Oh joy, pre-auth libssh2 RCE.
Edit: fortunately it looks like sshd is not impacted, and it requires a malicious server for exploitation.
Oh joy, pre-auth libssh2 RCE.
Edit: fortunately it looks like sshd is not impacted, and it requires a malicious server for exploitation.
@bascule thank fuck it’s on clients. And connecting to rogue servers is rare. Or am I missing an angle here?
@janl I was missing the angle 😅
@bascule ooooh phewww
@bascule libssh2 was the most concerning dependency needed to add cargo to Ubuntu main (lp#1991650).
In 2018 @chrisccoulson reported CVE-2019-3855 through -3863. CVE-2019-3855 is the same bug as today's: a server-controlled packet_length with no upper bound, overflowing the transport read. 1.8.1 added a bounds check. CVE-2026-55200 is the same check missing 7 years later, on the chacha20-poly1305 path. That path is post-KEX, so at least host-key verification gates it (unlike 3855).
@bascule directionality is conveniently not super concerning. Though, maybe some useful attack service for asset scanners.