This update, to the current upstream libssh2 release, addresses a couple of security issues: CVE-2023-6918 (missing checks for return values for digests) CVE-2023-48795 (prefix truncation attack on Binary Packet Protocol (BPP) - "Terrapin")

Source: Fedora 40: libssh2 2025-aaa849ae74 Security Advisory Updates