CVE-2012-4559

Name of the Vulnerable Software and Affected Versions libssh versions prior to 0.5.3

Description The issue affects the libssh package, allowing remote attackers to exploit multiple double free vulnerabilities. These vulnerabilities are located in various functions, including agent sign data in agent.c, channel request in channels.c, ssh userauth pubkey in auth.c, sftp parse attr 3 in sftp.c, and try publickey from file in keyfiles.c. Exploitation can lead to a denial of service (crash) and possibly the execution of arbitrary code via unspecified vectors. The vulnerabilities can be exploited remotely, potentially disrupting the confidentiality, integrity, and availability of protected information.

Recommendations For versions prior to 0.5.3, update to version 0.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the libssh package until a patch is available. Avoid using the affected functions, such as agent sign data, channel request, ssh userauth pubkey, sftp parse attr 3, and try publickey from file, in the affected API endpoints until the issue is resolved.