of past PRs
> not being taken for whatever reason.
I'm able to identify a certain class of problems (as I said below in OP, "code
around _libssh2_ntohu32 often looks wrong, please review and fix it"), but
I don't understand libssh2 code to the extent I can design a replacement.
>> On Mar 31, 20
On 31.03.2019 14:23, Yuriy M. Kaminskiy wrote:
> FTR, (some) problems that were addressed by this patch were (apparently
> independently) rediscovered 3 years later, assigned CVE-2019-38{55...63}
> and fixed (differently; I have not checked if fixed code covers all
> cases was covered
016-03-27 22:28 , Yuriy M. Kaminskiy wrote:
> Ping? I'd like to stress that this issue has security implications. At
> the very least, DoS (and this is not a standalone application, so it is not
> a minor issue), and maybe host memory exposure too. (However, it is only
> heap over-reads, wi
Daniel Stenberg writes:
> I think it is about time we ship another release. The OpenSSL 1.1.0
> support being a major reason I think.
>
> So, please bring up your issues that we should squeeze in before we
> release.
E.g. that libssh2 uses an oversized exponent (private key) in DH
"George Garner (online)" writes:
[...]
> 3. Where is the p_len/group_order parameter validated? In
> kex_method_diffie_hellman_group_exchange_sha256_key_exchange it is
> converted from network byte order and accepted at face value. What
> happens if a malicious