From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] libssh: Update to version 0.9.6
Date: Mon, 06 Sep 2021 10:55:48 +0100 [thread overview]
Message-ID: <83407CD6-B8EF-4E33-B187-41A74A3F0FC9@ipfire.org> (raw)
In-Reply-To: <20210905113032.4300-1-adolf.belka@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 4267 bytes --]
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 5 Sep 2021, at 12:30, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> - Update from 0.9.3 to 0.9.6
> 0.9.4 and 0.9.6 are security releases
> - Update rootfile
> - Changelog
> libssh 0.9.6 security release
> This is a security release of libssh to address CVE-2021-3634 (moderate impact), a
> possible heap-buffer overflow when rekeying. A workaround exists. More details can be
> found in the advisory.
> In addition the 0.9.6 version addresses some memory leaks in error path, an AEAD
> handshake and some more.
> CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism
> Fix several memory leaks on error paths
> Reset pending_call_state on disconnect
> Fix handshake bug with AEAD ciphers and no HMAC overlap
> Use OPENSSL_CRYPTO_LIBRARIES in CMake
> Ignore request success and failure message if they are not expected
> Support more identity files in configuration
> Avoid setting compiler flags directly in CMake
> Support build directories with special characters
> Include stdlib.h to avoid crash in Windows
> Fix sftp_new_channel constructs an invalid object
> Fix Ninja multiple rules error
> Several tests fixes
> libssh 0.9.5
> The libssh team is happy to announce another bugfix release of libssh as version
> 0.9.5. It offers bug fixes for several issues found by our users.
> This includes a fix for CVE-2020-16135, however we do not see how this would be
> exploitable at all. If you find a security bug in libssh please don’t just assign a
> CVE, talk to us first.
> CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
> Improve handling of library initialization (T222)
> Fix parsing of subsecond times in SFTP (T219)
> Make the documentation reproducible
> Remove deprecated API usage in OpenSSL
> Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
> Define version in one place (T226)
> Prevent invalid free when using different C runtimes than OpenSSL (T229)
> Compatibility improvements to testsuite
> libssh 0.9.4 security release
> This is a security release of libssh to address CVE-2020-1730 (moderate impact), a
> possible Denial of Service (DoS) in client and server when handling AES-CTR keys with
> OpenSSL. A workaround exists. More details can be found in the advisory.
> In addition the this version addresses several memory leaks and adds support for
> diffie-hellman-group14-sha256 key exchange.
> Fixed CVE-2020-1730 (Possible DoS in client and server when handling AES-CTR keys with OpenSSL)
> Added diffie-hellman-group14-sha256
> Fixed several possible memory leaks
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/libssh | 3 ++-
> lfs/libssh | 4 ++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/config/rootfiles/common/libssh b/config/rootfiles/common/libssh
> index 0bde1b45d..ffb5ad59e 100644
> --- a/config/rootfiles/common/libssh
> +++ b/config/rootfiles/common/libssh
> @@ -2,6 +2,7 @@
> #usr/include/libssh/callbacks.h
> #usr/include/libssh/legacy.h
> #usr/include/libssh/libssh.h
> +#usr/include/libssh/libssh_version.h
> #usr/include/libssh/libsshpp.hpp
> #usr/include/libssh/server.h
> #usr/include/libssh/sftp.h
> @@ -12,5 +13,5 @@
> #usr/lib/cmake/libssh/libssh-config.cmake
> #usr/lib/libssh.so
> usr/lib/libssh.so.4
> -usr/lib/libssh.so.4.8.4
> +usr/lib/libssh.so.4.8.7
> #usr/lib/pkgconfig/libssh.pc
> diff --git a/lfs/libssh b/lfs/libssh
> index 4eaddcd70..d08e91146 100644
> --- a/lfs/libssh
> +++ b/lfs/libssh
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 0.9.3
> +VER = 0.9.6
>
> THISAPP = libssh-$(VER)
> DL_FILE = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = f35e9ad384f29375718682a88a3885da
> +$(DL_FILE)_MD5 = 0174df377361221a31a9576afbaba330
>
> install : $(TARGET)
>
> --
> 2.33.0
>
prev parent reply other threads:[~2021-09-06 9:55 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-05 11:30 Adolf Belka
2021-09-06 9:55 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=83407CD6-B8EF-4E33-B187-41A74A3F0FC9@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox