ALAS2-2019-1303


Amazon Linux 2 Security Advisory: ALAS-2019-1303
Advisory Release Date: 2019-09-30 22:51 Pacific
Advisory Updated Date: 2019-10-02 23:13 Pacific
Severity: Medium
References: CVE-2019-3862 

Issue Overview:

An out of bounds read flaw was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a denial of service or read data in the client memory. (CVE-2019-3862 )


Affected Packages:

libssh2


Issue Correction:
Run yum update libssh2 to update your system.

New Packages:
aarch64:
    libssh2-1.4.3-12.amzn2.2.2.aarch64
    libssh2-devel-1.4.3-12.amzn2.2.2.aarch64
    libssh2-debuginfo-1.4.3-12.amzn2.2.2.aarch64

i686:
    libssh2-1.4.3-12.amzn2.2.2.i686
    libssh2-devel-1.4.3-12.amzn2.2.2.i686
    libssh2-debuginfo-1.4.3-12.amzn2.2.2.i686

noarch:
    libssh2-docs-1.4.3-12.amzn2.2.2.noarch

src:
    libssh2-1.4.3-12.amzn2.2.2.src

x86_64:
    libssh2-1.4.3-12.amzn2.2.2.x86_64
    libssh2-devel-1.4.3-12.amzn2.2.2.x86_64
    libssh2-debuginfo-1.4.3-12.amzn2.2.2.x86_64