libssh 0.10.6 and libssh 0.9.8 security releases

Edit 22. 12. 2023: It turns out these releases have a regression in parsing IPv6 hostnames. The fixes are already available in the linked issue.

With festive season approaching, the libssh team comes with an early present of new releases fixing three security issues.

The two new releases of libssh 0.9 and 0.10 address the following security issues:

  • CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand. More details can be found in the advisory.
  • CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex. More details can be found in the advisory.
  • CVE-2023-6918: Avoid potential use of weak keys in low memory conditions by systematically checking return values of MD functions. More details can be found in the advisory.

In addition the 0.10 version contains several bugfixes and backports. For full list, see the changelog below.

If you are new to libssh you should read our tutorial how to get started. Please join our mailing list or visit Matrix channel if you have questions.

You can download libssh here.

Merry Christmas everyone!

ChangeLog for libssh 0.10.6

  • Fix CVE-2023-6004: Command injection using proxycommand
  • Fix CVE-2023-48795: Potential downgrade attack using strict kex
  • Fix CVE-2023-6918: Missing checks for return values of MD functions
  • Fix ssh_send_issue_banner() for CMD(PowerShell)
  • Avoid passing other events to callbacks when poll is called recursively (#202)
  • Allow @ in usernames when parsing from URI composes

ChangeLog for libssh 0.9.8

  • Fix CVE-2023-6004: Command injection using proxycommand
  • Fix CVE-2023-48795: Potential downgrade attack using strict kex
  • Fix CVE-2023-6918: Missing checks for return values of MD functions
  • Allow @ in usernames when parsing from URI composes