- Package:
- src:libssh2
- Source:
- src:libssh2
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-25 21:05:02 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerabilities were published for libssh2.

CVE-2025-15661[0]:
| libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds
| heap read vulnerability in the sftp_symlink() function in src/sftp.c that
| allows a malicious SSH server or man-in-the-middle attacker to disclose
| heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME
| response. Attackers can supply a link_len value larger than the actual
| packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH
| operations, triggering a heap buffer over-read of up to target_len minus
| one bytes due to the missing validation of available packet buffer size
| before the memcpy operation.

CVE-2026-55199[1]:
| libssh2 through 1.11.1, fixed in commit 1762685, contains a
| pre-authentication denial of service vulnerability in the
| SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH
| server to cause a client CPU exhaustion loop by sending a crafted
| extension count value. A malicious server can set nr_extensions to
| 0xFFFFFFFF during key exchange, causing the client to spin in a tight
| CPU loop for over 60 seconds because return values from
| _libssh2_get_string() are unchecked and the session timeout does not
| apply to CPU-bound loops.

CVE-2026-55200[2]:
| libssh2 through 1.11.1, fixed in commit 7acf3df, contains an
| out-of-bounds write vulnerability in ssh2_transport_read() that fails to
| enforce upper bounds on the packet_length field. Remote attackers can
| send crafted SSH packets with excessively large packet_length values to
| corrupt heap memory and achieve remote code execution.

If you fix the vulnerabilities please also make sure to include the CVE
(Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-15661
    https://www.cve.org/CVERecord?id=CVE-2025-15661
[1] https://security-tracker.debian.org/tracker/CVE-2026-55199
    https://www.cve.org/CVERecord?id=CVE-2026-55199
[2] https://security-tracker.debian.org/tracker/CVE-2026-55200
    https://www.cve.org/CVERecord?id=CVE-2026-55200

Regards,
Salvatore
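As an added illustration (not code from libssh2, from the upstream fix commits, or from anyone in this thread): the three reports above share one root cause, a length field taken from the peer and used before it is checked against the bytes actually received. The stand-alone C below shows the check that closes each shape: read_string refuses an SSH string whose declared length exceeds the remaining packet (the READLINK/REALPATH over-read), ext_info_parse bounds nr_extensions and stops on the first failed read instead of spinning (the EXT_INFO loop), and check_packet_length caps packet_length before it drives any read or allocation (the transport over-write). The function names, MAX_PACKET_LEN, the simplified message layouts (no request-id, no longname/attrs) and the sample packets are all assumptions constructed for this example.

```c
/*
 * Added example for this bug thread: bounds checks on attacker-controlled
 * length fields in SSH/SFTP messages. Illustrative code written for this
 * page, not libssh2's code. Function names, MAX_PACKET_LEN, the simplified
 * message layouts and the sample packets below are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed cap on the SSH packet_length field. RFC 4253 requires support for
 * 35000-byte packets; the exact cap is policy, the point is that one is
 * enforced before the length drives any allocation or read. */
#define MAX_PACKET_LEN (256u * 1024u)

typedef struct { const uint8_t *p; size_t len; } cursor_t;   /* len = bytes left */

/* Read a big-endian uint32; fail if fewer than 4 bytes remain. */
static int read_u32(cursor_t *c, uint32_t *out)
{
    if (c->len < 4) return -1;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4; c->len -= 4;
    return 0;
}

/* Read an SSH "string" (uint32 length + bytes). The declared length comes
 * from the peer, so it is compared with the bytes actually remaining before
 * anything is read from it. */
static int read_string(cursor_t *c, const uint8_t **data, uint32_t *n)
{
    uint32_t l;
    if (read_u32(c, &l) != 0) return -1;
    if (l > c->len) return -1;              /* would read past the packet */
    *data = c->p; *n = l;
    c->p += l; c->len -= l;
    return 0;
}

/* Simplified SSH_FXP_NAME body for READLINK/REALPATH: uint32 count, then one
 * string. The name is copied into target (NUL-terminated, truncated to
 * target_len - 1) only after read_string has validated its length. */
int sftp_parse_name_reply(const uint8_t *pkt, size_t pktlen,
                          char *target, size_t target_len)
{
    cursor_t c = { pkt, pktlen };
    uint32_t count, link_len;
    const uint8_t *link;
    if (target_len == 0) return -1;
    if (read_u32(&c, &count) != 0 || count != 1) return -1;
    if (read_string(&c, &link, &link_len) != 0) return -1;
    size_t n = link_len < target_len - 1 ? link_len : target_len - 1;
    memcpy(target, link, n);
    target[n] = '\0';
    return 0;
}

/* SSH_MSG_EXT_INFO body: uint32 nr_extensions, then that many
 * (string name, string value) pairs. Returns the number parsed or -1.
 * Two defences against a hostile count: a plausibility bound (each
 * extension needs at least 8 bytes of length fields) and checking every
 * read_string result so a short packet ends the loop. */
int ext_info_parse(const uint8_t *pkt, size_t pktlen)
{
    cursor_t c = { pkt, pktlen };
    uint32_t nr, i, nlen, vlen;
    const uint8_t *name, *value;
    if (read_u32(&c, &nr) != 0) return -1;
    if (nr > c.len / 8) return -1;          /* cannot fit in the packet */
    for (i = 0; i < nr; i++) {
        if (read_string(&c, &name, &nlen) != 0) return -1;
        if (read_string(&c, &value, &vlen) != 0) return -1;
    }
    return (int)nr;
}

/* Transport-layer check on packet_length before the body is allocated or
 * read: reject zero (no room for padding_length) and anything over the cap. */
int check_packet_length(uint32_t packet_length)
{
    if (packet_length == 0 || packet_length > MAX_PACKET_LEN) return -1;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t sample_name_ok[] = { 0,0,0,1, 0,0,0,7, '/','h','o','m','e','/','u' };
/* count 1, link_len 0x1000, but only three bytes follow */
const uint8_t sample_name_overlong[] = { 0,0,0,1, 0,0,0x10,0, 'a','b','c' };
/* nr_extensions 1: "server-sig-algs" -> "rsa-sha2-256" */
const uint8_t sample_ext_ok[] = { 0,0,0,1,
    0,0,0,15, 's','e','r','v','e','r','-','s','i','g','-','a','l','g','s',
    0,0,0,12, 'r','s','a','-','s','h','a','2','-','2','5','6' };
/* nr_extensions 0xFFFFFFFF with no extension data at all */
const uint8_t sample_ext_hostile[] = { 0xff,0xff,0xff,0xff };
/* nr_extensions 2, second name claims 5 bytes but only 2 are present */
const uint8_t sample_ext_short[] = { 0,0,0,2, 0,0,0,1,'a', 0,0,0,1,'b', 0,0,0,5,'x','y' };

/* Convenience wrapper: parsed name, or NULL when the reply is rejected. */
const char *parse_name_to_static(const uint8_t *pkt, size_t len)
{
    static char target[64];
    return sftp_parse_name_reply(pkt, len, target, sizeof target) == 0 ? target : NULL;
}

int main(void)
{
    const char *t = parse_name_to_static(sample_name_ok, sizeof sample_name_ok);
    printf("valid NAME reply         -> %s\n", t ? t : "rejected");
    printf("overlong link_len        -> %s\n",
           parse_name_to_static(sample_name_overlong, sizeof sample_name_overlong) ? "accepted" : "rejected");
    printf("EXT_INFO, nr=1           -> %d\n", ext_info_parse(sample_ext_ok, sizeof sample_ext_ok));
    printf("EXT_INFO, nr=0xFFFFFFFF  -> %d\n", ext_info_parse(sample_ext_hostile, sizeof sample_ext_hostile));
    printf("EXT_INFO, truncated      -> %d\n", ext_info_parse(sample_ext_short, sizeof sample_ext_short));
    printf("packet_length 0xFFFFFFFF -> %d\n", check_packet_length(0xFFFFFFFFu));
    return 0;
}
```

The hostile EXT_INFO sample is rejected by the plausibility bound before the loop starts; the truncated sample passes that bound and is rejected inside the loop on the first failed read, which is the check whose absence lets a loop keyed on nr_extensions run to 0xFFFFFFFF.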
Hello Salvatore,

thanks for the bug report. I prepared a new package in salsa [1], I also opened a bug upstream [2] since I had to make some changes to the patch for CVE-2025-15661: [3], [4].

Hopefully the package will be uploaded soon.

/Nicolas

[1] https://salsa.debian.org/debian/libssh2/-/blob/master/debian/changelog?ref_type=heads
[2] https://github.com/libssh2/libssh2/issues/2125
[3] https://salsa.debian.org/debian/libssh2/-/blob/master/debian/patches/CVE-2025-15661.patch?ref_type=heads
[4] https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d
Hi Nicolas,

Thank you. Note for trixie-security: Moritz did prepare a security update which should go out soon.

Regards,
Salvatore
I was unaware of the existing trixie pu update since it hasn't been
proposed to the stable release managers yet.
Nicolas, I prepared the following backport yesterday and have uploaded
to security-master, please also have a look over it. I'll release the
DSA tomorrow.
Cheers,
Moritz
Hello,

On 2026-06-24 at 14:11, Moritz Mühlenhoff wrote:

That's on me, I prepared the trixie pu package but didn't send it to the release team because I was overwhelmed in the last weeks. I was planning to do so next week. I will not send my pu package then.

I see that you backported the LIBSSH2_UNCONST macro, I didn't do that in unstable because I was asking upstream about that, they answered me that "The UNCONST cast is simply to quiet compiler warnings and is fine to ignore if back porting." [1]. So I think both approaches are fine, but I suggest to use the same patches in testing and trixie since they use the same release (1.11.1). I will probably use your patches instead for testing.

Thanks for the help!

/Nicolas

[1] https://github.com/libssh2/libssh2/issues/2125#issuecomment-4791983426
Ah, great to have explicit confirmation from upstream! The macro was rather
straightforward, so that felt like the safer route. Especially since future
security patches to be backported might also make use of it going forward.
Sounds good to me! I'll release the DSA tomorrow, autopkgtests for stable
are all fine as well.
Cheers,
Moritz
On 2026-06-24 at 15:57, Moritz Mühlenhoff wrote:

I agree with your approach then. I'll upload the package for unstable today, thanks for the help!

/Nicolas
We believe that the bug you reported is fixed in the latest version of
libssh2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1140401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nicolas Mora <babelouest@debian.org> (supplier of updated libssh2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 24 Jun 2026 09:10:36 -0400
Source: libssh2
Architecture: source
Version: 1.11.1-4
Distribution: unstable
Urgency: medium
Maintainer: Nicolas Mora <babelouest@debian.org>
Changed-By: Nicolas Mora <babelouest@debian.org>
Closes: 1140401
Changes:
libssh2 (1.11.1-4) unstable; urgency=medium
.
[ Moritz Mühlenhoff ]
* d/patches: Fix CVEs CVE-2025-15661 CVE-2026-55199 CVE-2026-55200
(Closes: #1140401)
Checksums-Sha1:
5938c3f259b2e7be98e1c959cd941ebf5be1387f 2329 libssh2_1.11.1-4.dsc
61c721696f08bf91d23dd59b766bac65e9a78b04 1093012 libssh2_1.11.1.orig.tar.gz
d1d810ea2c4807fe71b0b66c784bd874ad5b9c67 488 libssh2_1.11.1.orig.tar.gz.asc
524a6805fe1a9d3282ac28fc0df6c98015afed39 19516 libssh2_1.11.1-4.debian.tar.xz
e527a681f4b97046c1c26d8fe5f72e5e756901af 6294 libssh2_1.11.1-4_amd64.buildinfo
Checksums-Sha256:
efe3cc06d27337d41aec053dccfc6a742d22a134c1b484c2104327bc81770948 2329 libssh2_1.11.1-4.dsc
d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7 1093012 libssh2_1.11.1.orig.tar.gz
f5618c9356a1d5a8059d6cf64015d86547f06b2b8b1f542fbbaf381a736c8075 488 libssh2_1.11.1.orig.tar.gz.asc
e899b43734e37e9f8a08d293265eea8d131bc5206634fc3b3f563ab6b5bdbbc4 19516 libssh2_1.11.1-4.debian.tar.xz
45bf25771c11e9457054cc965fd026b5dfe72c6bba8fd03f3a744272a9fe57bf 6294 libssh2_1.11.1-4_amd64.buildinfo
Files:
1702b420743ecd45f748302515c390a5 2329 libs optional libssh2_1.11.1-4.dsc
38857d10b5c5deb198d6989dacace2e6 1093012 libs optional libssh2_1.11.1.orig.tar.gz
5ecd37626fbb7ca0850a56a05a37a4c2 488 libs optional libssh2_1.11.1.orig.tar.gz.asc
372f959394ece80920ba9d59d870740b 19516 libs optional libssh2_1.11.1-4.debian.tar.xz
dc29e563e6de65f64aef9be7f6c36301 6294 libs optional libssh2_1.11.1-4_amd64.buildinfo
DSA has been released for Trixie. The Debian LTS team will look into an
update for Bookworm.
Cheers,
Moritz
We believe that the bug you reported is fixed in the latest version of
libssh2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1140401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated libssh2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 23 Jun 2026 23:01:56 +0200
Source: libssh2
Architecture: source
Version: 1.11.1-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Nicolas Mora <babelouest@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 1135647 1140401
Changes:
libssh2 (1.11.1-1+deb13u1) trixie-security; urgency=medium
.
* CVE-2026-7598 (Closes: #1135647)
* CVE-2025-15661 / CVE-2026-55199 / CVE-2026-55200 (Closes: #1140401)
Checksums-Sha1:
0035d28817bd9c5967d8a9f04d246fa6720b75e3 2351 libssh2_1.11.1-1+deb13u1.dsc
61c721696f08bf91d23dd59b766bac65e9a78b04 1093012 libssh2_1.11.1.orig.tar.gz
d1d810ea2c4807fe71b0b66c784bd874ad5b9c67 488 libssh2_1.11.1.orig.tar.gz.asc
0476fd56ec9daf6c4fd726d8d28fc75d59824bea 19312 libssh2_1.11.1-1+deb13u1.debian.tar.xz
7212afdc256e7e3a0a78fac3afe4046e5c12919c 7407 libssh2_1.11.1-1+deb13u1_amd64.buildinfo
Checksums-Sha256:
b49dae094697248bd4d3665dd73d13b27739237701b939bc7c1ebedf17dc81e4 2351 libssh2_1.11.1-1+deb13u1.dsc
d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7 1093012 libssh2_1.11.1.orig.tar.gz
f5618c9356a1d5a8059d6cf64015d86547f06b2b8b1f542fbbaf381a736c8075 488 libssh2_1.11.1.orig.tar.gz.asc
095817cecf4b527b68208d72987439622877dde62cd88afe8822efc3d775e013 19312 libssh2_1.11.1-1+deb13u1.debian.tar.xz
65fce54d6aea21d8ba5aaa68cce65b9b4e386b15ab21f332a88031f8ec1e18a6 7407 libssh2_1.11.1-1+deb13u1_amd64.buildinfo
Files:
b84f764f6088fb8c9c8e42af6d36493d 2351 libs optional libssh2_1.11.1-1+deb13u1.dsc
38857d10b5c5deb198d6989dacace2e6 1093012 libs optional libssh2_1.11.1.orig.tar.gz
5ecd37626fbb7ca0850a56a05a37a4c2 488 libs optional libssh2_1.11.1.orig.tar.gz.asc
c8a31ca825329401d4383a68dbd24059 19312 libs optional libssh2_1.11.1-1+deb13u1.debian.tar.xz
13c300983a6905433515df00016dcddb 7407 libs optional libssh2_1.11.1-1+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmo7f+8ACgkQEMKTtsN8
TjZibA/+IJBMCDJCqe8rPcrgzmwoTyn7ZfnqH0/gs9aGMGiopcYPUh2fpFUciHkT
GQhmiG/ckyjYNb3VGC7csnOuzuxgRN3s4yqQwZoEyY8EfJCOGf9d3RICYDH877+B
qiwygy6kkJioAj0HeaSzLHT9KqrfhHqzAKD+OV104jrOOMAjMyuNvCUDJ4FbrfQu
SPMCZZFXhd+zEfNzo0olGqBbZstdG5l2QFskUyRtpXfnj79asxcrJnNiAaHErue5
xN1cdv43cfXq23RUTEYMmOT+GjbGnJyrOrkh5XFlSOWDMvUOeaURhu54Yu2qKty/
FtIklREk9erYHwW5jsXqcLOqNhd6WIvwUelKC0cUh4eTtB3/Ak2hqk+HTmTBDVRy
F5/62TZEw2nUfw467qdbWKD7xBVUuFPMGfpTDHtOKLy4hhnbddU1REqm/GZB/UAB
ueO/BeSdnfwfcjGtiUheOi/y2i32Tr2dPUJF9Dxm+UvCzGPGTpiTYLQ+BLYb+RJW
E4fUR5uGmYVKW2zEZoLSlFUK5eyUB/t1L6vbefAXMhgFoiHFkdXLOVCPPtP6va9V
8V1zGL7HUBBGuLaPpIy4vMukaYK6fGowjKMyYRqC2ycQJ34aTqrOQ3k/1DsyhgF5
fBIV+QFJTgQ8qitpTBty9VeSGhPV/8rtt6HoXH6sNK6s7xbSTF4=
=fHbl
-----END PGP SIGNATURE-----