fix: CVE-2025-15661 and CVE-2026-55199 for libssh2#3

Closed
deepin-ci-robot wants to merge 2 commits into master from fix/CVE-2025-15661-multi

@deepin-ci-robot deepin-ci-robot commented Jun 24, 2026

Fix two CVEs in libssh2:

CVE-2025-15661

Heap buffer over-read in sftp_symlink() via crafted SSH_FXP_NAME response.
Upstream: 2dae3024897e1898d389835151f4e9606227721d

CVE-2026-55199

Pre-authentication DoS via SSH_MSG_EXT_INFO handler causing CPU exhaustion.
Upstream: 17626857d20b3c9a1addfa45979dadcee1cd84a4

@github-actions

TAG Bot

TAG: 1.11.1-1deepin4
EXISTED: no
DISTRIBUTION: unstable

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zccrs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

deepin-ci-robot and others added 2 commits June 26, 2026 13:25
Fix heap buffer over-read in sftp_symlink() by using the string_buf
struct to guard against out-of-bounds reads and malformed packets.

Upstream: libssh2/libssh2@2dae302
Generated-By: uos/deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix pre-authentication DoS by checking return values from
_libssh2_get_string() in the SSH_MSG_EXT_INFO handler.

Upstream: libssh2/libssh2@1762685
Generated-By: uos/deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>
@deepin-ci-robot deepin-ci-robot force-pushed the fix/CVE-2025-15661-multi branch from 078696d to 899b522 Compare June 26, 2026 05:26
@hudeng-go hudeng-go closed this Jul 1, 2026
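
An added illustration, not code from this PR or from libssh2, of the pattern the two commit messages describe: a length-tracking cursor that refuses reads past the end of a packet, and a count-driven loop that stops at the first failed read. All names, the packet layout and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical packet cursor; names are illustrative, not libssh2's. */
struct sbuf { const unsigned char *ptr; size_t left; };

/* Read a big-endian uint32; -1 if fewer than 4 bytes remain. */
static int sbuf_get_u32(struct sbuf *b, uint32_t *out) {
    if (b->left < 4) return -1;
    *out = ((uint32_t)b->ptr[0] << 24) | ((uint32_t)b->ptr[1] << 16) |
           ((uint32_t)b->ptr[2] << 8) | (uint32_t)b->ptr[3];
    b->ptr += 4; b->left -= 4;
    return 0;
}

/* Read an SSH string (uint32 length, then bytes); -1 if the declared
   length runs past the end of the packet. */
static int sbuf_get_string(struct sbuf *b, const unsigned char **s, size_t *n) {
    uint32_t l;
    if (sbuf_get_u32(b, &l) != 0 || l > b->left) return -1;
    *s = b->ptr; *n = l;
    b->ptr += l; b->left -= l;
    return 0;
}

/* Parse "uint32 count, then count (name, value) string pairs" (assumed
   layout). Returns the count, or -1 if malformed; *iters = loop passes. */
static long parse_pairs(const unsigned char *pkt, size_t len, unsigned long *iters) {
    struct sbuf b = { pkt, len };
    const unsigned char *name, *val; size_t nlen, vlen;
    uint32_t count, i;
    *iters = 0;
    if (sbuf_get_u32(&b, &count) != 0) return -1;
    for (i = 0; i < count; i++) {
        (*iters)++;
        /* Checked reads end the loop at the first short read. */
        if (sbuf_get_string(&b, &name, &nlen) != 0 ||
            sbuf_get_string(&b, &val, &vlen) != 0)
            return -1;
    }
    return (long)count;
}

/* Constructed samples: one valid pair; a huge count with no data. */
static const unsigned char ok_pkt[] = {0,0,0,1, 0,0,0,1,'a', 0,0,0,1,'b'};
static const unsigned char bad_pkt[] = {0xff,0xff,0xff,0xff};
int main(void) {
    unsigned long it;
    return !(parse_pairs(ok_pkt, sizeof ok_pkt, &it) == 1 &&
             parse_pairs(bad_pkt, sizeof bad_pkt, &it) == -1);
}
```

With the return values ignored, the loop over `bad_pkt` would run for the full declared count even though no bytes remain to read.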