Top 5 New Open Source Security Vulnerabilities in March 2019

We all sprang forward with daylight savings this past March, losing an hour of sleep and hopefully giving spring a much-needed nudge. However, even daylight saving didn’t keep our hardworking knowledge team from burning the midnight oil and reviewing all of the recent open source security vulnerabilities in our database to bring our faithful readers the lowdown on March’s top 5 new open source vulnerabilities.

The WhiteSource database continuously collects known open source security vulnerabilities from a number of well-respected community resources like the National Vulnerability Database (NVD), and other public, peer-reviewed security advisories, and issue trackers.

So, without further ado, here are the top 5 new known open source security vulnerabilities in March.

#1 libssh2

Vulnerability Score: High — 8.8

Affected versions: all versions up to and including 1.8.0

CVSS v2.0 – 9.3

According to the libssh2 security advisory, “a malicious server could send a specially crafted packet which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error (CWE-130).” According to the advisory, there are currently no known exploits of the vulnerability

For remediation, the libssh2 advisory recommended updating to libssh2 version 1.8.1 or later, or applying the patch they created.

libssh2, not to be confused with libssh, is a client-side C library implementing the SSH2 protocol, available under the revised BSD license. The project is supported by an active community — according to the stats, it has averaged 2.6 commits per average day, with a total of 2,019 commits on GitHub.

libssh2 did some deep spring cleaning this month, and has published a number of additional security integer overflow (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: