A security update for Fedora 43 has been released, which includes a new version of the libssh library (version 0.11.4-1.fc43). This update fixes several security issues, including CVEs related to path traversal, denial of service, and buffer underflow vulnerabilities.

[SECURITY] Fedora 43 Update: libssh-0.11.4-1.fc43

[SECURITY] Fedora 43 Update: libssh-0.11.4-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-53b80475c3
2026-02-13 01:28:05.709454+00:00
--------------------------------------------------------------------------------

Name : libssh
Product : Fedora 43
Version : 0.11.4
Release : 1.fc43
URL : http://www.libssh.org
Summary : A library implementing the SSH protocol
Description :
The ssh library was designed to be used by programmers needing a working SSH
implementation by the mean of a library. The complete control of the client is
made by the programmer. With libssh, you can remotely execute programs, transfer
files, use a secure and transparent tunnel for your remote programs. With its
Secure FTP implementation, you can play with remote files easily, without
third-party programs others than libcrypto (from openssl).

--------------------------------------------------------------------------------
Update Information:

New upstream release fixing several security issues
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 10 2026 Jakub Jelen [jjelen@redhat.com] - 0.11.4-1
- New upstream release fixing following security issues:
- CVE-2025-14821: libssh loads configuration files from the C:\etc directory on Windows
- CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
- CVE-2026-0965: Possible Denial of Service when parsing unexpected configuration files
- CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
- CVE-2026-0967: Specially crafted patterns could cause DoS
- CVE-2026-0968: OOB Read in sftp_parse_longname()
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2438452 - libssh-0.12.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2438452
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-53b80475c3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new