libssh 0.9.5

The libssh team is happy to announce another bugfix release of libssh as version 0.9.5. It offers bug fixes for several issues found by our users. Thanks to all contributors!

This includes a fix for CVE-2020-16135, however we do not see how this would be exploitable at all. If you find a security bug in libssh please don’t just assign a CVE, talk to us first. Our security process is documented here.

If you are new to libssh you should read our tutorial how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh here.


  • CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
  • Improve handling of library initialization (T222)
  • Fix parsing of subsecond times in SFTP (T219)
  • Make the documentation reproducible
  • Remove deprecated API usage in OpenSSL
  • Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
  • Define version in one place (T226)
  • Prevent invalid free when using different C runtimes than OpenSSL (T229)
  • Compatibility improvements to testsuite