libssh 0.9.6 security release

This is a security release of libssh to address CVE-2021-3634 (moderate impact), a possible heap-buffer overflow when rekeying. A workaround exists. More details can be found in the advisory.

In addition the 0.9.6 version addresses some memory leaks in error path, an AEAD handshake and some more.

If you are new to libssh you should read our tutorial how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh here.


  • CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism
  • Fix several memory leaks on error paths
  • Reset pending_call_state on disconnect
  • Fix handshake bug with AEAD ciphers and no HMAC overlap
  • Ignore request success and failure message if they are not expected
  • Support more identity files in configuration
  • Avoid setting compiler flags directly in CMake
  • Support build directories with special characters
  • Include stdlib.h to avoid crash in Windows
  • Fix sftp_new_channel constructs an invalid object
  • Fix Ninja multiple rules error
  • Several tests fixes