
Ubuntu alert USN-8051-2 (libssh)

From:  noreply+usn-bot@canonical.com
To:  ubuntu-security-announce@lists.ubuntu.com
Subject:  [USN-8051-2] libssh vulnerabilities
Date:  Mon, 23 Feb 2026 20:21:53 +0000
Message-ID:  <E1vucRF-0000JY-Ol@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-8051-2
February 23, 2026

libssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in libssh.

Software Description:
- libssh: A tiny C SSH library

Details:

USN-8051-1 fixed vulnerabilities in libssh. This update provides the
corresponding updates for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and
Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that libssh clients incorrectly handled the key
exchange process. A remote attacker could possibly use this issue to
cause libssh clients to crash, resulting in a denial of service.
(CVE-2025-8277)

It was discovered that the libssh SCP client incorrectly sanitized paths
received from servers. A remote attacker could use this issue to cause
libssh SCP clients to overwrite files outside of the working directory
and possibly execute arbitrary code. (CVE-2026-0964)

It was discovered that libssh incorrectly handled parsing configuration
files. A local attacker could possibly use this issue to cause libssh to
access non-regular files, resulting in a denial of service.
(CVE-2026-0965)

It was discovered that libssh incorrectly handled the ssh_get_hexa()
function. A remote attacker could possibly use this issue to cause
libssh to crash, resulting in a denial of service. (CVE-2026-0966)

It was discovered that libssh incorrectly handled certain regular
expressions. A local attacker could possibly use this issue to cause
libssh to consume resources, resulting in a denial of service.
(CVE-2026-0967)

It was discovered that the libssh SFTP client incorrectly handled certain
malformed longname fields. A remote attacker could use this issue to
cause libssh SFTP clients to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-0968)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  libssh-4    0.9.3-2ubuntu2.5+esm3
              Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libssh-4    0.8.0~20170825.94fa1e38-1ubuntu0.7+esm6
              Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libssh-4    0.6.3-4.3ubuntu0.6+esm4
              Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8051-2
  https://ubuntu.com/security/notices/USN-8051-1
  CVE-2025-8277, CVE-2026-0964, CVE-2026-0965, CVE-2026-0966,
  CVE-2026-0967, CVE-2026-0968


Attachment: signature.asc (type=application/pgp-signature)





Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds