Details of VAR-201903-0388

ID

VAR-201903-0388

CVE

CVE-2019-3855

TITLE

libssh2 Integer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002832

DESCRIPTION

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. libssh2 Contains an integer overflow vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. libssh2 is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, cause denial-of-service conditions, retrieve sensitive information; other attacks may also be possible. It can execute remote commands and file transfers, and at the same time provide a secure transmission channel for remote programs. An integer overflow vulnerability exists in libssh2. The vulnerability is caused by the '_libssh2_transport_read()' function not properly checking the packet_length value from the server. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-7 Xcode 11.0 Xcode 11.0 addresses the following: IDE SCM Available for: macOS Mojave 10.14.4 and later Impact: Multiple issues in libssh2 Description: Multiple issues were addressed by updating to version 2.16. CVE-2019-3855: Chris Coulson ld64 Available for: macOS Mojave 10.14.4 and later Impact: Compiling code without proper input validation could lead to arbitrary code execution with user privilege Description: Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. CVE-2019-8721: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8722: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8723: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8724: Pan ZhenPeng of Qihoo 360 Nirvan Team otool Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2019-8738: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team CVE-2019-8739: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team Installation note: Xcode 11.0 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.0". -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: libssh2 security update Advisory ID: RHSA-2019:0679-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:0679 Issue date: 2019-03-28 CVE Names: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3863 ==================================================================== 1. Summary: An update for libssh2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, noarch, ppc64le, s390x 3. Description: The libssh2 packages provide a library that implements the SSH2 protocol. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect. 5. Package List: Red Hat Enterprise Linux Client (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm ppc64: libssh2-1.4.3-12.el7_6.2.ppc.rpm libssh2-1.4.3-12.el7_6.2.ppc64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64.rpm ppc64le: libssh2-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-1.4.3-12.el7_6.2.s390.rpm libssh2-1.4.3-12.el7_6.2.s390x.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm aarch64: libssh2-1.4.3-12.el7_6.2.aarch64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.aarch64.rpm ppc64le: libssh2-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-1.4.3-12.el7_6.2.s390.rpm libssh2-1.4.3-12.el7_6.2.s390x.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm ppc64: libssh2-debuginfo-1.4.3-12.el7_6.2.ppc.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc64.rpm ppc64le: libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm libssh2-devel-1.4.3-12.el7_6.2.s390.rpm libssh2-devel-1.4.3-12.el7_6.2.s390x.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): aarch64: libssh2-debuginfo-1.4.3-12.el7_6.2.aarch64.rpm libssh2-devel-1.4.3-12.el7_6.2.aarch64.rpm noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm ppc64le: libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm libssh2-devel-1.4.3-12.el7_6.2.s390.rpm libssh2-devel-1.4.3-12.el7_6.2.s390x.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-3855 https://access.redhat.com/security/cve/CVE-2019-3856 https://access.redhat.com/security/cve/CVE-2019-3857 https://access.redhat.com/security/cve/CVE-2019-3863 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXJznXNzjgjWX9erEAQiaLQ/+NOZQa78T9tZT0qw516dUqmfm8y03YJDd LDgRcAbSQIlYF59kO4SxBZ13APCc8ippJXzSeBS49AeQLdesjaj3bYnWXeAiDwIE wE2zqYhjBH3YUW8vmoP26sC4Ov8rijsevHQcn7PcRiTrR/gSdzU59LkxouyWokAC nFVzke+D7aQMFv6mo9EbEEH1Q85/WIfJKKB4XuCHM13L1ohLuVVQnsjxwZtq8hev FCQp1moLuyyvDGjEa0lhp05gqIoDGPccpAzlcbz/HWgkb/6nGOQeTsGkN4MPCqbA O5YilLdgg3/HASMhtWopCgLQucDI6UEdA4sqAmQFJT5sB19kfJVRDQYSKIim8Tno 7DICVw0x5p4YzexurImz5tORwsAhTsKt52Z32KEgaVfZLqBwdJP+l3mQaS4H9wZ7 z4hSB+EPaK6UbKJVq5D5/vhYJlQsSd8sDkLcz30UqNpY0o3LwqBK/8m8apikjxCu cdM0ykUZJsccAB0zwuteBP9dEvyUHFhSkpQgWDZIqHgOuE2jpCnIRpl3aRDgB+ND XkktDObjALWmIqg1Zs6+vLIDhGKG08ZNSpwaLZQrvFK59aGA/2BTDgupJh607Tv4 D/l/yO/KxEaUQa5zsFpej2gIfIFElzZc82/ZmWaViyALtpjJ/kKdC4Fzb5PlVIuH tLzz6XhldNU=R5e5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 7.3) - x86_64 3. 7.5) - noarch, ppc64, ppc64le, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4431-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 13, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libssh2 CVE ID : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863 Debian Bug : 924965 Chris Coulson discovered several vulnerabilities in libssh2, a SSH2 client-side library, which could result in denial of service, information leaks or the execution of arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 1.7.0-1+deb9u1. We recommend that you upgrade your libssh2 packages

Trust: 2.52

sources: NVD: CVE-2019-3855 // JVNDB: JVNDB-2019-002832 // BID: 107485 // VULHUB: VHN-155290 // PACKETSTORM: 154655 // PACKETSTORM: 152282 // PACKETSTORM: 153969 // PACKETSTORM: 153654 // PACKETSTORM: 153811 // PACKETSTORM: 152509

AFFECTED PRODUCTS

vendor:	libssh2	model:	libssh2	scope:	lt	version:	1.8.1	Trust: 1.8
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	28	Trust: 1.0
vendor:	redhat	model:	enterprise linux server aus	scope:	eq	version:	7.6	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	30	Trust: 1.0
vendor:	netapp	model:	ontap select deploy administration utility	scope:	eq	version:	-	Trust: 1.0
vendor:	opensuse	model:	leap	scope:	eq	version:	42.3	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.57	Trust: 1.0
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server tus	scope:	eq	version:	7.6	Trust: 1.0
vendor:	redhat	model:	enterprise linux desktop	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux workstation	scope:	eq	version:	7.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	29	Trust: 1.0
vendor:	redhat	model:	enterprise linux server	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server eus	scope:	eq	version:	7.6	Trust: 1.0
vendor:	apple	model:	xcode	scope:	lt	version:	11.0	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.56	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	debian	model:	gnu/linux	scope:	-	version:	-	Trust: 0.8
vendor:	fedora	model:	fedora	scope:	eq	version:	29	Trust: 0.8
vendor:	netapp	model:	ontap select deploy administration utility	scope:	-	version:	-	Trust: 0.8
vendor:	red hat	model:	enterprise linux desktop	scope:	-	version:	-	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	none	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	aus	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	eus	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	tus	Trust: 0.8
vendor:	red hat	model:	enterprise linux workstation	scope:	-	version:	-	Trust: 0.8
vendor:	redhat	model:	virtualization	scope:	eq	version:	4	Trust: 0.3
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	7	Trust: 0.3
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.8	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.7	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.6	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.5	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4.3	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4.2	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4.1	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.3	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.2.8	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.1	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.3	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.15	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.11	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.1	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	ne	version:	1.8.1	Trust: 0.3

sources: BID: 107485 // JVNDB: JVNDB-2019-002832 // NVD: CVE-2019-3855

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-3855
value:	HIGH
Trust: 1.0
secalert@redhat.com:	CVE-2019-3855
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-3855
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201903-634
value:	HIGH
Trust: 0.6
VULHUB:	VHN-155290
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-3855
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-155290
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-3855
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
secalert@redhat.com:	CVE-2019-3855
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2019-3855
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-155290 // JVNDB: JVNDB-2019-002832 // CNNVD: CNNVD-201903-634 // NVD: CVE-2019-3855 // NVD: CVE-2019-3855

PROBLEMTYPE DATA

problemtype:	CWE-190	Trust: 1.9
problemtype:	CWE-787	Trust: 1.1

sources: VULHUB: VHN-155290 // JVNDB: JVNDB-2019-002832 // NVD: CVE-2019-3855

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002832

PATCH

title:	[SECURITY] [DLA 1730-1] libssh2 security update	url:	https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html	Trust: 0.8
title:	DSA-4431	url:	https://www.debian.org/security/2019/dsa-4431	Trust: 0.8
title:	FEDORA-2019-f31c14682f	url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/	Trust: 0.8
title:	Possible integer overflow in transport read allows out-of-bounds write	url:	https://www.libssh2.org/CVE-2019-3855.html	Trust: 0.8
title:	NTAP-20190327-0005	url:	https://security.netapp.com/advisory/ntap-20190327-0005/	Trust: 0.8
title:	Bug 1687303	url:	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855	Trust: 0.8
title:	RHSA-2019:0679	url:	https://access.redhat.com/errata/RHSA-2019:0679	Trust: 0.8
title:	libssh2 Fixes for digital error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90196	Trust: 0.6

sources: JVNDB: JVNDB-2019-002832 // CNNVD: CNNVD-201903-634

EXTERNAL IDS

db:	NVD	id:	CVE-2019-3855	Trust: 3.4
db:	BID	id:	107485	Trust: 2.0
db:	PACKETSTORM	id:	152136	Trust: 1.7
db:	OPENWALL	id:	OSS-SECURITY/2019/03/18/3	Trust: 1.7
db:	JVNDB	id:	JVNDB-2019-002832	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-634	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.4341	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2340	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.4083	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.1274	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4479.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0911	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4226	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0996	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0894	Trust: 0.6
db:	PACKETSTORM	id:	152509	Trust: 0.2
db:	PACKETSTORM	id:	153654	Trust: 0.2
db:	PACKETSTORM	id:	154655	Trust: 0.2
db:	PACKETSTORM	id:	152282	Trust: 0.2
db:	PACKETSTORM	id:	153969	Trust: 0.2
db:	PACKETSTORM	id:	153811	Trust: 0.2
db:	PACKETSTORM	id:	153510	Trust: 0.1
db:	VULHUB	id:	VHN-155290	Trust: 0.1

sources: VULHUB: VHN-155290 // BID: 107485 // PACKETSTORM: 154655 // PACKETSTORM: 152282 // PACKETSTORM: 153969 // PACKETSTORM: 153654 // PACKETSTORM: 153811 // PACKETSTORM: 152509 // JVNDB: JVNDB-2019-002832 // CNNVD: CNNVD-201903-634 // NVD: CVE-2019-3855

REFERENCES

url:	http://packetstormsecurity.com/files/152136/slackware-security-advisory-libssh2-updates.html	Trust: 2.9
url:	http://www.securityfocus.com/bid/107485	Trust: 2.3
url:	https://www.debian.org/security/2019/dsa-4431	Trust: 2.3
url:	https://www.libssh2.org/cve-2019-3855.html	Trust: 2.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3855	Trust: 2.0
url:	https://access.redhat.com/errata/rhsa-2019:0679	Trust: 1.8
url:	https://access.redhat.com/errata/rhsa-2019:1791	Trust: 1.8
url:	https://access.redhat.com/errata/rhsa-2019:1943	Trust: 1.8
url:	https://access.redhat.com/errata/rhsa-2019:2399	Trust: 1.8
url:	https://seclists.org/bugtraq/2019/mar/25	Trust: 1.7
url:	https://seclists.org/bugtraq/2019/apr/25	Trust: 1.7
url:	https://seclists.org/bugtraq/2019/sep/49	Trust: 1.7
url:	https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3855	Trust: 1.7
url:	https://security.netapp.com/advisory/ntap-20190327-0005/	Trust: 1.7
url:	https://support.apple.com/kb/ht210609	Trust: 1.7
url:	https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2019/sep/42	Trust: 1.7
url:	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Trust: 1.7
url:	https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html	Trust: 1.7
url:	http://www.openwall.com/lists/oss-security/2019/03/18/3	Trust: 1.7
url:	https://access.redhat.com/errata/rhsa-2019:1175	Trust: 1.7
url:	https://access.redhat.com/errata/rhsa-2019:1652	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html	Trust: 1.7
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6lunhpw64igcasz4jq2j5kdxnzn53dww/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/m7if3lnhoa75o4wzwihjlirma5ljued3/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/xcwea5zclkrduk62qvvymfwlwkopx3lo/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5dk6vo2ceutajfyikwnzkekymyr3no2o/	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3855\	Trust: 0.8
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5dk6vo2ceutajfyikwnzkekymyr3no2o/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/m7if3lnhoa75o4wzwihjlirma5ljued3/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6lunhpw64igcasz4jq2j5kdxnzn53dww/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/xcwea5zclkrduk62qvvymfwlwkopx3lo/	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2019-3855	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2019-3856	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2019-3857	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2019-3863	Trust: 0.7
url:	https://www.suse.com/support/update/announcement/2019/suse-su-20190655-1.html	Trust: 0.6
url:	https://fortiguard.com/psirt/fg-ir-19-099	Trust: 0.6
url:	https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1115655	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1115643	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1115649	Trust: 0.6
url:	https://www.suse.com/support/update/announcement/2019/suse-su-201913982-1.html	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/6520674	Trust: 0.6
url:	https://vigilance.fr/vulnerability/libssh2-multiple-vulnerabilities-28768	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/77838	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1120209	Trust: 0.6
url:	https://support.apple.com/en-us/ht210609	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1116357	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2340/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4226/	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1170634	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/79010	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4341/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/77478	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/77406	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4479.2/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-multiple-vulnerabilities-in-libssh2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.4083	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3856	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3857	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3863	Trust: 0.5
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.4
url:	https://bugzilla.redhat.com/):	Trust: 0.4
url:	https://access.redhat.com/security/team/key/	Trust: 0.4
url:	https://access.redhat.com/articles/11258	Trust: 0.4
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.4
url:	https://access.redhat.com/security/team/contact/	Trust: 0.4
url:	http://www.libssh2.org/	Trust: 0.3
url:	https://www.libssh2.org/changes.html	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3858	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3859	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3860	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3861	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3862	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3856.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3857.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3858.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3859.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3860.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3861.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3862.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3863.html	Trust: 0.3
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8724	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8723	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8738	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://developer.apple.com/xcode/downloads/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8722	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8721	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8739	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/libssh2	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3859	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3860	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3861	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3862	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3858	Trust: 0.1

CREDITS

Chris Coulson of Canonical Ltd.,Slackware Security Team

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

SOURCES

db:	VULHUB	id:	VHN-155290
db:	BID	id:	107485
db:	PACKETSTORM	id:	154655
db:	PACKETSTORM	id:	152282
db:	PACKETSTORM	id:	153969
db:	PACKETSTORM	id:	153654
db:	PACKETSTORM	id:	153811
db:	PACKETSTORM	id:	152509
db:	JVNDB	id:	JVNDB-2019-002832
db:	CNNVD	id:	CNNVD-201903-634
db:	NVD	id:	CVE-2019-3855

LAST UPDATE DATE

2025-06-26T22:27:51.071000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-155290	date:	2020-10-15T00:00:00
db:	BID	id:	107485	date:	2019-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-002832	date:	2019-04-24T00:00:00
db:	CNNVD	id:	CNNVD-201903-634	date:	2021-12-03T00:00:00
db:	NVD	id:	CVE-2019-3855	date:	2024-11-21T04:42:43.427

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-155290	date:	2019-03-21T00:00:00
db:	BID	id:	107485	date:	2019-03-18T00:00:00
db:	PACKETSTORM	id:	154655	date:	2019-09-29T10:11:11
db:	PACKETSTORM	id:	152282	date:	2019-03-28T16:23:48
db:	PACKETSTORM	id:	153969	date:	2019-08-07T20:10:33
db:	PACKETSTORM	id:	153654	date:	2019-07-16T20:10:44
db:	PACKETSTORM	id:	153811	date:	2019-07-30T18:13:57
db:	PACKETSTORM	id:	152509	date:	2019-04-15T16:33:02
db:	JVNDB	id:	JVNDB-2019-002832	date:	2019-04-24T00:00:00
db:	CNNVD	id:	CNNVD-201903-634	date:	2019-03-19T00:00:00
db:	NVD	id:	CVE-2019-3855	date:	2019-03-21T21:29:00.433