CVE-2019-3858
First published: Thu Mar 21 2019(Updated: )
An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libssh2 | 1.8.0-2.1 1.8.0-2.1+deb10u1 1.9.0-2 1.10.0-3 1.11.0-2 | |
| Libssh2 Libssh2 | <1.8.1 | |
| Fedoraproject Fedora | =29 | |
| Debian Debian Linux | =8.0 | |
| NetApp ONTAP Select Deploy administration utility | ||
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =42.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://libssh2.org/CVE-2019-3858.html
- https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
- https://github.com/libssh2/libssh2/pull/316
- https://security-tracker.debian.org/tracker/CVE-2019-3858
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
- http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html
- http://www.openwall.com/lists/oss-security/2019/03/18/3
- http://www.securityfocus.com/bid/107485
- https://access.redhat.com/errata/RHSA-2019:2136
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3858
- https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/
- https://seclists.org/bugtraq/2019/Apr/25
- https://seclists.org/bugtraq/2019/Mar/25
- https://security.netapp.com/advisory/ntap-20190327-0005/
- https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767
- https://www.debian.org/security/2019/dsa-4431
- https://www.libssh2.org/CVE-2019-3858.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Frequently Asked Questions
What is CVE-2019-3858?
CVE-2019-3858 is an out of bounds read flaw in libssh2 before version 1.8.1.
What is the severity of CVE-2019-3858?
CVE-2019-3858 has a severity rating of 9.1 (critical).
How does CVE-2019-3858 affect the affected software?
CVE-2019-3858 affects the libssh2 package with versions before 1.8.1, Debian Linux 8.0, Fedora 29, openSUSE Leap 15.0 and 42.3, and NetApp ONTAP Select Deploy administration utility.
What is the impact of CVE-2019-3858?
CVE-2019-3858 could allow a remote attacker who compromises an SSH server to cause a Denial of Service or read data in the client memory.
How can I fix CVE-2019-3858?
To fix CVE-2019-3858, update to libssh2 version 1.8.1 or later.
- collector/security-tracker-debian
- collector/nvd-index
- package-manager/debian
- vendor/libssh2
- canonical/libssh2 libssh2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/29
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/netapp
- canonical/netapp ontap select deploy administration utility
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/42.3