Security update for libssh SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03368-1 Final 1 1 2025-09-26T10:53:33Z current 2025-09-26T10:53:33Z 2025-09-26T10:53:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libssh This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/ltss/sle12.5/sles12sp5:latest-2025-3368,SUSE-2025-3368,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3368 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503368-1/ Link for SUSE-SU-2025:03368-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041851.html E-Mail link for SUSE-SU-2025:03368-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1246974 SUSE Bug 1246974 https://bugzilla.suse.com/1249375 SUSE Bug 1249375 https://www.suse.com/security/cve/CVE-2025-8114/ SUSE CVE CVE-2025-8114 page https://www.suse.com/security/cve/CVE-2025-8277/ SUSE CVE CVE-2025-8277 page Container suse/ltss/sle12.5/sles12sp5:latest SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libssh-config-0.9.8-3.18.1 libssh4-0.9.8-3.18.1 libssh-devel-0.9.8-3.18.1 libssh4-32bit-0.9.8-3.18.1 libssh4-64bit-0.9.8-3.18.1 libssh-config-0.9.8-3.18.1 as a component of Container suse/ltss/sle12.5/sles12sp5:latest libssh4-0.9.8-3.18.1 as a component of Container suse/ltss/sle12.5/sles12sp5:latest libssh-config-0.9.8-3.18.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libssh-devel-0.9.8-3.18.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libssh4-0.9.8-3.18.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libssh4-32bit-0.9.8-3.18.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash. CVE-2025-8114 Container suse/ltss/sle12.5/sles12sp5:latest:libssh-config-0.9.8-3.18.1 Container suse/ltss/sle12.5/sles12sp5:latest:libssh4-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh-config-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh-devel-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh4-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh4-32bit-0.9.8-3.18.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503368-1/ https://www.suse.com/security/cve/CVE-2025-8114.html CVE-2025-8114 https://bugzilla.suse.com/1246974 SUSE Bug 1246974 A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability. CVE-2025-8277 Container suse/ltss/sle12.5/sles12sp5:latest:libssh-config-0.9.8-3.18.1 Container suse/ltss/sle12.5/sles12sp5:latest:libssh4-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh-config-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh-devel-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh4-0.9.8-3.18.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libssh4-32bit-0.9.8-3.18.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503368-1/ https://www.suse.com/security/cve/CVE-2025-8277.html CVE-2025-8277 https://bugzilla.suse.com/1249375 SUSE Bug 1249375