AI_MCP/mcphost
SHA256
6
0
Fork 3
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Fix CVEs #3

Merged
mslacken merged 1 commits from eeich/mcphost:CVE_01_2026 into main 2026-01-07 16:15:33 +01:00
Conversation 1 Commits 1 Files Changed 5 +56 -30
eeich commented 2026-01-06 19:15:43 +01:00
Owner
Copy Link
  • GO-2025-4135 (CVE-2025-47914)
    SSH Agent servers do not validate the size of messages
    when processing new identity requests, which may cause
    the program to panic if the message is malformed due to
    an out of bounds read.
  • GO-2025-4116 (CVE-2025-47913)
    SSH clients receiving SSH_AGENT_SUCCESS when expecting a
    typed response will panic and cause early termination of
    the client process.
  • GO-2025-4134 (CVE-2025-58181, bsc#1253952).
    SSH servers parsing GSSAPI authentication
    requests do not validate the number of mechanisms
    specified in the request, allowing an attacker to cause
    unbounded memory consumption.

Signed-off-by: Egbert Eich eich@suse.com

* GO-2025-4135 (CVE-2025-47914) SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. * GO-2025-4116 (CVE-2025-47913) SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. * GO-2025-4134 (CVE-2025-58181, bsc#1253952). SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. Signed-off-by: Egbert Eich <eich@suse.com>
eeich added 1 commit 2026-01-06 19:15:44 +01:00
- Fix CVEs d7bcf5b155 
* GO-2025-4135 (CVE-2025-47914)
    SSH Agent servers do not validate the size of messages
    when processing new identity requests, which may cause
    the program to panic if the message is malformed due to
    an out of bounds read.
  * GO-2025-4116 (CVE-2025-47913)
    SSH clients receiving SSH_AGENT_SUCCESS when expecting a
    typed response will panic and cause early termination of
    the client process.
  * GO-2025-4134 (CVE-2025-58181, bsc#1253952).
    SSH servers parsing GSSAPI authentication
    requests do not validate the number of mechanisms
    specified in the request, allowing an attacker to cause
    unbounded memory consumption.

Signed-off-by: Egbert Eich <eich@suse.com>
mslacken approved these changes 2026-01-07 16:15:19 +01:00
mslacken merged commit d2cba1e74c into main 2026-01-07 16:15:33 +01:00
Sign in to join this conversation.
Reviewers
No Reviewers
mslacken
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
doreilly eeich mcalabkova mge1512 mslacken
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: AI_MCP/mcphost#3
Delete Branch "eeich/mcphost:CVE_01_2026"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?