A vulnerability was found in libssh through version 0.8.0, where a malicious client or server could crash the counterpart implemented with libssh AES-CTR ciphers are used and don't get fully initialized. It will crash when it tries to cleanup the AES-CTR ciphers when closing the connection.
Name: libssh team
Upstream: Yasheng Yang (Google)
Disable AES-CTR ciphers (and DES in libssh 0.8). If you implement a server using libssh we advise to use a prefork model so each session runs in an own process. If you have implemented your server this way this is not really an issue. The client will kill its own connection.
Created libssh tracking bugs for this issue:
Affects: fedora-all [bug 1822529]
Upstream patch: https://git.libssh.org/projects/libssh.git/commit/?id=b36272eac1b36982598c10de7af0a501582de07a