First published: Mon Mar 11 2019(Updated: )
A malicious server could send a specially crafted packet which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error.
Credit: Chris Coulson secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/libssh2 | <=1.8.0-2<=1.4.3-4.1+deb8u1<=1.4.3-1<=1.7.0-1 | 1.4.3-4.1+deb8u2 1.8.0-2.1 1.7.0-1+deb9u1 |
Apple Xcode | <11.0 | 11.0 |
debian/libssh2 | 1.8.0-2.1 1.8.0-2.1+deb10u1 1.9.0-2 1.10.0-3 1.11.0-2 | |
Libssh2 Libssh2 | <1.8.1 | |
Fedoraproject Fedora | =28 | |
Fedoraproject Fedora | =29 | |
Fedoraproject Fedora | =30 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
NetApp ONTAP Select Deploy administration utility | ||
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Server Aus | =7.6 | |
Redhat Enterprise Linux Server Eus | =7.6 | |
Redhat Enterprise Linux Server Tus | =7.6 | |
Redhat Enterprise Linux Workstation | =7.0 | |
openSUSE Leap | =42.3 | |
Apple Xcode | <11.0 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
redhat/libssh2 | <1.8.1 | 1.8.1 |
<1.8.1 | ||
=28 | ||
=29 | ||
=30 | ||
=8.0 | ||
=9.0 | ||
=8.0 | ||
=7.0 | ||
=7.0 | ||
=7.6 | ||
=7.6 | ||
=7.6 | ||
=7.0 | ||
=42.3 | ||
<11.0 | ||
=8.56 | ||
=8.57 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Found alongside the following vulnerabilities)
CVE-2019-3855 is an integer overflow flaw in libssh2 before version 1.8.1.
CVE-2019-3855 has a severity rating of 8.8, which is classified as critical.
CVE-2019-3855 could lead to an out-of-bounds write and allow a remote attacker to execute code when a user connects to a compromised SSH server.
The affected software includes libssh2 versions before 1.8.1, Xcode before version 11.0, and various versions of Debian, Fedora, Redhat, and other products.
To fix CVE-2019-3855, update libssh2 to version 1.8.1 or later, and ensure you are using the latest versions of other affected software.