From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] libssh: Update to version 0.9.6
Date: Mon, 06 Sep 2021 10:55:48 +0100
Message-ID: <83407CD6-B8EF-4E33-B187-41A74A3F0FC9@ipfire.org>
In-Reply-To: <20210905113032.4300-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8145731375918587467=="
List-Id: <development.lists.ipfire.org>

--===============8145731375918587467==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 5 Sep 2021, at 12:30, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>=20
> - Update from 0.9.3 to 0.9.6
>   0.9.4 and 0.9.6 are security releases
> - Update rootfile
> - Changelog
>   libssh 0.9.6 security release
>    This is a security release of libssh to address CVE-2021-3634 (moderate =
impact), a
>    possible heap-buffer overflow when rekeying. A workaround exists. More d=
etails can be
>    found in the advisory.
>    In addition the 0.9.6 version addresses some memory leaks in error path,=
 an AEAD
>    handshake and some more.
>      CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with di=
fferent key exchange mechanism
>      Fix several memory leaks on error paths
>      Reset pending_call_state on disconnect
>      Fix handshake bug with AEAD ciphers and no HMAC overlap
>      Use OPENSSL_CRYPTO_LIBRARIES in CMake
>      Ignore request success and failure message if they are not expected
>      Support more identity files in configuration
>      Avoid setting compiler flags directly in CMake
>      Support build directories with special characters
>      Include stdlib.h to avoid crash in Windows
>      Fix sftp_new_channel constructs an invalid object
>      Fix Ninja multiple rules error
>      Several tests fixes
>   libssh 0.9.5
>    The libssh team is happy to announce another bugfix release of libssh as=
 version
>    0.9.5. It offers bug fixes for several issues found by our users.
>    This includes a fix for CVE-2020-16135, however we do not see how this w=
ould be
>    exploitable at all. If you find a security bug in libssh please don=E2=
=80=99t just assign a
>    CVE, talk to us first.
>      CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
>      Improve handling of library initialization (T222)
>      Fix parsing of subsecond times in SFTP (T219)
>      Make the documentation reproducible
>      Remove deprecated API usage in OpenSSL
>      Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
>      Define version in one place (T226)
>      Prevent invalid free when using different C runtimes than OpenSSL (T22=
9)
>      Compatibility improvements to testsuite
>   libssh 0.9.4 security release
>    This is a security release of libssh to address CVE-2020-1730 (moderate =
impact), a
>    possible Denial of Service (DoS) in client and server when handling AES-=
CTR keys with
>    OpenSSL. A workaround exists. More details can be found in the advisory.
>    In addition the this version addresses several memory leaks and adds sup=
port for
>    diffie-hellman-group14-sha256 key exchange.
>      Fixed CVE-2020-1730 (Possible DoS in client and server when handling A=
ES-CTR keys with OpenSSL)
>      Added diffie-hellman-group14-sha256
>      Fixed several possible memory leaks
>=20
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/libssh | 3 ++-
> lfs/libssh                     | 4 ++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
>=20
> diff --git a/config/rootfiles/common/libssh b/config/rootfiles/common/libssh
> index 0bde1b45d..ffb5ad59e 100644
> --- a/config/rootfiles/common/libssh
> +++ b/config/rootfiles/common/libssh
> @@ -2,6 +2,7 @@
> #usr/include/libssh/callbacks.h
> #usr/include/libssh/legacy.h
> #usr/include/libssh/libssh.h
> +#usr/include/libssh/libssh_version.h
> #usr/include/libssh/libsshpp.hpp
> #usr/include/libssh/server.h
> #usr/include/libssh/sftp.h
> @@ -12,5 +13,5 @@
> #usr/lib/cmake/libssh/libssh-config.cmake
> #usr/lib/libssh.so
> usr/lib/libssh.so.4
> -usr/lib/libssh.so.4.8.4
> +usr/lib/libssh.so.4.8.7
> #usr/lib/pkgconfig/libssh.pc
> diff --git a/lfs/libssh b/lfs/libssh
> index 4eaddcd70..d08e91146 100644
> --- a/lfs/libssh
> +++ b/lfs/libssh
> @@ -24,7 +24,7 @@
>=20
> include Config
>=20
> -VER        =3D 0.9.3
> +VER        =3D 0.9.6
>=20
> THISAPP    =3D libssh-$(VER)
> DL_FILE    =3D $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
>=20
> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
>=20
> -$(DL_FILE)_MD5 =3D f35e9ad384f29375718682a88a3885da
> +$(DL_FILE)_MD5 =3D 0174df377361221a31a9576afbaba330
>=20
> install : $(TARGET)
>=20
> --=20
> 2.33.0
>=20


--===============8145731375918587467==--