Issued:
2019-08-06
Updated:
2019-08-06

RHSA-2019:2136 - Security Advisory

Synopsis

Moderate: libssh2 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for libssh2 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The libssh2 packages provide a library that implements the SSH2 protocol.

The following packages have been upgraded to a later upstream version: libssh2 (1.8.0). (BZ#1592784)

Security Fix(es):

  • libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read (CVE-2019-3858)
  • libssh2: Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

  • BZ - 1687306 - CVE-2019-3858 libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read
  • BZ - 1687311 - CVE-2019-3861 libssh2: Out-of-bounds reads with specially crafted SSH packets

CVEs

References

Red Hat Enterprise Linux Server 7

SRPM
libssh2-1.8.0-3.el7.src.rpm SHA-256: 683e074d2ba4e8e86686c0a0aabc30b64cf04c8f3174fc54845c43b14c506705
x86_64
libssh2-1.8.0-3.el7.i686.rpm SHA-256: 413b3b18597e69551edd925aa5d475e864896b19e9d8ee2b19e82e26886781ec
libssh2-1.8.0-3.el7.x86_64.rpm SHA-256: 48e93a8a3105a77678fc808ae277848e3ef51abf5d8adb174d920d5f102a934c
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-devel-1.8.0-3.el7.i686.rpm SHA-256: 70d979c68ece746fd4db7c74a92976f706a5547c876e092fa68e3b50f5838733
libssh2-devel-1.8.0-3.el7.x86_64.rpm SHA-256: 3aa9c8fade7d0069e032197f2e28d45f70a51001e28749fa3bf255ec9818520d
libssh2-docs-1.8.0-3.el7.noarch.rpm SHA-256: 131fc4052904b43271d009e8a962dc4cf40b510d354d204cceb4f13fa1b99b78

Red Hat Enterprise Linux Workstation 7

SRPM
libssh2-1.8.0-3.el7.src.rpm SHA-256: 683e074d2ba4e8e86686c0a0aabc30b64cf04c8f3174fc54845c43b14c506705
x86_64
libssh2-1.8.0-3.el7.i686.rpm SHA-256: 413b3b18597e69551edd925aa5d475e864896b19e9d8ee2b19e82e26886781ec
libssh2-1.8.0-3.el7.x86_64.rpm SHA-256: 48e93a8a3105a77678fc808ae277848e3ef51abf5d8adb174d920d5f102a934c
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-devel-1.8.0-3.el7.i686.rpm SHA-256: 70d979c68ece746fd4db7c74a92976f706a5547c876e092fa68e3b50f5838733
libssh2-devel-1.8.0-3.el7.x86_64.rpm SHA-256: 3aa9c8fade7d0069e032197f2e28d45f70a51001e28749fa3bf255ec9818520d
libssh2-docs-1.8.0-3.el7.noarch.rpm SHA-256: 131fc4052904b43271d009e8a962dc4cf40b510d354d204cceb4f13fa1b99b78

Red Hat Enterprise Linux Desktop 7

SRPM
libssh2-1.8.0-3.el7.src.rpm SHA-256: 683e074d2ba4e8e86686c0a0aabc30b64cf04c8f3174fc54845c43b14c506705
x86_64
libssh2-1.8.0-3.el7.i686.rpm SHA-256: 413b3b18597e69551edd925aa5d475e864896b19e9d8ee2b19e82e26886781ec
libssh2-1.8.0-3.el7.x86_64.rpm SHA-256: 48e93a8a3105a77678fc808ae277848e3ef51abf5d8adb174d920d5f102a934c
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-devel-1.8.0-3.el7.i686.rpm SHA-256: 70d979c68ece746fd4db7c74a92976f706a5547c876e092fa68e3b50f5838733
libssh2-devel-1.8.0-3.el7.x86_64.rpm SHA-256: 3aa9c8fade7d0069e032197f2e28d45f70a51001e28749fa3bf255ec9818520d
libssh2-docs-1.8.0-3.el7.noarch.rpm SHA-256: 131fc4052904b43271d009e8a962dc4cf40b510d354d204cceb4f13fa1b99b78

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
libssh2-1.8.0-3.el7.src.rpm SHA-256: 683e074d2ba4e8e86686c0a0aabc30b64cf04c8f3174fc54845c43b14c506705
s390x
libssh2-1.8.0-3.el7.s390.rpm SHA-256: d619c64beceee60cad8a9660dd7d3d63aaf86ecfb142d206af3deed6b22a8d1c
libssh2-1.8.0-3.el7.s390x.rpm SHA-256: 503adc703a01089520b4cfba1f67e46e57c9fa9b223aa0937e31b0cdac7b673b
libssh2-debuginfo-1.8.0-3.el7.s390.rpm SHA-256: c0b697272aa5264e9e099110ac10f7e00feda391ee6a31822a0b8fb4312bea1c
libssh2-debuginfo-1.8.0-3.el7.s390.rpm SHA-256: c0b697272aa5264e9e099110ac10f7e00feda391ee6a31822a0b8fb4312bea1c
libssh2-debuginfo-1.8.0-3.el7.s390x.rpm SHA-256: 2425d5118db70ff2b653bd168de7938c16fedab526a9924e97dcd220a0342ab7
libssh2-debuginfo-1.8.0-3.el7.s390x.rpm SHA-256: 2425d5118db70ff2b653bd168de7938c16fedab526a9924e97dcd220a0342ab7
libssh2-devel-1.8.0-3.el7.s390.rpm SHA-256: 6758f26ec7fa5206df61c728af4018ae44291ef05364c5245ed09fc39fb7c4b6
libssh2-devel-1.8.0-3.el7.s390x.rpm SHA-256: d47d96cebb8f12f5bd4bd20f0e3440f4fe3a3358776df9c3ee3a5305a18621d1
libssh2-docs-1.8.0-3.el7.noarch.rpm SHA-256: 131fc4052904b43271d009e8a962dc4cf40b510d354d204cceb4f13fa1b99b78

Red Hat Enterprise Linux for Power, big endian 7

SRPM
libssh2-1.8.0-3.el7.src.rpm SHA-256: 683e074d2ba4e8e86686c0a0aabc30b64cf04c8f3174fc54845c43b14c506705
ppc64
libssh2-1.8.0-3.el7.ppc.rpm SHA-256: cd8bae392799a7d79ef29e700e2666c7089974a92a450df887e5f06c6cfdb898
libssh2-1.8.0-3.el7.ppc64.rpm SHA-256: 286cc55cf2fd7ea0214f88c4e27babaeb5f25e4c2e5482c266f97d6819c9988e
libssh2-debuginfo-1.8.0-3.el7.ppc.rpm SHA-256: 3c521af8efeaa9e27c8f1deb04bb569eb4e4b98d54fad85d25ad50ef912a4d67
libssh2-debuginfo-1.8.0-3.el7.ppc.rpm SHA-256: 3c521af8efeaa9e27c8f1deb04bb569eb4e4b98d54fad85d25ad50ef912a4d67
libssh2-debuginfo-1.8.0-3.el7.ppc64.rpm SHA-256: a5a70ed591c9725d3b3fb6c3d22efdefc3f227118f6e4335c152de107fe53917
libssh2-debuginfo-1.8.0-3.el7.ppc64.rpm SHA-256: a5a70ed591c9725d3b3fb6c3d22efdefc3f227118f6e4335c152de107fe53917
libssh2-devel-1.8.0-3.el7.ppc.rpm SHA-256: 8857338b786381b4dcf50eb3a7ec3317950f1b47b4e3930473b8220b39d6b56f
libssh2-devel-1.8.0-3.el7.ppc64.rpm SHA-256: e13236d00b72edcd66d34ba07b359291d4eee9868bd950afaefda605f5584e1b
libssh2-docs-1.8.0-3.el7.noarch.rpm SHA-256: 131fc4052904b43271d009e8a962dc4cf40b510d354d204cceb4f13fa1b99b78

Red Hat Enterprise Linux for Scientific Computing 7

SRPM
libssh2-1.8.0-3.el7.src.rpm SHA-256: 683e074d2ba4e8e86686c0a0aabc30b64cf04c8f3174fc54845c43b14c506705
x86_64
libssh2-1.8.0-3.el7.i686.rpm SHA-256: 413b3b18597e69551edd925aa5d475e864896b19e9d8ee2b19e82e26886781ec
libssh2-1.8.0-3.el7.x86_64.rpm SHA-256: 48e93a8a3105a77678fc808ae277848e3ef51abf5d8adb174d920d5f102a934c
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.i686.rpm SHA-256: 54443eabdd8114df9f65043c8a611bfa8bc74d13fbedea0974233d71ee072df9
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-debuginfo-1.8.0-3.el7.x86_64.rpm SHA-256: aa69174f58e0667456c3b3f24f4cfa2287d391e7ba18cd4f4a42ddd8168a0e8e
libssh2-devel-1.8.0-3.el7.i686.rpm SHA-256: 70d979c68ece746fd4db7c74a92976f706a5547c876e092fa68e3b50f5838733
libssh2-devel-1.8.0-3.el7.x86_64.rpm SHA-256: 3aa9c8fade7d0069e032197f2e28d45f70a51001e28749fa3bf255ec9818520d
libssh2-docs-1.8.0-3.el7.noarch.rpm SHA-256: 131fc4052904b43271d009e8a962dc4cf40b510d354d204cceb4f13fa1b99b78

Red Hat Enterprise Linux for Power, little endian 7

SRPM
libssh2-1.8.0-3.el7.src.rpm SHA-256: 683e074d2ba4e8e86686c0a0aabc30b64cf04c8f3174fc54845c43b14c506705
ppc64le
libssh2-1.8.0-3.el7.ppc64le.rpm SHA-256: 1a6fa3d65b587dc7720c071657eea5b04ef6fda92760a60c8f584cf97a67be93
libssh2-debuginfo-1.8.0-3.el7.ppc64le.rpm SHA-256: 3e2605e2beaef0283ea643cf966e4ecfdbb6db3d130a419fcde18838874b3e58
libssh2-debuginfo-1.8.0-3.el7.ppc64le.rpm SHA-256: 3e2605e2beaef0283ea643cf966e4ecfdbb6db3d130a419fcde18838874b3e58
libssh2-devel-1.8.0-3.el7.ppc64le.rpm SHA-256: fb2dc180994d6c0e16536028a6b660d2b380cf2c5a45d08acca1010f4d85f1ea
libssh2-docs-1.8.0-3.el7.noarch.rpm SHA-256: 131fc4052904b43271d009e8a962dc4cf40b510d354d204cceb4f13fa1b99b78

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.