Details of VAR-201903-0388

ID

VAR-201903-0388

CVE

CVE-2019-3855

TITLE

libssh2 Integer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002832

DESCRIPTION

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. libssh2 Contains an integer overflow vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. libssh2 is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, cause denial-of-service conditions, retrieve sensitive information; other attacks may also be possible. It can execute remote commands and file transfers, and at the same time provide a secure transmission channel for remote programs. An integer overflow vulnerability exists in libssh2. The vulnerability is caused by the '_libssh2_transport_read()' function not properly checking the packet_length value from the server. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: libssh2 security update Advisory ID: RHSA-2019:1652-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:1652 Issue date: 2019-07-02 CVE Names: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3863 ==================================================================== 1. Summary: An update for libssh2 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The libssh2 packages provide a library that implements the SSH2 protocol. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect. 5. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: libssh2-1.4.2-3.el6_10.1.src.rpm i386: libssh2-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm x86_64: libssh2-1.4.2-3.el6_10.1.i686.rpm libssh2-1.4.2-3.el6_10.1.x86_64.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-devel-1.4.2-3.el6_10.1.i686.rpm libssh2-docs-1.4.2-3.el6_10.1.i686.rpm x86_64: libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm libssh2-devel-1.4.2-3.el6_10.1.i686.rpm libssh2-devel-1.4.2-3.el6_10.1.x86_64.rpm libssh2-docs-1.4.2-3.el6_10.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: libssh2-1.4.2-3.el6_10.1.src.rpm x86_64: libssh2-1.4.2-3.el6_10.1.i686.rpm libssh2-1.4.2-3.el6_10.1.x86_64.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm libssh2-devel-1.4.2-3.el6_10.1.i686.rpm libssh2-devel-1.4.2-3.el6_10.1.x86_64.rpm libssh2-docs-1.4.2-3.el6_10.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: libssh2-1.4.2-3.el6_10.1.src.rpm i386: libssh2-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm ppc64: libssh2-1.4.2-3.el6_10.1.ppc.rpm libssh2-1.4.2-3.el6_10.1.ppc64.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.ppc.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.ppc64.rpm s390x: libssh2-1.4.2-3.el6_10.1.s390.rpm libssh2-1.4.2-3.el6_10.1.s390x.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.s390.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.s390x.rpm x86_64: libssh2-1.4.2-3.el6_10.1.i686.rpm libssh2-1.4.2-3.el6_10.1.x86_64.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-devel-1.4.2-3.el6_10.1.i686.rpm libssh2-docs-1.4.2-3.el6_10.1.i686.rpm ppc64: libssh2-debuginfo-1.4.2-3.el6_10.1.ppc.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.ppc64.rpm libssh2-devel-1.4.2-3.el6_10.1.ppc.rpm libssh2-devel-1.4.2-3.el6_10.1.ppc64.rpm libssh2-docs-1.4.2-3.el6_10.1.ppc64.rpm s390x: libssh2-debuginfo-1.4.2-3.el6_10.1.s390.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.s390x.rpm libssh2-devel-1.4.2-3.el6_10.1.s390.rpm libssh2-devel-1.4.2-3.el6_10.1.s390x.rpm libssh2-docs-1.4.2-3.el6_10.1.s390x.rpm x86_64: libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm libssh2-devel-1.4.2-3.el6_10.1.i686.rpm libssh2-devel-1.4.2-3.el6_10.1.x86_64.rpm libssh2-docs-1.4.2-3.el6_10.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: libssh2-1.4.2-3.el6_10.1.src.rpm i386: libssh2-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm x86_64: libssh2-1.4.2-3.el6_10.1.i686.rpm libssh2-1.4.2-3.el6_10.1.x86_64.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-devel-1.4.2-3.el6_10.1.i686.rpm libssh2-docs-1.4.2-3.el6_10.1.i686.rpm x86_64: libssh2-debuginfo-1.4.2-3.el6_10.1.i686.rpm libssh2-debuginfo-1.4.2-3.el6_10.1.x86_64.rpm libssh2-devel-1.4.2-3.el6_10.1.i686.rpm libssh2-devel-1.4.2-3.el6_10.1.x86_64.rpm libssh2-docs-1.4.2-3.el6_10.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-3855 https://access.redhat.com/security/cve/CVE-2019-3856 https://access.redhat.com/security/cve/CVE-2019-3857 https://access.redhat.com/security/cve/CVE-2019-3863 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXRtECtzjgjWX9erEAQi/TQ/8DrWhCl0cm7Mq3Jwxy7irw+8oTuFRBJa+ wEHbwmn7aZSP+cWmc2mkK6w/UCY8E6GopyBU+EG+K3IGvMviMkLCNBXqQ677l1ha nCCsq792PNwopzH3f+iVtdw2m7CD4gDSpiNLi+mdKSP+wpvbDEQLkA98pG5G/BxB dQg87Yd9W8cDg2yqVX7e83L6htZsH60M+YzCqXvqLMLqaV1pMc0XQOT22mIXqcy5 VxoS8Rk7TVAZEMsaw7niKA+flJEUbaBLVgNyp7lR34LoYbJ6mJbFpMtWn34LDaFT jaLVhblIqUAGDDKZvgLv6nxw0olqgUx7XB94upIuDlqItaowfG8K2iVqdg9X5BWM RacPOrYgFMz9PeAyvfDRQavkKog2CiXnwtaqaiCQq24+ltOUpCWATA+GfMgoHTcA cPmKfcHCFrqQtn5uHUQkClOPLf2Y3/PMZ2kndMzfq83pk/MNTo6FrmriLTZlVjXV aSXdsJmJTk4vwDoUfVAJStYtaVUOkQbi7abc/6zqyXBfZYtOXcW/wOxpEkzSyjqs wTrOt44CtQue4JSGUc0jVu2EPHOUhdjsukcEGZUy7Kz6UmDDS7ZF2oZa1SPOy6/N ZYScGaajW4cxDffPNPF2GRm83o5IwZFrEOx5Mgwr8683XU+QK7Ygz+SwS/GizPyB a9Sb8jA7bhE=R9ze -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] libssh2 (SSA:2019-077-01) New libssh2 packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/libssh2-1.8.1-i586-1_slack14.2.txz: Upgraded. Fixed several security issues. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libssh2-1.8.1-i586-1_slack14.2.txz Updated package for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libssh2-1.8.1-x86_64-1_slack14.2.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libssh2-1.8.1-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libssh2-1.8.1-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.2 package: 42862bdd55431f6c32f38250275b70fc libssh2-1.8.1-i586-1_slack14.2.txz Slackware x86_64 14.2 package: 3932a95faa37ee1575300fff666b1f4b libssh2-1.8.1-x86_64-1_slack14.2.txz Slackware -current package: a8a256fffd0ee22986b4a8ebeb1f6b68 l/libssh2-1.8.1-i586-1.txz Slackware x86_64 -current package: 14e5f9dd239afd45c3faa27fc02f7c25 l/libssh2-1.8.1-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg libssh2-1.8.1-i586-1_slack14.2.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address

Trust: 2.43

sources: NVD: CVE-2019-3855 // JVNDB: JVNDB-2019-002832 // BID: 107485 // VULHUB: VHN-155290 // VULMON: CVE-2019-3855 // PACKETSTORM: 153510 // PACKETSTORM: 153654 // PACKETSTORM: 152136 // PACKETSTORM: 153811

AFFECTED PRODUCTS

vendor:	libssh2	model:	libssh2	scope:	lt	version:	1.8.1	Trust: 1.8
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	28	Trust: 1.0
vendor:	redhat	model:	enterprise linux server aus	scope:	eq	version:	7.6	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	30	Trust: 1.0
vendor:	netapp	model:	ontap select deploy administration utility	scope:	eq	version:	-	Trust: 1.0
vendor:	opensuse	model:	leap	scope:	eq	version:	42.3	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.57	Trust: 1.0
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server tus	scope:	eq	version:	7.6	Trust: 1.0
vendor:	redhat	model:	enterprise linux desktop	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux workstation	scope:	eq	version:	7.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	29	Trust: 1.0
vendor:	redhat	model:	enterprise linux server	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server eus	scope:	eq	version:	7.6	Trust: 1.0
vendor:	apple	model:	xcode	scope:	lt	version:	11.0	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.56	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	debian	model:	gnu/linux	scope:	-	version:	-	Trust: 0.8
vendor:	fedora	model:	fedora	scope:	eq	version:	29	Trust: 0.8
vendor:	netapp	model:	ontap select deploy administration utility	scope:	-	version:	-	Trust: 0.8
vendor:	red hat	model:	enterprise linux desktop	scope:	-	version:	-	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	none	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	aus	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	eus	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	tus	Trust: 0.8
vendor:	red hat	model:	enterprise linux workstation	scope:	-	version:	-	Trust: 0.8
vendor:	redhat	model:	virtualization	scope:	eq	version:	4	Trust: 0.3
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	7	Trust: 0.3
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.8	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.7	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.6	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.5	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4.3	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4.2	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4.1	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.4	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.3	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.2.8	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	1.1	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.3	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.15	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.11	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	eq	version:	0.1	Trust: 0.3
vendor:	libssh2	model:	libssh2	scope:	ne	version:	1.8.1	Trust: 0.3

sources: BID: 107485 // JVNDB: JVNDB-2019-002832 // NVD: CVE-2019-3855

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-3855
value:	HIGH
Trust: 1.0
secalert@redhat.com:	CVE-2019-3855
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-3855
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201903-634
value:	HIGH
Trust: 0.6
VULHUB:	VHN-155290
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-3855
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-3855
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-155290
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-3855
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
secalert@redhat.com:	CVE-2019-3855
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2019-3855
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-155290 // VULMON: CVE-2019-3855 // JVNDB: JVNDB-2019-002832 // CNNVD: CNNVD-201903-634 // NVD: CVE-2019-3855 // NVD: CVE-2019-3855

PROBLEMTYPE DATA

problemtype:	CWE-190	Trust: 1.9
problemtype:	CWE-787	Trust: 1.1

sources: VULHUB: VHN-155290 // JVNDB: JVNDB-2019-002832 // NVD: CVE-2019-3855

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002832

PATCH

title:	[SECURITY] [DLA 1730-1] libssh2 security update	url:	https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html	Trust: 0.8
title:	DSA-4431	url:	https://www.debian.org/security/2019/dsa-4431	Trust: 0.8
title:	FEDORA-2019-f31c14682f	url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/	Trust: 0.8
title:	Possible integer overflow in transport read allows out-of-bounds write	url:	https://www.libssh2.org/CVE-2019-3855.html	Trust: 0.8
title:	NTAP-20190327-0005	url:	https://security.netapp.com/advisory/ntap-20190327-0005/	Trust: 0.8
title:	Bug 1687303	url:	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855	Trust: 0.8
title:	RHSA-2019:0679	url:	https://access.redhat.com/errata/RHSA-2019:0679	Trust: 0.8
title:	libssh2 Fixes for digital error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90196	Trust: 0.6
title:	Red Hat: Important: libssh2 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191652 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: libssh2 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191791 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: libssh2 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192399 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: libssh2 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20190679 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: libssh2 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191943 - Security Advisory	Trust: 0.1
title:	Debian CVElist Bug Report Logs: libssh2: CVE-2019-13115	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=fae8ca9a607a0d36a41864075e4d1739	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2019-3855	Trust: 0.1
title:	Red Hat: Important: virt:rhel security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191175 - Security Advisory	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2019-1254	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1254	Trust: 0.1
title:	Amazon Linux 2: ALAS2-2019-1199	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2019-1199	Trust: 0.1
title:	IBM: IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities (CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3863)	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=90ea192442f00a544f31c35e3585a0e6	Trust: 0.1
title:	Debian CVElist Bug Report Logs: libssh2: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=00191547a456d0cf5c7b101c1774a050	Trust: 0.1
title:	Debian Security Advisories: DSA-4431-1 libssh2 -- security update	url:	https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=32e9048e9588619b2dfacda6369a23ee	Trust: 0.1
title:	IBM: IBM Security Bulletin: IBM QRadar Network Security is affected by multiple libssh2 vulnerabilities (CVE-2019-3863, CVE-2019-3857, CVE-2019-3856, CVE-2019-3855)	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=55b92934c6d6315aa40e8be4ce2a8bf4	Trust: 0.1
title:	IBM: IBM Security Bulletin: Vulnerabiliies in libssh2 affect PowerKVM	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=6e0e5e527a9204c06a52ef667608c6e8	Trust: 0.1
title:	Arch Linux Advisories: [ASA-201903-13] libssh2: multiple issues	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201903-13	Trust: 0.1
title:	Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - July 2019	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins&qid=b76ca4c2e9a0948d77d969fddc7b121b	Trust: 0.1
title:	Oracle Linux Bulletins: Oracle Linux Bulletin - April 2019	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=0cf12ffad0c479958deb0741d0970b4e	Trust: 0.1
title:	Oracle Linux Bulletins: Oracle Linux Bulletin - July 2019	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=767e8ff3a913d6c9b177c63c24420933	Trust: 0.1
title:	IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=4ef3e54cc5cdc194f0526779f9480f89	Trust: 0.1
title:	Fortinet Security Advisories: libssh2 integer overflow and out of bounds read/write vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=fortinet_security_advisories&qid=FG-IR-19-099	Trust: 0.1
title:	IBM: IBM Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Access Manager Appliance	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=1519a5f830589c3bab8a20f4163374ae	Trust: 0.1
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d	Trust: 0.1
title:	TrivyWeb	url:	https://github.com/KorayAgaya/TrivyWeb	Trust: 0.1
title:	github_aquasecurity_trivy	url:	https://github.com/back8/github_aquasecurity_trivy	Trust: 0.1
title:	trivy	url:	https://github.com/simiyo/trivy	Trust: 0.1
title:	security	url:	https://github.com/umahari/security	Trust: 0.1
title:	-	url:	https://github.com/Mohzeela/external-secret	Trust: 0.1
title:	Vulnerability-Scanner-for-Containers	url:	https://github.com/t31m0/Vulnerability-Scanner-for-Containers	Trust: 0.1
title:	trivy	url:	https://github.com/siddharthraopotukuchi/trivy	Trust: 0.1
title:	trivy	url:	https://github.com/aquasecurity/trivy	Trust: 0.1
title:	trivy	url:	https://github.com/knqyf263/trivy	Trust: 0.1
title:	PoC-in-GitHub	url:	https://github.com/developer3000S/PoC-in-GitHub	Trust: 0.1
title:	CVE-POC	url:	https://github.com/0xT11/CVE-POC	Trust: 0.1
title:	PoC-in-GitHub	url:	https://github.com/nomi-sec/PoC-in-GitHub	Trust: 0.1
title:	PoC-in-GitHub	url:	https://github.com/hectorgie/PoC-in-GitHub	Trust: 0.1

sources: VULMON: CVE-2019-3855 // JVNDB: JVNDB-2019-002832 // CNNVD: CNNVD-201903-634

EXTERNAL IDS

db:	NVD	id:	CVE-2019-3855	Trust: 3.3
db:	BID	id:	107485	Trust: 2.1
db:	PACKETSTORM	id:	152136	Trust: 1.9
db:	OPENWALL	id:	OSS-SECURITY/2019/03/18/3	Trust: 1.8
db:	JVNDB	id:	JVNDB-2019-002832	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-634	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.4341	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2340	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.4083	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.1274	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4479.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0911	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4226	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0996	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0894	Trust: 0.6
db:	PACKETSTORM	id:	153654	Trust: 0.2
db:	PACKETSTORM	id:	153510	Trust: 0.2
db:	PACKETSTORM	id:	153811	Trust: 0.2
db:	PACKETSTORM	id:	152509	Trust: 0.1
db:	PACKETSTORM	id:	154655	Trust: 0.1
db:	PACKETSTORM	id:	152282	Trust: 0.1
db:	PACKETSTORM	id:	153969	Trust: 0.1
db:	VULHUB	id:	VHN-155290	Trust: 0.1
db:	VULMON	id:	CVE-2019-3855	Trust: 0.1

sources: VULHUB: VHN-155290 // VULMON: CVE-2019-3855 // BID: 107485 // JVNDB: JVNDB-2019-002832 // PACKETSTORM: 153510 // PACKETSTORM: 153654 // PACKETSTORM: 152136 // PACKETSTORM: 153811 // CNNVD: CNNVD-201903-634 // NVD: CVE-2019-3855

REFERENCES

url:	http://packetstormsecurity.com/files/152136/slackware-security-advisory-libssh2-updates.html	Trust: 3.0
url:	http://www.securityfocus.com/bid/107485	Trust: 2.4
url:	https://www.debian.org/security/2019/dsa-4431	Trust: 2.4
url:	https://www.libssh2.org/cve-2019-3855.html	Trust: 2.1
url:	https://access.redhat.com/errata/rhsa-2019:1652	Trust: 1.9
url:	https://access.redhat.com/errata/rhsa-2019:1791	Trust: 1.9
url:	https://access.redhat.com/errata/rhsa-2019:1943	Trust: 1.9
url:	https://seclists.org/bugtraq/2019/mar/25	Trust: 1.8
url:	https://seclists.org/bugtraq/2019/apr/25	Trust: 1.8
url:	https://seclists.org/bugtraq/2019/sep/49	Trust: 1.8
url:	https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3855	Trust: 1.8
url:	https://security.netapp.com/advisory/ntap-20190327-0005/	Trust: 1.8
url:	https://support.apple.com/kb/ht210609	Trust: 1.8
url:	https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767	Trust: 1.8
url:	http://seclists.org/fulldisclosure/2019/sep/42	Trust: 1.8
url:	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Trust: 1.8
url:	https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html	Trust: 1.8
url:	http://www.openwall.com/lists/oss-security/2019/03/18/3	Trust: 1.8
url:	https://access.redhat.com/errata/rhsa-2019:0679	Trust: 1.8
url:	https://access.redhat.com/errata/rhsa-2019:1175	Trust: 1.8
url:	https://access.redhat.com/errata/rhsa-2019:2399	Trust: 1.8
url:	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html	Trust: 1.8
url:	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3855	Trust: 1.8
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/xcwea5zclkrduk62qvvymfwlwkopx3lo/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5dk6vo2ceutajfyikwnzkekymyr3no2o/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6lunhpw64igcasz4jq2j5kdxnzn53dww/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/m7if3lnhoa75o4wzwihjlirma5ljued3/	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3855\	Trust: 0.8
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5dk6vo2ceutajfyikwnzkekymyr3no2o/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/m7if3lnhoa75o4wzwihjlirma5ljued3/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6lunhpw64igcasz4jq2j5kdxnzn53dww/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/xcwea5zclkrduk62qvvymfwlwkopx3lo/	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2019-3855	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2019-3856	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2019-3857	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2019-3863	Trust: 0.6
url:	https://www.suse.com/support/update/announcement/2019/suse-su-20190655-1.html	Trust: 0.6
url:	https://fortiguard.com/psirt/fg-ir-19-099	Trust: 0.6
url:	https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1115655	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1115643	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1115649	Trust: 0.6
url:	https://www.suse.com/support/update/announcement/2019/suse-su-201913982-1.html	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/6520674	Trust: 0.6
url:	https://vigilance.fr/vulnerability/libssh2-multiple-vulnerabilities-28768	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/77838	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1120209	Trust: 0.6
url:	https://support.apple.com/en-us/ht210609	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1116357	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2340/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4226/	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1170634	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/79010	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4341/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/77478	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/77406	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4479.2/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-multiple-vulnerabilities-in-libssh2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.4083	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3856	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3857	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3863	Trust: 0.4
url:	http://www.libssh2.org/	Trust: 0.3
url:	https://www.libssh2.org/changes.html	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3858	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3859	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3860	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3861	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-3862	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3856.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3857.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3858.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3859.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3860.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3861.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3862.html	Trust: 0.3
url:	https://www.libssh2.org/cve-2019-3863.html	Trust: 0.3
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.3
url:	https://bugzilla.redhat.com/):	Trust: 0.3
url:	https://access.redhat.com/security/team/key/	Trust: 0.3
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.3
url:	https://access.redhat.com/articles/11258	Trust: 0.3
url:	https://access.redhat.com/security/team/contact/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/787.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/190.html	Trust: 0.1
url:	https://tools.cisco.com/security/center/viewalert.x?alertid=59797	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/korayagaya/trivyweb	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3861	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3859	Trust: 0.1
url:	http://slackware.com	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3860	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3863	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3861	Trust: 0.1
url:	http://slackware.com/gpg-key	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3862	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3857	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3858	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3856	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3862	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3859	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3860	Trust: 0.1
url:	http://osuosl.org)	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3855	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3858	Trust: 0.1

CREDITS

Chris Coulson of Canonical Ltd.,Slackware Security Team

Trust: 0.6

sources: CNNVD: CNNVD-201903-634

SOURCES

db:	VULHUB	id:	VHN-155290
db:	VULMON	id:	CVE-2019-3855
db:	BID	id:	107485
db:	JVNDB	id:	JVNDB-2019-002832
db:	PACKETSTORM	id:	153510
db:	PACKETSTORM	id:	153654
db:	PACKETSTORM	id:	152136
db:	PACKETSTORM	id:	153811
db:	CNNVD	id:	CNNVD-201903-634
db:	NVD	id:	CVE-2019-3855

LAST UPDATE DATE

2025-02-20T21:37:05.962000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-155290	date:	2020-10-15T00:00:00
db:	VULMON	id:	CVE-2019-3855	date:	2023-11-07T00:00:00
db:	BID	id:	107485	date:	2019-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-002832	date:	2019-04-24T00:00:00
db:	CNNVD	id:	CNNVD-201903-634	date:	2021-12-03T00:00:00
db:	NVD	id:	CVE-2019-3855	date:	2024-11-21T04:42:43.427

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-155290	date:	2019-03-21T00:00:00
db:	VULMON	id:	CVE-2019-3855	date:	2019-03-21T00:00:00
db:	BID	id:	107485	date:	2019-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-002832	date:	2019-04-24T00:00:00
db:	PACKETSTORM	id:	153510	date:	2019-07-02T14:08:10
db:	PACKETSTORM	id:	153654	date:	2019-07-16T20:10:44
db:	PACKETSTORM	id:	152136	date:	2019-03-19T20:53:48
db:	PACKETSTORM	id:	153811	date:	2019-07-30T18:13:57
db:	CNNVD	id:	CNNVD-201903-634	date:	2019-03-19T00:00:00
db:	NVD	id:	CVE-2019-3855	date:	2019-03-21T21:29:00.433