Message-ID: <CAF3AkiO-wQNc=ibGB0hGXbea+fCejZqzOAmxE+yX6y67hyBbDA@mail.gmail.com>
Date: Tue, 23 Jun 2026 20:24:25 +0000
From: James Addison <james@...iperadar.com>
To: oss-security@...ts.openwall.com
Subject: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high)

Hello list,

With credit to the NHS Digital Cyber security team for publishing[1] a
notice about CVE-2026-55200 that alerted me to these:

Three vulnerabilities in libssh2 - a popular client library for the Unix
secure shell protocol (aka SSH) - have been published as CVEs:

- High severity, 8.3 rating: CVE-2025-15661
- High severity, 8.2 rating: CVE-2026-55199
- Critical severity, 9.2 rating: CVE-2026-55200

The vulnerabilities affect versions up-to-and-including v1.11.1 of the
libssh2 library.

Patches/commits fixing each of the vulnerabilities are available and have
been merged into the libssh2 mainline development source control branch. A
release containing these fixes is under preparation.

For reference: The commit IDs of the fixes for each of the vulnerabilities,
respectively, as found in the GitHub libssh2/libssh2.git repository, are:

- 2dae3024897e1898d389835151f4e9606227721d
- 17626857d20b3c9a1addfa45979dadcee1cd84a4
- 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8

Regards,
James

[1] - https://digital.nhs.uk/cyber-alerts/2026/cc-4799

--
OpenCulinary C.I.C. is a Community Interest Company, number SC647817,
registered in Scotland, United Kingdom and with registered company address
The Melting Pot, 15 Calton Road, Edinburgh, Scotland, EH8 8DL.