Your message dated Thu, 25 Jun 2026 21:03:48 +0000
with message-id <[email protected]>
and subject line Bug#1140401: fixed in libssh2 1.11.1-1+deb13u1
has caused the Debian Bug report #1140401,
regarding libssh2: CVE-2025-15661 CVE-2026-55199 CVE-2026-55200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140401
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh2
Version: 1.11.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libssh2.

CVE-2025-15661[0]:
| libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-
| bounds heap read vulnerability in the sftp_symlink() function in
| src/sftp.c that allows a malicious SSH server or man-in-the-middle
| attacker to disclose heap memory contents or cause a crash by
| sending a crafted SSH_FXP_NAME response. Attackers can supply a
| link_len value larger than the actual packet data in SSH_FXP_NAME
| responses for SFTP READLINK and REALPATH operations, triggering a
| heap buffer over-read of up to target_len minus one bytes due to the
| missing validation of available packet buffer size before the memcpy
| operation.


CVE-2026-55199[1]:
| libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-
| authentication denial of service vulnerability in the
| SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH
| server to cause a client CPU exhaustion loop by sending a crafted
| extension count value. A malicious server can set nr_extensions to
| 0xFFFFFFFF during key exchange, causing the client to spin in a
| tight CPU loop for over 60 seconds because return values from
| _libssh2_get_string() are unchecked and the session timeout does not
| apply to CPU-bound loops.


CVE-2026-55200[2]:
| libssh2 through 1.11.1, fixed in commit 7acf3df, contains an out-of-
| bounds write vulnerability in ssh2_transport_read() that fails to
| enforce upper bounds on the packet_length field. Remote attackers can
| send crafted SSH packets with excessively large packet_length values
| to corrupt heap memory and achieve remote code execution.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-15661
    https://www.cve.org/CVERecord?id=CVE-2025-15661
[1] https://security-tracker.debian.org/tracker/CVE-2026-55199
    https://www.cve.org/CVERecord?id=CVE-2026-55199
[2] https://security-tracker.debian.org/tracker/CVE-2026-55200
    https://www.cve.org/CVERecord?id=CVE-2026-55200

Regards,
Salvatore

--- End Message ---
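All three reports above share one root cause: a length field taken from the peer (link_len, nr_extensions, packet_length) was trusted before it was compared against the bytes actually present. The following is an added illustration of the defensive pattern, written for this page; it is not libssh2 code and does not reproduce its fixes. It assumes only the public wire layouts (SSH "string" = uint32 length + bytes; SSH_FXP_NAME = uint32 id, uint32 count, then string filename, string longname, ATTRS per entry; SSH_MSG_EXT_INFO = uint32 nr_extensions followed by name/value string pairs). The helper names (`get_u32`, `get_string`, `parse_fxp_name_link`, `parse_ext_info`) and the sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Cursor over an untrusted packet buffer: pointer plus bytes remaining. */
struct cursor { const uint8_t *p; size_t left; };

/* Read a big-endian uint32; return -1 if fewer than 4 bytes remain. */
static int get_u32(struct cursor *c, uint32_t *out)
{
    if (c->left < 4) return -1;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4; c->left -= 4;
    return 0;
}

/* Read an SSH "string" (uint32 length + bytes). The length is peer-
 * controlled, so it is checked against the bytes actually present
 * BEFORE a pointer into the buffer is handed back to the caller. */
static int get_string(struct cursor *c, const uint8_t **data, uint32_t *len)
{
    if (get_u32(c, len) != 0) return -1;
    if (*len > c->left) return -1;      /* claimed length exceeds packet */
    *data = c->p;
    c->p += *len; c->left -= *len;
    return 0;
}

/* Parse the first entry of an SSH_FXP_NAME reply (as used for READLINK /
 * REALPATH) and copy the filename into out. Returns bytes copied, or -1
 * on malformed input. The memcpy only runs after both the packet bound
 * and the destination bound have been verified. */
int parse_fxp_name_link(const uint8_t *pkt, size_t pkt_len,
                        char *out, size_t out_cap)
{
    struct cursor c = { pkt, pkt_len };
    uint32_t id, count, link_len;
    const uint8_t *link;

    if (get_u32(&c, &id) != 0 || get_u32(&c, &count) != 0) return -1;
    if (count < 1) return -1;
    if (get_string(&c, &link, &link_len) != 0) return -1; /* packet bound */
    if (link_len >= out_cap) return -1;                  /* dest bound + NUL */
    memcpy(out, link, link_len);
    out[link_len] = '\0';
    return (int)link_len;
}

/* Parse an SSH_MSG_EXT_INFO body. Returns extensions parsed, or -1.
 * Two defences against a hostile nr_extensions: the count is sanity-
 * checked against the bytes left (each extension needs at least 8 bytes
 * for two empty strings), and every get_string result is checked so the
 * loop cannot keep spinning after the data runs out. */
int parse_ext_info(const uint8_t *pkt, size_t pkt_len)
{
    struct cursor c = { pkt, pkt_len };
    uint32_t nr, i, nlen, vlen;
    const uint8_t *name, *value;

    if (get_u32(&c, &nr) != 0) return -1;
    if (nr > c.left / 8) return -1;     /* count cannot be honest */
    for (i = 0; i < nr; i++) {
        if (get_string(&c, &name, &nlen) != 0) return -1;
        if (get_string(&c, &value, &vlen) != 0) return -1;
    }
    return (int)nr;
}

/* Constructed sample packets (hand-built for this example, not captured). */
static const uint8_t good_name[] = {0,0,0,1, 0,0,0,1, 0,0,0,6, '/','t','m','p','/','x'};
static const uint8_t bad_name[]  = {0,0,0,1, 0,0,0,1, 0,0,1,0, 'a','b'}; /* claims 256 bytes, has 2 */
static const uint8_t good_ext[]  = {0,0,0,1, 0,0,0,4,'p','i','n','g', 0,0,0,1,'0'};
static const uint8_t bad_ext[]   = {0xff,0xff,0xff,0xff, 0,0,0,0};      /* nr_extensions = 0xFFFFFFFF */

int demo_good_name(void) { char b[64]; return parse_fxp_name_link(good_name, sizeof good_name, b, sizeof b); }
int demo_bad_name(void)  { char b[64]; return parse_fxp_name_link(bad_name,  sizeof bad_name,  b, sizeof b); }
int demo_good_ext(void)  { return parse_ext_info(good_ext, sizeof good_ext); }
int demo_bad_ext(void)   { return parse_ext_info(bad_ext,  sizeof bad_ext);  }

int main(void)
{
    printf("good FXP_NAME: %d, oversized link_len: %d\n", demo_good_name(), demo_bad_name());
    printf("good EXT_INFO: %d, nr_extensions=0xFFFFFFFF: %d\n", demo_good_ext(), demo_bad_ext());
    return 0;
}
```

The point to carry over when auditing similar parsers: every length read from the wire is compared to the remaining packet size at the moment it is read, and every loop bound derived from the wire is both sanity-checked up front and re-checked on each iteration through the return value of the reader, so a bad count fails fast instead of burning CPU or reading past the buffer.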
--- Begin Message ---
Source: libssh2
Source-Version: 1.11.1-1+deb13u1
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libssh2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated libssh2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Jun 2026 23:01:56 +0200
Source: libssh2
Architecture: source
Version: 1.11.1-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Nicolas Mora <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1135647 1140401
Changes:
 libssh2 (1.11.1-1+deb13u1) trixie-security; urgency=medium
 .
   * CVE-2026-7598 (Closes: #1135647)
   * CVE-2025-15661 / CVE-2026-55199 / CVE-2026-55200 (Closes: #1140401)
Checksums-Sha1:
 0035d28817bd9c5967d8a9f04d246fa6720b75e3 2351 libssh2_1.11.1-1+deb13u1.dsc
 61c721696f08bf91d23dd59b766bac65e9a78b04 1093012 libssh2_1.11.1.orig.tar.gz
 d1d810ea2c4807fe71b0b66c784bd874ad5b9c67 488 libssh2_1.11.1.orig.tar.gz.asc
 0476fd56ec9daf6c4fd726d8d28fc75d59824bea 19312 libssh2_1.11.1-1+deb13u1.debian.tar.xz
 7212afdc256e7e3a0a78fac3afe4046e5c12919c 7407 libssh2_1.11.1-1+deb13u1_amd64.buildinfo
Checksums-Sha256:
 b49dae094697248bd4d3665dd73d13b27739237701b939bc7c1ebedf17dc81e4 2351 libssh2_1.11.1-1+deb13u1.dsc
 d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7 1093012 libssh2_1.11.1.orig.tar.gz
 f5618c9356a1d5a8059d6cf64015d86547f06b2b8b1f542fbbaf381a736c8075 488 libssh2_1.11.1.orig.tar.gz.asc
 095817cecf4b527b68208d72987439622877dde62cd88afe8822efc3d775e013 19312 libssh2_1.11.1-1+deb13u1.debian.tar.xz
 65fce54d6aea21d8ba5aaa68cce65b9b4e386b15ab21f332a88031f8ec1e18a6 7407 libssh2_1.11.1-1+deb13u1_amd64.buildinfo
Files:
 b84f764f6088fb8c9c8e42af6d36493d 2351 libs optional libssh2_1.11.1-1+deb13u1.dsc
 38857d10b5c5deb198d6989dacace2e6 1093012 libs optional libssh2_1.11.1.orig.tar.gz
 5ecd37626fbb7ca0850a56a05a37a4c2 488 libs optional libssh2_1.11.1.orig.tar.gz.asc
 c8a31ca825329401d4383a68dbd24059 19312 libs optional libssh2_1.11.1-1+deb13u1.debian.tar.xz
 13c300983a6905433515df00016dcddb 7407 libs optional libssh2_1.11.1-1+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
