On 23/06/2026 21:24, James Addison wrote:
The commit IDs of the fixes for each of the vulnerabilities,
respectively, as found in the GitHub libssh2/libssh2.git repository,
are:

- 2dae3024897e1898d389835151f4e9606227721d
- 17626857d20b3c9a1addfa45979dadcee1cd84a4
- 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8

Just as a heads up, libssh2 1.11.1 was released in October 2024 and the patch for src/sftp.c does not apply cleanly to the release.

[1] - https://digital.nhs.uk/cyber-alerts/2026/cc-4799

This URL points to https://github.com/advisories/GHSA-R8MH-X5QV-7GG2 as the "Definitive source of threat updates", which references another commit separate from the hashes above:

https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
via
https://github.com/libssh2/libssh2/pull/2052
"transport.c: Additional boundary checks for packet length"

Sorry, too busy melting to provide a patch against 1.11.1 release. :(

Sincerely,

Sevan
