Your message dated Sat, 09 May 2026 19:34:56 +0000
with message-id <[email protected]>
and subject line Bug#1135647: fixed in libssh2 1.11.1-3
has caused the Debian Bug report #1135647,
regarding libssh2: CVE-2026-7598
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135647
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh2
Version: 1.11.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libssh2/libssh2/pull/1858
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libssh2.

CVE-2026-7598[0]:
| A security vulnerability has been detected in libssh2 up to 1.11.1.
| The impacted element is the function userauth_password of the file
| src/userauth.c. Such manipulation of the argument
| username_len/password_len leads to integer overflow. The attack may
| be launched remotely. The name of the patch is
| 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied
| to remediate this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-7598
    https://www.cve.org/CVERecord?id=CVE-2026-7598
[1] https://github.com/libssh2/libssh2/pull/1858
[2] https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libssh2
Source-Version: 1.11.1-3
Done: Nicolas Mora <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libssh2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Mora <[email protected]> (supplier of updated libssh2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 May 2026 07:35:17 -0400
Source: libssh2
Architecture: source
Version: 1.11.1-3
Distribution: unstable
Urgency: medium
Maintainer: Nicolas Mora <[email protected]>
Changed-By: Nicolas Mora <[email protected]>
Closes: 1135647
Changes:
 libssh2 (1.11.1-3) unstable; urgency=medium
 .
   * d/patches: Fix integer overflow in userauth_password
     Fixes CVE-2026-7598 (Closes: #1135647)
   * d/control: Update standards version to 4.7.4

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
