ALAS-2023-1756


Amazon Linux 1 Security Advisory: ALAS-2023-1756
Advisory Release Date: 2023-05-25 17:41 Pacific
Advisory Updated Date: 2023-06-06 18:36 Pacific
Severity: Medium

Issue Overview:

An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who controls or compromises an SSH server that the client connects to may be able to cause a Denial of Service or read data in the client's memory. (CVE-2019-3859)

An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who controls or compromises an SSH server that the client connects to may be able to cause a Denial of Service or read data in the client's memory. (CVE-2019-3860)


Affected Packages:

libssh2


Issue Correction:
Run yum update libssh2 to update your system.

New Packages:
i686:
    libssh2-debuginfo-1.4.2-3.13.amzn1.i686
    libssh2-devel-1.4.2-3.13.amzn1.i686
    libssh2-1.4.2-3.13.amzn1.i686
    libssh2-docs-1.4.2-3.13.amzn1.i686

src:
    libssh2-1.4.2-3.13.amzn1.src

x86_64:
    libssh2-1.4.2-3.13.amzn1.x86_64
    libssh2-debuginfo-1.4.2-3.13.amzn1.x86_64
    libssh2-docs-1.4.2-3.13.amzn1.x86_64
    libssh2-devel-1.4.2-3.13.amzn1.x86_64
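
The fixed build listed above keeps the upstream version 1.4.2 because Amazon Linux backports the patch; only the release field (3.13.amzn1) changes, so a scanner that compares the package version against upstream 1.8.1 will keep reporting the host as vulnerable after the update. The following shell script is an added example, not part of this advisory or of the libssh2 project, that compares an installed VERSION-RELEASE string against the fixed build from the package list. The function names rpm_vr_ge and libssh2_status, the FIXED_LIBSSH2 constant and the sample version strings are this example's own; the rpm query shown in a comment is the standard way to obtain the installed string on a live host. Note also that yum update replaces the library on disk but does not restart processes that already have the old libssh2.so mapped; those keep running the vulnerable code until they are restarted.

```shell
#!/bin/sh
# Added example (not part of ALAS-2023-1756): check whether an installed
# libssh2 VERSION-RELEASE string is at or above the fixed build.
# The fixed build comes from the advisory's package list. Because the fix is
# a backport, the upstream version stays 1.4.2 and only the release field
# moves to 3.13.amzn1; comparing against upstream 1.8.1 would wrongly flag
# every updated Amazon Linux 1 host as still vulnerable.

FIXED_LIBSSH2='1.4.2-3.13.amzn1'

# rpm_vr_ge INSTALLED FIXED
# Returns 0 if INSTALLED sorts at or after FIXED under a natural version
# sort (sort -V, a GNU coreutils extension), 1 otherwise. This is good
# enough for Amazon Linux release strings of the form N.N.N-N.N.amzn1;
# rpmdev-vercmp is the authoritative comparison where it is installed.
rpm_vr_ge() {
    installed=$1
    fixed=$2
    # With -V the later version sorts last, so the installed build is at or
    # above the fix exactly when it is the last line of the sorted pair
    # (an equal pair makes both lines identical, which also passes).
    last=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)
    [ "$last" = "$installed" ]
}

# libssh2_status VR
# Prints "fixed" or "vulnerable" and returns 0 / 1 accordingly.
libssh2_status() {
    if rpm_vr_ge "$1" "$FIXED_LIBSSH2"; then
        echo "fixed"
        return 0
    else
        echo "vulnerable"
        return 1
    fi
}

# On a live Amazon Linux 1 host the installed string would come from the
# rpm database:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' libssh2
# The values below are constructed samples, not output captured from a host.
for vr in 1.4.2-3.12.amzn1 1.4.2-3.13.amzn1 1.4.2-3.14.amzn1; do
    if rpm_vr_ge "$vr" "$FIXED_LIBSSH2"; then
        printf '%s: fixed\n' "$vr"
    else
        printf '%s: vulnerable (update libssh2)\n' "$vr"
    fi
done
```

Hosts that report "vulnerable" need `yum update libssh2`; hosts that report "fixed" still need any long-running SSH or SFTP clients linked against libssh2 restarted so they pick up the new library.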