
A libssh security update has been released for Debian GNU/Linux 10 LTS to address two security issues.

[SECURITY] [DLA 3437-1] libssh security update

Debian LTS Advisory DLA-3437-1 Tobias Frost
May 29, 2023

Package : libssh
Version : 0.8.7-1+deb10u2
CVE ID : CVE-2019-14889 CVE-2023-1667
Debian Bug : 946548 1035832

Two security issues have been discovered in libssh, a tiny C SSH
library, which may allow a remote authenticated user to cause a denial
of service or inject arbitrary commands.


A flaw was found with the libssh API function ssh_scp_new() in
versions before 0.9.3 and before 0.8.8. When the libssh SCP client
connects to a server, the scp command, which includes a
user-provided path, is executed on the server-side. In case the
library is used in a way where users can influence the third
parameter of the function, it would become possible for an attacker
to inject arbitrary commands, leading to a compromise of the remote

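
As an added illustration (not part of the advisory and not libssh code): an application that lets users influence the third parameter of ssh_scp_new() can refuse any path outside a strict allowlist before making the call. The helper name scp_location_check and the SCP_PATH_MAX cap are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define SCP_PATH_MAX 4096  /* assumed cap for this example, not a libssh constant */

/* Returns 1 if c is in the conservative allowlist: letters, digits, . _ / - */
static int scp_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') ||
           c == '.' || c == '_' || c == '/' || c == '-';
}

/*
 * Hypothetical helper: returns 0 if `path` is acceptable as the third
 * (location) parameter of ssh_scp_new(), -1 otherwise.
 */
int scp_location_check(const char *path)
{
    size_t i, len;

    if (path == NULL)
        return -1;
    len = strlen(path);
    if (len == 0 || len >= SCP_PATH_MAX)
        return -1;
    /* A leading '-' would be read by the remote scp as an option. */
    if (path[0] == '-')
        return -1;
    for (i = 0; i < len; i++) {
        /* Rejects whitespace, quotes, newlines and every shell
         * metacharacter, since none of them is in the allowlist. */
        if (!scp_char_ok((unsigned char)path[i]))
            return -1;
    }
    return 0;
}
```

Run the check on every user-influenced string before it reaches ssh_scp_new() and abort the transfer when it returns -1; it complements the package upgrade rather than replacing it.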

A NULL pointer dereference was found in libssh during re-keying with
algorithm guessing. This issue may allow an authenticated client to
cause a denial of service.

For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: