[CLSA-2026:1776855642] Fix CVE(s): CVE-2019-17498, CVE-2019-3857
Type:
security
Severity:
Critical
Release date:
2026-04-22 11:00:47 UTC
Description:
* SECURITY UPDATE: Integer overflow leading to out-of-bounds write when SSH_MSG_CHANNEL_REQUEST packets with exit signal messages are parsed.
  - debian/patches/CVE-2019-3857.patch: check namelen + 1 does not overflow before allocation in exit-signal handling.
  - CVE-2019-3857
* SECURITY UPDATE: Integer overflow in bounds check in SSH_MSG_DISCONNECT packet parsing enabling out-of-bounds read.
  - debian/patches/CVE-2019-17498.patch: harden bounds checking in SSH_MSG_DISCONNECT, SSH_MSG_DEBUG, and SSH_MSG_GLOBAL_REQUEST handlers to prevent unsigned integer underflow and overflow.
  - CVE-2019-17498
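Added example, not part of this advisory or of the libssh2 patches: a C sketch of the two classes of check the description names, a bounds check on a length-prefixed packet field written so that no subtraction can wrap, and a length + 1 allocation guarded against overflow. All function names and the field layout (4-byte big-endian length, then data) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a packet field is a 4-byte big-endian length followed
 * by that many bytes. Names here are hypothetical, not libssh2 identifiers. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed form: "datalen - off - 4" wraps to a huge value when the packet is
 * shorter than the length prefix, so a truncated packet passes the check. */
static int naive_field_fits(uint32_t datalen, uint32_t off, uint32_t len)
{
    return len <= datalen - off - 4;
}

/* Hardened form: prove each subtraction is safe before performing it. */
static int field_fits(size_t datalen, size_t off, uint32_t len)
{
    if (off > datalen || datalen - off < 4)
        return 0;
    return len <= datalen - off - 4;
}

/* Copy the field at 'off' into a new NUL-terminated string, or return NULL. */
static char *dup_field(const uint8_t *data, size_t datalen, size_t off)
{
    uint32_t len;
    char *s;

    if (!field_fits(datalen, off, 0))
        return NULL;             /* length prefix itself is truncated */
    len = be32(data + off);
    if (!field_fits(datalen, off, len) || len == UINT32_MAX)
        return NULL;             /* overlong field, or len + 1 would wrap in 32 bits */
    s = malloc((size_t)len + 1);
    if (!s)
        return NULL;
    memcpy(s, data + off + 4, len);
    s[len] = '\0';
    return s;
}
```
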
Updated packages:
  • libssh2-1_1.5.0-2ubuntu0.1+tuxcare.els3_amd64.deb
    sha:cf251024f392b11247fac4abd21ceae5a57a7cc0
  • libssh2-1-dev_1.5.0-2ubuntu0.1+tuxcare.els3_amd64.deb
    sha:9934034b9ace7144f62ae975b266df81c1eafcb8
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.