{"affected":[{"ecosystem_specific":{"binaries":[{"libssh2-1":"1.9.0-lp152.8.3.1","libssh2-1-32bit":"1.9.0-lp152.8.3.1","libssh2-devel":"1.9.0-lp152.8.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.2","name":"libssh2_org","purl":"pkg:rpm/opensuse/libssh2_org&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.9.0-lp152.8.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for libssh2_org fixes the following issues:\n\n- Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922]\n   Enhancements and bugfixes:\n    * adds ECDSA keys and host key support when using OpenSSL\n    * adds ED25519 key and host key support when using OpenSSL 1.1.1\n    * adds OpenSSH style key file reading\n    * adds AES CTR mode support when using WinCNG\n    * adds PEM passphrase protected file support for Libgcrypt and WinCNG\n    * adds SHA256 hostkey fingerprint\n    * adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()\n    * adds explicit zeroing of sensitive data in memory\n    * adds additional bounds checks to network buffer reads\n    * adds the ability to use the server default permissions when creating sftp directories\n    * adds support for building with OpenSSL no engine flag\n    * adds support for building with LibreSSL\n    * increased sftp packet size to 256k\n    * fixed oversized packet handling in sftp\n    * fixed building with OpenSSL 1.1\n    * fixed a possible crash if sftp stat gets an unexpected response\n    * fixed incorrect parsing of the KEX preference string value\n    * fixed conditional RSA and AES-CTR support\n    * fixed a small memory leak during the key exchange process\n    * fixed a possible memory leak of the ssh banner string\n    * fixed various small memory leaks in the backends\n    * fixed possible out of bounds read when parsing public keys from the server\n    * fixed possible out of bounds read when parsing invalid PEM files\n    * no longer null terminates the scp remote exec command\n    * now handle errors when diffie hellman key pair generation fails\n    * improved building instructions\n    * improved unit tests\n\n- Version update to 1.8.2: [bsc#1130103]\n   Bug fixes:\n    * Fixed the misapplied userauth patch that broke 1.8.1\n    * moved the MAX size declarations from the public header\nThis update was imported from the SUSE:SLE-15:Update update project.","id":"openSUSE-SU-2020:2129-1","modified":"2020-12-01T05:25:38Z","published":"2020-12-01T05:25:38Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HAQH2P56QS5PVJGYRATVMCCAWSF5JABQ/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1130103"},{"type":"REPORT","url":"https://bugzilla.suse.com/1178083"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-17498"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3855"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3856"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3857"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3858"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3859"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3860"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3861"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3862"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-3863"}],"related":["CVE-2019-17498","CVE-2019-3855","CVE-2019-3856","CVE-2019-3857","CVE-2019-3858","CVE-2019-3859","CVE-2019-3860","CVE-2019-3861","CVE-2019-3862","CVE-2019-3863"],"summary":"Security update for libssh2_org","upstream":["CVE-2019-17498","CVE-2019-3855","CVE-2019-3856","CVE-2019-3857","CVE-2019-3858","CVE-2019-3859","CVE-2019-3860","CVE-2019-3861","CVE-2019-3862","CVE-2019-3863"]}