Amazon Linux 1 Security Advisory: ALAS-2023-1756
Advisory Release Date: 2023-05-25 17:41 Pacific
Advisory Updated Date: 2023-06-06 18:36 Pacific
An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3859)
An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3860)
Affected Packages:
libssh2
Issue Correction:
Run yum update libssh2 to update your system.
i686:
libssh2-debuginfo-1.4.2-3.13.amzn1.i686
libssh2-devel-1.4.2-3.13.amzn1.i686
libssh2-1.4.2-3.13.amzn1.i686
libssh2-docs-1.4.2-3.13.amzn1.i686
src:
libssh2-1.4.2-3.13.amzn1.src
x86_64:
libssh2-1.4.2-3.13.amzn1.x86_64
libssh2-debuginfo-1.4.2-3.13.amzn1.x86_64
libssh2-docs-1.4.2-3.13.amzn1.x86_64
libssh2-devel-1.4.2-3.13.amzn1.x86_64
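
To confirm the update landed, compare the installed build against the fixed build listed above (1.4.2-3.13.amzn1), not against the upstream 1.8.1 threshold, because the fixed Amazon Linux 1 package keeps the 1.4.2 version and differs only in its release. The script below is an added example, not part of the advisory: the function names are hypothetical, the comparison is a simplified form of rpm's ordering (no epoch, "~" or "^" handling), and the sample build strings are constructed.

```sh
# Added example (not from the advisory): is the installed libssh2 at or above
# the fixed build from ALAS-2023-1756?
FIXED_VR="1.4.2-3.13.amzn1"   # fixed version-release from the advisory's package list

# vr_cmp A B: print -1, 0 or 1. Simplified rpm-style ordering: split into digit
# and letter runs, compare digit runs numerically. No epoch, "~" or "^" handling.
vr_cmp() {
    awk -v a="$1" -v b="$2" '
    function toks(s, T) {
        gsub(/[^A-Za-z0-9]+/, " ", s)
        while (match(s, /[0-9][A-Za-z]|[A-Za-z][0-9]/))
            s = substr(s, 1, RSTART) " " substr(s, RSTART + 1)
        return split(s, T, " ")
    }
    function cmp(x, y,    A, B, na, nb, i, xn, yn) {
        na = toks(x, A); nb = toks(y, B)
        for (i = 1; i <= na && i <= nb; i++) {
            xn = (A[i] ~ /^[0-9]+$/); yn = (B[i] ~ /^[0-9]+$/)
            if (xn && yn) {
                if (A[i] + 0 != B[i] + 0) return (A[i] + 0 < B[i] + 0) ? -1 : 1
            } else if (xn != yn) return xn ? 1 : -1
            else if (A[i] != B[i]) return (A[i] < B[i]) ? -1 : 1
        }
        return (na == nb) ? 0 : ((na < nb) ? -1 : 1)
    }
    BEGIN { print cmp(a, b) }'
}

# libssh2_status VR: classify one installed version-release string.
libssh2_status() {
    if [ "$(vr_cmp "$1" "$FIXED_VR")" -lt 0 ]; then echo VULNERABLE; else echo PATCHED; fi
}

# check_local: classify every libssh2 build in the local rpm database (one per arch).
check_local() {
    vrs=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libssh2) || { echo "libssh2 not installed"; return 0; }
    printf '%s\n' "$vrs" | sort -u | while read -r vr; do
        echo "libssh2-$vr $(libssh2_status "$vr")"
    done
}

if [ "${1:-}" = "--local" ]; then
    check_local
else
    # Constructed sample builds, not real package releases.
    for vr in 1.4.2-3.9.amzn1 1.4.2-3.13.amzn1 1.4.2-3.14.amzn1; do
        echo "libssh2-$vr $(libssh2_status "$vr")"
    done
fi
```

Run it with --local on an Amazon Linux 1 host to query the rpm database; without arguments it classifies the constructed samples.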