ID

VAR-201903-0388


CVE

CVE-2019-3855


TITLE

libssh2 Integer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002832

DESCRIPTION

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. libssh2 Contains an integer overflow vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. libssh2 is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, cause denial-of-service conditions, retrieve sensitive information; other attacks may also be possible. It can execute remote commands and file transfers, and at the same time provide a secure transmission channel for remote programs. An integer overflow vulnerability exists in libssh2. The vulnerability is caused by the '_libssh2_transport_read()' function not properly checking the packet_length value from the server. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-7 Xcode 11.0 Xcode 11.0 addresses the following: IDE SCM Available for: macOS Mojave 10.14.4 and later Impact: Multiple issues in libssh2 Description: Multiple issues were addressed by updating to version 2.16. CVE-2019-3855: Chris Coulson ld64 Available for: macOS Mojave 10.14.4 and later Impact: Compiling code without proper input validation could lead to arbitrary code execution with user privilege Description: Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. CVE-2019-8721: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8722: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8723: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8724: Pan ZhenPeng of Qihoo 360 Nirvan Team otool Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2019-8738: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team CVE-2019-8739: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team Installation note: Xcode 11.0 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.0". 6) - i386, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: libssh2 security update Advisory ID: RHSA-2019:0679-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:0679 Issue date: 2019-03-28 CVE Names: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3863 ==================================================================== 1. Summary: An update for libssh2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, noarch, ppc64le, s390x 3. Description: The libssh2 packages provide a library that implements the SSH2 protocol. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect. 5. Package List: Red Hat Enterprise Linux Client (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm ppc64: libssh2-1.4.3-12.el7_6.2.ppc.rpm libssh2-1.4.3-12.el7_6.2.ppc64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64.rpm ppc64le: libssh2-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-1.4.3-12.el7_6.2.s390.rpm libssh2-1.4.3-12.el7_6.2.s390x.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm aarch64: libssh2-1.4.3-12.el7_6.2.aarch64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.aarch64.rpm ppc64le: libssh2-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-1.4.3-12.el7_6.2.s390.rpm libssh2-1.4.3-12.el7_6.2.s390x.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm ppc64: libssh2-debuginfo-1.4.3-12.el7_6.2.ppc.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc64.rpm ppc64le: libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm libssh2-devel-1.4.3-12.el7_6.2.s390.rpm libssh2-devel-1.4.3-12.el7_6.2.s390x.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): aarch64: libssh2-debuginfo-1.4.3-12.el7_6.2.aarch64.rpm libssh2-devel-1.4.3-12.el7_6.2.aarch64.rpm noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm ppc64le: libssh2-debuginfo-1.4.3-12.el7_6.2.ppc64le.rpm libssh2-devel-1.4.3-12.el7_6.2.ppc64le.rpm s390x: libssh2-debuginfo-1.4.3-12.el7_6.2.s390.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.s390x.rpm libssh2-devel-1.4.3-12.el7_6.2.s390.rpm libssh2-devel-1.4.3-12.el7_6.2.s390x.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: libssh2-1.4.3-12.el7_6.2.src.rpm x86_64: libssh2-1.4.3-12.el7_6.2.i686.rpm libssh2-1.4.3-12.el7_6.2.x86_64.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: libssh2-docs-1.4.3-12.el7_6.2.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-12.el7_6.2.i686.rpm libssh2-debuginfo-1.4.3-12.el7_6.2.x86_64.rpm libssh2-devel-1.4.3-12.el7_6.2.i686.rpm libssh2-devel-1.4.3-12.el7_6.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-3855 https://access.redhat.com/security/cve/CVE-2019-3856 https://access.redhat.com/security/cve/CVE-2019-3857 https://access.redhat.com/security/cve/CVE-2019-3863 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXJznXNzjgjWX9erEAQiaLQ/+NOZQa78T9tZT0qw516dUqmfm8y03YJDd LDgRcAbSQIlYF59kO4SxBZ13APCc8ippJXzSeBS49AeQLdesjaj3bYnWXeAiDwIE wE2zqYhjBH3YUW8vmoP26sC4Ov8rijsevHQcn7PcRiTrR/gSdzU59LkxouyWokAC nFVzke+D7aQMFv6mo9EbEEH1Q85/WIfJKKB4XuCHM13L1ohLuVVQnsjxwZtq8hev FCQp1moLuyyvDGjEa0lhp05gqIoDGPccpAzlcbz/HWgkb/6nGOQeTsGkN4MPCqbA O5YilLdgg3/HASMhtWopCgLQucDI6UEdA4sqAmQFJT5sB19kfJVRDQYSKIim8Tno 7DICVw0x5p4YzexurImz5tORwsAhTsKt52Z32KEgaVfZLqBwdJP+l3mQaS4H9wZ7 z4hSB+EPaK6UbKJVq5D5/vhYJlQsSd8sDkLcz30UqNpY0o3LwqBK/8m8apikjxCu cdM0ykUZJsccAB0zwuteBP9dEvyUHFhSkpQgWDZIqHgOuE2jpCnIRpl3aRDgB+ND XkktDObjALWmIqg1Zs6+vLIDhGKG08ZNSpwaLZQrvFK59aGA/2BTDgupJh607Tv4 D/l/yO/KxEaUQa5zsFpej2gIfIFElzZc82/ZmWaViyALtpjJ/kKdC4Fzb5PlVIuH tLzz6XhldNU=R5e5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * A flaw was found in the implementation of the "fill buffer", a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer. (CVE-2018-12130) * Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer. (CVE-2018-12126) * Microprocessors use a ‘load port’ subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU’s pipelines. Stale load operations results are stored in the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel. (CVE-2018-12127) * Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. 7.3) - x86_64 3

Trust: 2.61

sources: NVD: CVE-2019-3855 // JVNDB: JVNDB-2019-002832 // BID: 107485 // VULHUB: VHN-155290 // VULMON: CVE-2019-3855 // PACKETSTORM: 154655 // PACKETSTORM: 153510 // PACKETSTORM: 152282 // PACKETSTORM: 152874 // PACKETSTORM: 153969 // PACKETSTORM: 153811

AFFECTED PRODUCTS

vendor:libssh2model:libssh2scope:ltversion:1.8.1

Trust: 1.8

vendor:fedoraprojectmodel:fedorascope:eqversion:28

Trust: 1.0

vendor:netappmodel:ontap select deploy administration utilityscope:eqversion: -

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:redhatmodel:enterprise linuxscope:eqversion:8.0

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:7.0

Trust: 1.0

vendor:redhatmodel:enterprise linux desktopscope:eqversion:7.0

Trust: 1.0

vendor:redhatmodel:enterprise linux server tusscope:eqversion:7.6

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:29

Trust: 1.0

vendor:applemodel:xcodescope:ltversion:11.0

Trust: 1.0

vendor:opensusemodel:leapscope:eqversion:42.3

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.57

Trust: 1.0

vendor:redhatmodel:enterprise linux workstationscope:eqversion:7.0

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.56

Trust: 1.0

vendor:redhatmodel:enterprise linux server ausscope:eqversion:7.6

Trust: 1.0

vendor:redhatmodel:enterprise linux server eusscope:eqversion:7.6

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:30

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:fedoramodel:fedorascope:eqversion:29

Trust: 0.8

vendor:netappmodel:ontap select deploy administration utilityscope: - version: -

Trust: 0.8

vendor:red hatmodel:enterprise linux desktopscope: - version: -

Trust: 0.8

vendor:red hatmodel:enterprise linux serverscope:eqversion:none

Trust: 0.8

vendor:red hatmodel:enterprise linux serverscope:eqversion:aus

Trust: 0.8

vendor:red hatmodel:enterprise linux serverscope:eqversion:eus

Trust: 0.8

vendor:red hatmodel:enterprise linux serverscope:eqversion:tus

Trust: 0.8

vendor:red hatmodel:enterprise linux workstationscope: - version: -

Trust: 0.8

vendor:redhatmodel:virtualizationscope:eqversion:4

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:7

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:6

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.8

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.7

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.6

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.5

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.4.3

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.4.2

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.4.1

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.4

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.3

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.2.8

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:1.1

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:0.3

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:0.15

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:0.11

Trust: 0.3

vendor:libssh2model:libssh2scope:eqversion:0.1

Trust: 0.3

vendor:libssh2model:libssh2scope:neversion:1.8.1

Trust: 0.3

sources: BID: 107485 // JVNDB: JVNDB-2019-002832 // NVD: CVE-2019-3855

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3855
value: HIGH

Trust: 1.0

secalert@redhat.com: CVE-2019-3855
value: HIGH

Trust: 1.0

NVD: CVE-2019-3855
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201903-634
value: HIGH

Trust: 0.6

VULHUB: VHN-155290
value: HIGH

Trust: 0.1

VULMON: CVE-2019-3855
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-3855
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-155290
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3855
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

secalert@redhat.com: CVE-2019-3855
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2019-3855
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-155290 // VULMON: CVE-2019-3855 // JVNDB: JVNDB-2019-002832 // CNNVD: CNNVD-201903-634 // NVD: CVE-2019-3855 // NVD: CVE-2019-3855

PROBLEMTYPE DATA

problemtype:CWE-190

Trust: 1.9

problemtype:CWE-787

Trust: 1.1

sources: VULHUB: VHN-155290 // JVNDB: JVNDB-2019-002832 // NVD: CVE-2019-3855

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002832

PATCH

title:[SECURITY] [DLA 1730-1] libssh2 security updateurl:https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html

Trust: 0.8

title:DSA-4431url:https://www.debian.org/security/2019/dsa-4431

Trust: 0.8

title:FEDORA-2019-f31c14682furl:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/

Trust: 0.8

title:Possible integer overflow in transport read allows out-of-bounds writeurl:https://www.libssh2.org/CVE-2019-3855.html

Trust: 0.8

title:NTAP-20190327-0005url:https://security.netapp.com/advisory/ntap-20190327-0005/

Trust: 0.8

title:Bug 1687303url:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855

Trust: 0.8

title:RHSA-2019:0679url:https://access.redhat.com/errata/RHSA-2019:0679

Trust: 0.8

title:libssh2 Fixes for digital error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90196

Trust: 0.6

title:Red Hat: Important: libssh2 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191652 - Security Advisory

Trust: 0.1

title:Red Hat: Important: libssh2 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191791 - Security Advisory

Trust: 0.1

title:Red Hat: Important: libssh2 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192399 - Security Advisory

Trust: 0.1

title:Red Hat: Important: libssh2 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20190679 - Security Advisory

Trust: 0.1

title:Red Hat: Important: libssh2 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191943 - Security Advisory

Trust: 0.1

title:Debian CVElist Bug Report Logs: libssh2: CVE-2019-13115url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=fae8ca9a607a0d36a41864075e4d1739

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2019-3855

Trust: 0.1

title:Red Hat: Important: virt:rhel security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191175 - Security Advisory

Trust: 0.1

title:Amazon Linux AMI: ALAS-2019-1254url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1254

Trust: 0.1

title:Amazon Linux 2: ALAS2-2019-1199url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2019-1199

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities (CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3863)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=90ea192442f00a544f31c35e3585a0e6

Trust: 0.1

title:Debian CVElist Bug Report Logs: libssh2: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=00191547a456d0cf5c7b101c1774a050

Trust: 0.1

title:Debian Security Advisories: DSA-4431-1 libssh2 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=32e9048e9588619b2dfacda6369a23ee

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM QRadar Network Security is affected by multiple libssh2 vulnerabilities (CVE-2019-3863, CVE-2019-3857, CVE-2019-3856, CVE-2019-3855)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=55b92934c6d6315aa40e8be4ce2a8bf4

Trust: 0.1

title:IBM: IBM Security Bulletin: Vulnerabiliies in libssh2 affect PowerKVMurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=6e0e5e527a9204c06a52ef667608c6e8

Trust: 0.1

title:Arch Linux Advisories: [ASA-201903-13] libssh2: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201903-13

Trust: 0.1

title:Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - July 2019url:https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins&qid=b76ca4c2e9a0948d77d969fddc7b121b

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin - April 2019url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=0cf12ffad0c479958deb0741d0970b4e

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin - July 2019url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=767e8ff3a913d6c9b177c63c24420933

Trust: 0.1

title:IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-zurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=4ef3e54cc5cdc194f0526779f9480f89

Trust: 0.1

title:Fortinet Security Advisories: libssh2 integer overflow and out of bounds read/write vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=fortinet_security_advisories&qid=FG-IR-19-099

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Access Manager Applianceurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=1519a5f830589c3bab8a20f4163374ae

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d

Trust: 0.1

title:TrivyWeburl:https://github.com/KorayAgaya/TrivyWeb

Trust: 0.1

title:github_aquasecurity_trivyurl:https://github.com/back8/github_aquasecurity_trivy

Trust: 0.1

title:trivyurl:https://github.com/simiyo/trivy

Trust: 0.1

title:securityurl:https://github.com/umahari/security

Trust: 0.1

title: - url:https://github.com/Mohzeela/external-secret

Trust: 0.1

title:Vulnerability-Scanner-for-Containersurl:https://github.com/t31m0/Vulnerability-Scanner-for-Containers

Trust: 0.1

title:trivyurl:https://github.com/siddharthraopotukuchi/trivy

Trust: 0.1

title:trivyurl:https://github.com/aquasecurity/trivy

Trust: 0.1

title:trivyurl:https://github.com/knqyf263/trivy

Trust: 0.1

title:PoC-in-GitHuburl:https://github.com/developer3000S/PoC-in-GitHub

Trust: 0.1

title:CVE-POCurl:https://github.com/0xT11/CVE-POC

Trust: 0.1

title:PoC-in-GitHuburl:https://github.com/nomi-sec/PoC-in-GitHub

Trust: 0.1

title:PoC-in-GitHuburl:https://github.com/hectorgie/PoC-in-GitHub

Trust: 0.1

sources: VULMON: CVE-2019-3855 // JVNDB: JVNDB-2019-002832 // CNNVD: CNNVD-201903-634

EXTERNAL IDS

db:NVDid:CVE-2019-3855

Trust: 3.5

db:BIDid:107485

Trust: 2.1

db:PACKETSTORMid:152136

Trust: 1.8

db:OPENWALLid:OSS-SECURITY/2019/03/18/3

Trust: 1.8

db:JVNDBid:JVNDB-2019-002832

Trust: 0.8

db:CNNVDid:CNNVD-201903-634

Trust: 0.7

db:AUSCERTid:ESB-2019.4341

Trust: 0.6

db:AUSCERTid:ESB-2020.2340

Trust: 0.6

db:AUSCERTid:ESB-2021.4083

Trust: 0.6

db:AUSCERTid:ESB-2019.1274

Trust: 0.6

db:AUSCERTid:ESB-2019.4479.2

Trust: 0.6

db:AUSCERTid:ESB-2019.0911

Trust: 0.6

db:AUSCERTid:ESB-2020.4226

Trust: 0.6

db:AUSCERTid:ESB-2019.0996

Trust: 0.6

db:AUSCERTid:ESB-2019.0894

Trust: 0.6

db:PACKETSTORMid:154655

Trust: 0.2

db:PACKETSTORMid:153510

Trust: 0.2

db:PACKETSTORMid:152282

Trust: 0.2

db:PACKETSTORMid:153969

Trust: 0.2

db:PACKETSTORMid:153811

Trust: 0.2

db:PACKETSTORMid:152509

Trust: 0.1

db:PACKETSTORMid:153654

Trust: 0.1

db:VULHUBid:VHN-155290

Trust: 0.1

db:VULMONid:CVE-2019-3855

Trust: 0.1

db:PACKETSTORMid:152874

Trust: 0.1

sources: VULHUB: VHN-155290 // VULMON: CVE-2019-3855 // BID: 107485 // JVNDB: JVNDB-2019-002832 // PACKETSTORM: 154655 // PACKETSTORM: 153510 // PACKETSTORM: 152282 // PACKETSTORM: 152874 // PACKETSTORM: 153969 // PACKETSTORM: 153811 // CNNVD: CNNVD-201903-634 // NVD: CVE-2019-3855

REFERENCES

url:http://packetstormsecurity.com/files/152136/slackware-security-advisory-libssh2-updates.html

Trust: 3.0

url:http://www.securityfocus.com/bid/107485

Trust: 2.4

url:https://www.debian.org/security/2019/dsa-4431

Trust: 2.4

url:https://www.libssh2.org/cve-2019-3855.html

Trust: 2.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3855

Trust: 2.0

url:https://access.redhat.com/errata/rhsa-2019:0679

Trust: 1.9

url:https://access.redhat.com/errata/rhsa-2019:1175

Trust: 1.9

url:https://access.redhat.com/errata/rhsa-2019:1652

Trust: 1.9

url:https://access.redhat.com/errata/rhsa-2019:1943

Trust: 1.9

url:https://access.redhat.com/errata/rhsa-2019:2399

Trust: 1.9

url:https://seclists.org/bugtraq/2019/mar/25

Trust: 1.8

url:https://seclists.org/bugtraq/2019/apr/25

Trust: 1.8

url:https://seclists.org/bugtraq/2019/sep/49

Trust: 1.8

url:https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3855

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20190327-0005/

Trust: 1.8

url:https://support.apple.com/kb/ht210609

Trust: 1.8

url:https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767

Trust: 1.8

url:http://seclists.org/fulldisclosure/2019/sep/42

Trust: 1.8

url:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html

Trust: 1.8

url:http://www.openwall.com/lists/oss-security/2019/03/18/3

Trust: 1.8

url:https://access.redhat.com/errata/rhsa-2019:1791

Trust: 1.8

url:http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html

Trust: 1.8

url:http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html

Trust: 1.8

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/xcwea5zclkrduk62qvvymfwlwkopx3lo/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5dk6vo2ceutajfyikwnzkekymyr3no2o/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6lunhpw64igcasz4jq2j5kdxnzn53dww/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/m7if3lnhoa75o4wzwihjlirma5ljued3/

Trust: 1.1

url:https://access.redhat.com/security/cve/cve-2019-3855

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2019-3856

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2019-3857

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2019-3863

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3855\

Trust: 0.8

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5dk6vo2ceutajfyikwnzkekymyr3no2o/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/m7if3lnhoa75o4wzwihjlirma5ljued3/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6lunhpw64igcasz4jq2j5kdxnzn53dww/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/xcwea5zclkrduk62qvvymfwlwkopx3lo/

Trust: 0.7

url:https://www.suse.com/support/update/announcement/2019/suse-su-20190655-1.html

Trust: 0.6

url:https://fortiguard.com/psirt/fg-ir-19-099

Trust: 0.6

url:https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1115655

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1115643

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1115649

Trust: 0.6

url:https://www.suse.com/support/update/announcement/2019/suse-su-201913982-1.html

Trust: 0.6

url:https://www.ibm.com/support/pages/node/6520674

Trust: 0.6

url:https://vigilance.fr/vulnerability/libssh2-multiple-vulnerabilities-28768

Trust: 0.6

url:https://www.auscert.org.au/bulletins/77838

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1120209

Trust: 0.6

url:https://support.apple.com/en-us/ht210609

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1116357

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2340/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.4226/

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1170634

Trust: 0.6

url:https://www.auscert.org.au/bulletins/79010

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4341/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/77478

Trust: 0.6

url:https://www.auscert.org.au/bulletins/77406

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4479.2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-multiple-vulnerabilities-in-libssh2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.4083

Trust: 0.6

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-3856

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-3857

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-3863

Trust: 0.5

url:https://bugzilla.redhat.com/):

Trust: 0.5

url:https://access.redhat.com/security/team/key/

Trust: 0.5

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.5

url:https://access.redhat.com/articles/11258

Trust: 0.5

url:https://access.redhat.com/security/team/contact/

Trust: 0.5

url:http://www.libssh2.org/

Trust: 0.3

url:https://www.libssh2.org/changes.html

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-3858

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-3859

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-3860

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-3861

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-3862

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3856.html

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3857.html

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3858.html

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3859.html

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3860.html

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3861.html

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3862.html

Trust: 0.3

url:https://www.libssh2.org/cve-2019-3863.html

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/190.html

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=59797

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/korayagaya/trivyweb

Trust: 0.1

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8724

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8723

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8738

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://developer.apple.com/xcode/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8722

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8721

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11091

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-20815

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-12126

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-12127

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-12126

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11091

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-12130

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-20815

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-12127

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-12130

Trust: 0.1

sources: VULHUB: VHN-155290 // VULMON: CVE-2019-3855 // BID: 107485 // JVNDB: JVNDB-2019-002832 // PACKETSTORM: 154655 // PACKETSTORM: 153510 // PACKETSTORM: 152282 // PACKETSTORM: 152874 // PACKETSTORM: 153969 // PACKETSTORM: 153811 // CNNVD: CNNVD-201903-634 // NVD: CVE-2019-3855

CREDITS

Chris Coulson of Canonical Ltd.,Slackware Security Team

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

SOURCES

db:VULHUBid:VHN-155290
db:VULMONid:CVE-2019-3855
db:BIDid:107485
db:JVNDBid:JVNDB-2019-002832
db:PACKETSTORMid:154655
db:PACKETSTORMid:153510
db:PACKETSTORMid:152282
db:PACKETSTORMid:152874
db:PACKETSTORMid:153969
db:PACKETSTORMid:153811
db:CNNVDid:CNNVD-201903-634
db:NVDid:CVE-2019-3855

LAST UPDATE DATE

2024-11-20T21:12:21.809000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-155290date:2020-10-15T00:00:00
db:VULMONid:CVE-2019-3855date:2023-11-07T00:00:00
db:BIDid:107485date:2019-03-18T00:00:00
db:JVNDBid:JVNDB-2019-002832date:2019-04-24T00:00:00
db:CNNVDid:CNNVD-201903-634date:2021-12-03T00:00:00
db:NVDid:CVE-2019-3855date:2023-11-07T03:10:14.793

SOURCES RELEASE DATE

db:VULHUBid:VHN-155290date:2019-03-21T00:00:00
db:VULMONid:CVE-2019-3855date:2019-03-21T00:00:00
db:BIDid:107485date:2019-03-18T00:00:00
db:JVNDBid:JVNDB-2019-002832date:2019-04-24T00:00:00
db:PACKETSTORMid:154655date:2019-09-29T10:11:11
db:PACKETSTORMid:153510date:2019-07-02T14:08:10
db:PACKETSTORMid:152282date:2019-03-28T16:23:48
db:PACKETSTORMid:152874date:2019-05-15T14:55:50
db:PACKETSTORMid:153969date:2019-08-07T20:10:33
db:PACKETSTORMid:153811date:2019-07-30T18:13:57
db:CNNVDid:CNNVD-201903-634date:2019-03-19T00:00:00
db:NVDid:CVE-2019-3855date:2019-03-21T21:29:00.433