye, Peter Korsgaard
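The CVE descriptions above share one shape: a length taken from the wire is used in 32-bit arithmetic before it is bounded, so an addition wraps to a tiny allocation size or a subtraction underflows into a huge payload length, and the following copy or compare runs out of bounds. The C below is an added illustration of that pattern and its hardened form; it is not libssh2 code or any of the linked patches. The 5-byte headers, the MAX_PACKET_LEN bound and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on an accepted SSH packet_length (an assumption
 * for this example; RFC 4253 only says implementations MUST be able to
 * handle packets of at least 35000 bytes). */
#define MAX_PACKET_LEN 35000u

/* Constructed 5-byte SSH binary-packet headers: uint32 packet_length
 * (big-endian) followed by one byte of padding_length. */
const unsigned char SAMPLE_BENIGN[5]    = {0x00, 0x00, 0x00, 0x0c, 0x04}; /* len 12, pad 4 */
const unsigned char SAMPLE_HUGE[5]      = {0xff, 0xff, 0xff, 0xfc, 0x04}; /* len 0xfffffffc */
const unsigned char SAMPLE_UNDERFLOW[5] = {0x00, 0x00, 0x00, 0x05, 0x05}; /* pad+1 > len */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive pattern: the wire length is trusted and the allocation size is
 * computed in the same 32-bit type. For SAMPLE_HUGE the addition wraps to 0,
 * so a caller would allocate a zero-byte buffer and then copy packet_length
 * bytes into it: the "zero-byte allocation / out-of-bounds write" shape. */
uint32_t naive_buffer_size(const unsigned char *hdr)
{
    uint32_t packet_len = be32(hdr);
    return packet_len + 4;
}

/* Naive payload length: packet_length - padding_length - 1 with no check
 * that the subtraction stays non-negative. SAMPLE_UNDERFLOW yields
 * 0xffffffff, which would drive an out-of-bounds read further on. */
uint32_t naive_payload_len(const unsigned char *hdr)
{
    uint32_t packet_len  = be32(hdr);
    uint32_t padding_len = hdr[4];
    return packet_len - padding_len - 1;
}

/* Hardened pattern: bound the length before any arithmetic, widen to
 * size_t, and reject padding that would underflow the payload length.
 * Returns 0 and fills the outputs on success, -1 on a rejected packet. */
int checked_packet_sizes(const unsigned char *hdr, size_t *buf_size,
                         size_t *payload_len)
{
    uint32_t packet_len  = be32(hdr);
    uint32_t padding_len = hdr[4];

    if (packet_len > MAX_PACKET_LEN)          return -1; /* oversized / overflow bait */
    if (padding_len < 4)                      return -1; /* RFC 4253: at least 4 bytes */
    if ((size_t)padding_len + 1 > packet_len) return -1; /* would underflow */

    *buf_size    = (size_t)packet_len + 4;
    *payload_len = (size_t)packet_len - padding_len - 1;
    return 0;
}

/* Convenience wrappers that return -1 for a rejected packet. */
long checked_buffer_size(const unsigned char *hdr)
{
    size_t b, p;
    return checked_packet_sizes(hdr, &b, &p) == 0 ? (long)b : -1;
}

long checked_payload_len(const unsigned char *hdr)
{
    size_t b, p;
    return checked_packet_sizes(hdr, &b, &p) == 0 ? (long)p : -1;
}

int main(void)
{
    printf("naive   huge:      alloc %u bytes\n", naive_buffer_size(SAMPLE_HUGE));
    printf("naive   underflow: payload %u bytes\n", naive_payload_len(SAMPLE_UNDERFLOW));
    printf("checked benign:    alloc %ld, payload %ld\n",
           checked_buffer_size(SAMPLE_BENIGN), checked_payload_len(SAMPLE_BENIGN));
    printf("checked huge: %ld, underflow: %ld\n",
           checked_buffer_size(SAMPLE_HUGE), checked_buffer_size(SAMPLE_UNDERFLOW));
    return 0;
}
```

The point of the hardened version is ordering: the bound check happens on the raw wire value before any addition or subtraction, and the arithmetic is then done in a type wide enough that it cannot wrap for values under that bound. When reviewing a length-handling fix like the ones linked above, that is the property to look for.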