Peter

**Name of the Vulnerable Software and Affected Versions** cpdb-libs versions 1.0 through 2.0b4 **Description** The issue arises from the improper use of `scanf(3)` in cpdb-libs, leading to buffer overflows. This occurs because `fscanf()` and `scanf()` functions are used to parse command lines and configuration files without limiting the length of the strings to be read, causing buffer overflows when a string exceeds 1023 characters. The `fscanf()` and `scanf()` functions drop the read string components into fixed-length buffers. A patch is available, which limits the maximum string length to 1023 by replacing `%s` with `%1023s` in all calls of `fscanf()` and `scanf()` functions. **Recommendations** For versions 1.0 through 2.0b4, apply the patch available at commit f181bd1f14757c2ae0f17cc76dc20421a40f30b7, which replaces all occurrences of `%s` with `%1023s` in all calls of the `fscanf()` and `scanf()` functions to limit the maximum string length to 1023.

**Name of the Vulnerable Software and Affected Versions** OpenSSH versions through 8.7 **Description** The issue allows remote attackers to test whether a certain combination of username and public key is known to an SSH server. This occurs because a challenge is sent only when that combination could be valid for a login session. The vendor does not recognize user enumeration as a vulnerability for this product. **Recommendations** For OpenSSH versions through 8.7, consider restricting access to the SSH server to minimize the risk of exploitation, as the vendor does not recognize this as a vulnerability and may not provide a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.