Your message dated Wed, 24 Jun 2026 21:36:45 +0000
with message-id <[email protected]>
and subject line Bug#1140401: fixed in libssh2 1.11.1-4
has caused the Debian Bug report #1140401,
regarding libssh2: CVE-2025-15661 CVE-2026-55199 CVE-2026-55200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140401
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh2
Version: 1.11.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libssh2.

CVE-2025-15661[0]:
| libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-
| bounds heap read vulnerability in the sftp_symlink() function in
| src/sftp.c that allows a malicious SSH server or man-in-the-middle
| attacker to disclose heap memory contents or cause a crash by
| sending a crafted SSH_FXP_NAME response. Attackers can supply a
| link_len value larger than the actual packet data in SSH_FXP_NAME
| responses for SFTP READLINK and REALPATH operations, triggering a
| heap buffer over-read of up to target_len minus one bytes due to the
| missing validation of available packet buffer size before the memcpy
| operation.


CVE-2026-55199[1]:
| libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-
| authentication denial of service vulnerability in the
| SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH
| server to cause a client CPU exhaustion loop by sending a crafted
| extension count value. A malicious server can set nr_extensions to
| 0xFFFFFFFF during key exchange, causing the client to spin in a
| tight CPU loop for over 60 seconds because return values from
| _libssh2_get_string() are unchecked and the session timeout does not
| apply to CPU-bound loops.


CVE-2026-55200[2]:
| libssh2 through 1.11.1, fixed in commit 7acf3df, contains an
| out-of-bounds write vulnerability in ssh2_transport_read() that fails
| to enforce upper bounds on the packet_length field. Remote attackers can
| send crafted SSH packets with excessively large packet_length values
| to corrupt heap memory and achieve remote code execution.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-15661
    https://www.cve.org/CVERecord?id=CVE-2025-15661
[1] https://security-tracker.debian.org/tracker/CVE-2026-55199
    https://www.cve.org/CVERecord?id=CVE-2026-55199
[2] https://security-tracker.debian.org/tracker/CVE-2026-55200
    https://www.cve.org/CVERecord?id=CVE-2026-55200

Regards,
Salvatore

--- End Message ---
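The three checks the CVE texts above describe as missing, written out as one added C example for this page. This is illustrative code, not libssh2's source and not the Debian patches referenced in the changelog; the cursor type, the function names (get_u32, get_string, parse_fxp_name_link, parse_ext_info, check_packet_length), the 35000-byte packet bound taken from RFC 4253 section 6.1, and the sample packet bodies are all this example's own. get_string here plays the role the report assigns to _libssh2_get_string() but is not that function.

```c
/* Added example, not libssh2 code: bounds-checked handling of the three
 * attacker-controlled fields named in the report. The cursor type, function
 * names and the 35000-byte packet bound are this example's own choices. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { const uint8_t *p; size_t left; } cursor_t; /* one packet body */

/* Big-endian uint32. Returns 0, or -1 if fewer than 4 bytes remain. */
static int get_u32(cursor_t *c, uint32_t *out)
{
    if (c->left < 4) return -1;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
    c->p += 4; c->left -= 4;
    return 0;
}

/* SSH string (uint32 length + bytes). The claimed length is checked against
 * the bytes actually left before a pointer is handed back; without that check
 * a forged length turns the caller's memcpy into a heap over-read. */
static int get_string(cursor_t *c, const uint8_t **s, uint32_t *len)
{
    uint32_t n;
    if (get_u32(c, &n) != 0 || n > c->left) return -1;
    *s = c->p; *len = n;
    c->p += n; c->left -= n;
    return 0;
}

/* CVE-2025-15661 pattern: copy the first filename of an SSH_FXP_NAME body
 * (uint32 request-id, uint32 count, string filename, ...) into target.
 * link_len is validated against the packet first, then capped to
 * target_len - 1. Returns bytes copied, or -1 for a malformed packet. */
static int parse_fxp_name_link(const uint8_t *body, size_t body_len,
                               char *target, size_t target_len)
{
    cursor_t c = { body, body_len };
    uint32_t id, count, link_len;
    const uint8_t *link;

    if (target_len == 0) return -1;
    if (get_u32(&c, &id) != 0 || get_u32(&c, &count) != 0 || count == 0) return -1;
    if (get_string(&c, &link, &link_len) != 0) return -1; /* link_len > bytes left */
    if (link_len > target_len - 1) link_len = (uint32_t)(target_len - 1);
    memcpy(target, link, link_len);
    target[link_len] = '\0';
    return (int)link_len;
}

/* CVE-2026-55199 pattern: walk an SSH_MSG_EXT_INFO body (uint32 nr-extensions,
 * then name/value string pairs). A count the packet cannot carry is refused up
 * front (each extension needs two 4-byte length fields), and every read is
 * checked so a short body ends the loop instead of spinning through 2^32
 * iterations. Returns the number of extensions parsed, or -1. */
static int parse_ext_info(const uint8_t *body, size_t body_len)
{
    cursor_t c = { body, body_len };
    uint32_t n, i, nlen, vlen;
    const uint8_t *name, *value;

    if (get_u32(&c, &n) != 0 || n > c.left / 8) return -1;
    for (i = 0; i < n; i++)
        if (get_string(&c, &name, &nlen) != 0 || get_string(&c, &value, &vlen) != 0)
            return -1;
    return (int)n;
}

/* CVE-2026-55200 pattern: validate packet_length before any buffer is sized or
 * filled from it. RFC 4253 section 6.1 requires accepting 35000-byte packets;
 * anything larger is refused here rather than allocated. 0 = ok, -1 = reject. */
#define MAX_PACKET_LENGTH 35000u
static int check_packet_length(uint32_t packet_length, size_t buf_cap)
{
    if (packet_length < 5 || packet_length > MAX_PACKET_LENGTH) return -1; /* 5 = padding_length + 4 pad */
    if ((size_t)packet_length + 4 > buf_cap) return -1;                    /* + the length field */
    return 0;
}

/* Constructed sample bodies (type byte already consumed), not real captures. */
#define BODY_LEN(a) (sizeof(a) - 1)
static const uint8_t FXP_NAME_GOOD[] =
    "\x00\x00\x00\x01" "\x00\x00\x00\x01" "\x00\x00\x00\x05" "hello";
static const uint8_t FXP_NAME_BAD[] =   /* link_len 65536, only 4 bytes follow */
    "\x00\x00\x00\x01" "\x00\x00\x00\x01" "\x00\x01\x00\x00" "abcd";
static const uint8_t EXT_INFO_GOOD[] =
    "\x00\x00\x00\x01" "\x00\x00\x00\x0f" "server-sig-algs" "\x00\x00\x00\x0c" "rsa-sha2-256";
static const uint8_t EXT_INFO_TRUNC[] = /* claims 2 extensions, carries 1 */
    "\x00\x00\x00\x02" "\x00\x00\x00\x0f" "server-sig-algs" "\x00\x00\x00\x0c" "rsa-sha2-256";
static const uint8_t EXT_INFO_HUGE[] =  /* nr_extensions = 0xFFFFFFFF */
    "\xff\xff\xff\xff" "\x00\x00\x00\x00\x00\x00\x00\x00";
static char demo_target[64];

int main(void)
{
    int n = parse_fxp_name_link(FXP_NAME_GOOD, BODY_LEN(FXP_NAME_GOOD), demo_target, sizeof demo_target);
    printf("FXP_NAME good -> %d (%s), forged -> %d\n", n, demo_target,
           parse_fxp_name_link(FXP_NAME_BAD, BODY_LEN(FXP_NAME_BAD), demo_target, sizeof demo_target));
    printf("EXT_INFO good -> %d, truncated -> %d, huge -> %d\n",
           parse_ext_info(EXT_INFO_GOOD, BODY_LEN(EXT_INFO_GOOD)),
           parse_ext_info(EXT_INFO_TRUNC, BODY_LEN(EXT_INFO_TRUNC)),
           parse_ext_info(EXT_INFO_HUGE, BODY_LEN(EXT_INFO_HUGE)));
    printf("packet_length 0xFFFFFFF0 -> %d\n", check_packet_length(0xFFFFFFF0u, 40000));
    return 0;
}
```

Build with a plain `cc -Wall -o demo demo.c`. Each hardened path fails closed on the forged input: the 65536-byte link_len is refused by get_string before memcpy ever sees it, the 0xFFFFFFFF extension count never enters the loop because no 12-byte body can carry it, a body that claims more extensions than it holds ends the loop on the first failed read rather than iterating to the count, and an oversized packet_length is rejected before anything is allocated from it. The 35000 bound is one reasonable choice, not libssh2's own limit; whatever value an implementation picks, the point is that it is enforced before the length is trusted.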
--- Begin Message ---
Source: libssh2
Source-Version: 1.11.1-4
Done: Nicolas Mora <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libssh2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Mora <[email protected]> (supplier of updated libssh2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Jun 2026 09:10:36 -0400
Source: libssh2
Architecture: source
Version: 1.11.1-4
Distribution: unstable
Urgency: medium
Maintainer: Nicolas Mora <[email protected]>
Changed-By: Nicolas Mora <[email protected]>
Closes: 1140401
Changes:
 libssh2 (1.11.1-4) unstable; urgency=medium
 .
   [ Moritz Mühlenhoff ]
   * d/patches: Fix CVEs CVE-2025-15661 CVE-2026-55199 CVE-2026-55200
     (Closes: #1140401)
Checksums-Sha1:
 5938c3f259b2e7be98e1c959cd941ebf5be1387f 2329 libssh2_1.11.1-4.dsc
 61c721696f08bf91d23dd59b766bac65e9a78b04 1093012 libssh2_1.11.1.orig.tar.gz
 d1d810ea2c4807fe71b0b66c784bd874ad5b9c67 488 libssh2_1.11.1.orig.tar.gz.asc
 524a6805fe1a9d3282ac28fc0df6c98015afed39 19516 libssh2_1.11.1-4.debian.tar.xz
 e527a681f4b97046c1c26d8fe5f72e5e756901af 6294 libssh2_1.11.1-4_amd64.buildinfo
Checksums-Sha256:
 efe3cc06d27337d41aec053dccfc6a742d22a134c1b484c2104327bc81770948 2329 libssh2_1.11.1-4.dsc
 d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7 1093012 libssh2_1.11.1.orig.tar.gz
 f5618c9356a1d5a8059d6cf64015d86547f06b2b8b1f542fbbaf381a736c8075 488 libssh2_1.11.1.orig.tar.gz.asc
 e899b43734e37e9f8a08d293265eea8d131bc5206634fc3b3f563ab6b5bdbbc4 19516 libssh2_1.11.1-4.debian.tar.xz
 45bf25771c11e9457054cc965fd026b5dfe72c6bba8fd03f3a744272a9fe57bf 6294 libssh2_1.11.1-4_amd64.buildinfo
Files:
 1702b420743ecd45f748302515c390a5 2329 libs optional libssh2_1.11.1-4.dsc
 38857d10b5c5deb198d6989dacace2e6 1093012 libs optional libssh2_1.11.1.orig.tar.gz
 5ecd37626fbb7ca0850a56a05a37a4c2 488 libs optional libssh2_1.11.1.orig.tar.gz.asc
 372f959394ece80920ba9d59d870740b 19516 libs optional libssh2_1.11.1-4.debian.tar.xz
 dc29e563e6de65f64aef9be7f6c36301 6294 libs optional libssh2_1.11.1-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEhAWwL8wo75dEyPJT/oITlEC9IrkFAmo8Rn0ACgkQ/oITlEC9
IrkRvBAAsSQZDCFO1kWie+qgNqSYpIubfQ4GjgFOp+k5LWZ56+Ck+RrNTqQYUmD7
ZkY8uBpQK2Q7SnCD/SyVRCYf2ni2Q+PRA6xnbeflzlIyOYY72yOmwMaqHtUrDOeX
WnqgEENdJpBtcaPWpMEQh6AnYAPmnTLXdO42gjEVQM9U51VgtS7Kqyk2VNQfYYiW
mTSPCtaryF72BJIe6RDQW3ZF6bio/4MOg4okRTvoEqiLnBo1ioUACybe9/bTzsmK
pOKzaNWqireSbTlZMxjfUwEkjSRbAUGhWrmiRYhxgu6EI6ctkYa1KVtVbPgLZfD5
qnvJysy5xIUwWizHRSmdHWYJA0NRnbNdzdbwHLPa7nphPUDeHmQzcO53IIpFYCas
aksoW+8vaSzJPUAlpRRddre7SS7IuAmUyJqd39vwhRLebtSAdW4PpaWe4OXLVj/a
PvFgdaoI+/4hHaYJVHxUBrz9Z4zvFLkWKKqY2ZQ8oru/CQWOUsEYR9WdsY1mJg93
liIQTOgYBmjgMoHQne5LyfLC+DHFOGXJiXW0qTuyhvMWJR1gedycTnnOk+6aKLr2
3ld8jMCKtmgcRgo5lKIVFgOKL/LTibbKcnCpAaXfUihYU97TuGfAE+xi+iSEyWd7
F8oBRf3Cv6CGAmUsc+ZkifSDytbukX4nS6PS9PKepPTh6fdM6oo=
=KesF
-----END PGP SIGNATURE-----



--- End Message ---
