MGASA-2026-0189

Source
https://advisories.mageia.org/MGASA-2026-0189.html
Import Source
https://advisories.mageia.org/MGASA-2026-0189.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2026-0189
Published
2026-06-10T05:07:06Z
Modified
2026-06-10T05:15:04.202295443Z
Summary
Updated libssh packages fix security vulnerabilities
Details

CVE-2025-4877 Write beyond bounds in binary to base64 conversion functions
CVE-2025-4878 Use of uninitialized variable in privatekey_from_file()
CVE-2025-5318 Likely read beyond bounds in sftp server handle management
CVE-2025-5351 Double free in functions exporting keys
CVE-2025-5372 ssh_kdf() returns a success code on certain failures
CVE-2025-5449 Likely read beyond bounds in sftp server message decoding
CVE-2025-5987 Invalid return code for chacha20 poly1305 with OpenSSL backend


Affected packages

Mageia:9 / libssh

Package

Name
libssh
Purl
pkg:rpm/mageia/libssh?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.10.6-1.1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0189.json"