package/libssh: security bump to v0.11.3
For more details on the version bump, see:
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=301d0e16dfa8a5cac1cff956b6880ca90eb82864
Fixes the following vulnerabilities:
- CVE-2025-8114
A flaw was found in libssh, a library that implements the SSH
protocol. When calculating the session ID during the key exchange
(KEX) process, an allocation failure in cryptographic functions may
lead to a NULL pointer dereference. This issue can cause the client
or server to crash.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-8114
- https://www.libssh.org/security/advisories/CVE-2025-8114.txt
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=65f363c9e3a22b90af7f74b5c439a133b1047379
- CVE-2025-8277
A flaw was found in libssh's handling of key exchange (KEX)
processes when a client repeatedly sends incorrect KEX guesses. The
library fails to free memory during these rekey operations, which
can gradually exhaust system memory. This issue can lead to crashes
on the client side, particularly when using libgcrypt, which impacts
application stability and availability.
For more information, see:
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=87db2659ec608a977a63eea529f17b9168388d73
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=266174a6d36687b65cf90174f06af90b8b27c65f
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=8e4d67aa9eda455bfad9ac610e54b7a548d0aa08
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=1c763e29d138db87665e98983f468d2dd0f286c1
The v0.11.2 already had a fix for CVE-2025-5318 but the NVD reference
wrongly mentioned the version 0.11.2.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>