On 23/06/2026 21:24, James Addison wrote:
> The commit IDs of the fixes for each of the vulnerabilities,
> respectively, as found in the GitHub libssh2/libssh2.git repository,
> are:
> - 2dae3024897e1898d389835151f4e9606227721d
> - 17626857d20b3c9a1addfa45979dadcee1cd84a4
> - 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8

Just as a heads up, libssh2 1.11.1 was released in October 2024 and the
patch for src/sftp.c does not apply cleanly to the release.

> [1] - https://digital.nhs.uk/cyber-alerts/2026/cc-4799

This URL points to https://github.com/advisories/GHSA-R8MH-X5QV-7GG2 as
the "Definitive source of threat updates" which references another
commit separate from the hashes above
https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
via
https://github.com/libssh2/libssh2/pull/2052
"transport.c: Additional boundary checks for packet length"
Sorry, too busy melting to provide a patch against 1.11.1 release. :(
Sincerely,
Sevan