libssh 0.5.4 (SECURITY RELEASE)

This is an important SECURITY and maintenance release in order to address CVE-2013-0176 – NULL dereference leads to denial of service.

The crash could kill an SSH server using libssh. How bad the situation gets depends on the server's process model: if your server forks a child process per connection, the crash only takes down that child, so the user merely kills their own connection.
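The process-model point above, as an added C illustration (not code from libssh or from this announcement): a parent process forks a child per connection, and a fault in the child, simulated here by a deliberate NULL read that stands in for the bug, is reported back as a signal while the parent keeps running. The names `serve_in_child`, `faulty_connection` and `healthy_connection` are made up for this example, and the "connection handling" is just a function call.

```c
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Global sink so the compiler must actually perform the volatile read below. */
volatile int sink;

/* Forked process model: run one connection's handler in a child process.
 * Returns 0 if the child finished normally, 1 if it was killed by a signal
 * (e.g. SIGSEGV from a NULL dereference), -1 if fork() or waitpid() failed.
 * The parent, i.e. the listening server, survives either way; a threaded or
 * single-process server would instead die with the faulty connection. */
int serve_in_child(void (*handler)(void), int *term_signal)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        handler();      /* per-connection work happens only in the child */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status)) {
        if (term_signal)
            *term_signal = WTERMSIG(status);
        return 1;
    }
    if (term_signal)
        *term_signal = 0;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed fault: a NULL pointer read, standing in for the crash the
 * advisory describes. It only ever runs inside the forked child. */
void faulty_connection(void)
{
    volatile int *p = NULL;
    sink = *p;
}

/* A connection that completes without incident. */
void healthy_connection(void)
{
    sink = 1;
}

int main(void)
{
    int sig = 0;
    int rc = serve_in_child(healthy_connection, &sig);
    printf("healthy connection: rc=%d signal=%d\n", rc, sig);
    rc = serve_in_child(faulty_connection, &sig);
    printf("faulty connection:  rc=%d signal=%d (parent still alive)\n", rc, sig);
    return 0;
}
```

The parent learns about the child's death from `waitpid()` and can log it and keep accepting connections, which is why the forked model confines this class of bug to the offending client.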

Thanks to Yong Chuan Koh, X-Force Research for the report.

If you are new to libssh, read the tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.5.4 here. For Windows binaries we suggest using the MSVC and MinGW binaries from the KDE Windows project here. Packages for Fedora and for openSUSE are available here.

ChangeLog

  • CVE-2013-0176 – NULL dereference leads to denial of service
  • Fixed several NULL pointer dereferences in SSHv1.
  • Fixed a free crash bug in options parsing.