Message ID | 20210905113032.4300-1-adolf.belka@ipfire.org |
---|---|
State | Accepted |
Commit | 6cc834c9875f45030a9d209ff1669dd2f28ab5de |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4H2TqK6yMxz3xJJ for <patchwork@web04.haj.ipfire.org>; Sun, 5 Sep 2021 11:30:37 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4H2TqK2x8Jz1WM; Sun, 5 Sep 2021 11:30:37 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4H2TqK2Nzvz2y0B; Sun, 5 Sep 2021 11:30:37 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4H2TqH6MHbz2xLr for <development@lists.ipfire.org>; Sun, 5 Sep 2021 11:30:35 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4H2TqH2D9kz18F; Sun, 5 Sep 2021 11:30:35 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1630841435; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AxmfCcGrC/rFL+erzMa8wmzH7OO0ErDAWJ5Vv81LQRE=; b=XyBB/zCVUZFhW2jTaJ+cSMqi9CU4Q655Z34HAoYNYKWuzUFHdKhWh7ZO2E0Fkqqt4aJPHu S45+t8F6+PQMdIAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1630841435; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AxmfCcGrC/rFL+erzMa8wmzH7OO0ErDAWJ5Vv81LQRE=; b=uHzFatfkaqYiPhV4a7mn+hksmKQY8UsKAoY44YqxNHzYl39+oAgFnDNJUVmEzKYVaSum+D TNyfCvbbmgzZvkyhNF5KfEw8gG85eIHYUbHZrc73e8uUEh2V3W8egtsHNCIBzJlRoouyZZ z+HjXQefuJ4AUkjU6P25yvBmA4EALiqBQo2SGrv7WGPZDHAMTl08bbxfRHgmd9+ryeXz+i G5ak6AkeJOyz7Qmvo9zBT65TuKJYdMfplmOoHqr6e+5XehT+W+gFpFsIkRZMefQpYyWcSr wD2jF8qLku7mCYKpnUZWDJJL2U9MXY5y4rksd89s1XP5Wlzc8osHAkXnJjWeLg== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] libssh: Update to version 0.9.6 Date: Sun, 5 Sep 2021 13:30:32 +0200 Message-Id: <20210905113032.4300-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
libssh: Update to version 0.9.6
|
|
Commit Message
Adolf Belka
Sept. 5, 2021, 11:30 a.m. UTC
- Update from 0.9.3 to 0.9.6
0.9.4 and 0.9.6 are security releases
- Update rootfile
- Changelog
libssh 0.9.6 security release
This is a security release of libssh to address CVE-2021-3634 (moderate impact), a
possible heap-buffer overflow when rekeying. A workaround exists. More details can be
found in the advisory.
In addition the 0.9.6 version addresses some memory leaks in error path, an AEAD
handshake and some more.
CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism
Fix several memory leaks on error paths
Reset pending_call_state on disconnect
Fix handshake bug with AEAD ciphers and no HMAC overlap
Use OPENSSL_CRYPTO_LIBRARIES in CMake
Ignore request success and failure message if they are not expected
Support more identity files in configuration
Avoid setting compiler flags directly in CMake
Support build directories with special characters
Include stdlib.h to avoid crash in Windows
Fix sftp_new_channel constructs an invalid object
Fix Ninja multiple rules error
Several tests fixes
libssh 0.9.5
The libssh team is happy to announce another bugfix release of libssh as version
0.9.5. It offers bug fixes for several issues found by our users.
This includes a fix for CVE-2020-16135, however we do not see how this would be
exploitable at all. If you find a security bug in libssh please don’t just assign a
CVE, talk to us first.
CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
Improve handling of library initialization (T222)
Fix parsing of subsecond times in SFTP (T219)
Make the documentation reproducible
Remove deprecated API usage in OpenSSL
Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
Define version in one place (T226)
Prevent invalid free when using different C runtimes than OpenSSL (T229)
Compatibility improvements to testsuite
libssh 0.9.4 security release
This is a security release of libssh to address CVE-2020-1730 (moderate impact), a
possible Denial of Service (DoS) in client and server when handling AES-CTR keys with
OpenSSL. A workaround exists. More details can be found in the advisory.
In addition the this version addresses several memory leaks and adds support for
diffie-hellman-group14-sha256 key exchange.
Fixed CVE-2020-1730 (Possible DoS in client and server when handling AES-CTR keys with OpenSSL)
Added diffie-hellman-group14-sha256
Fixed several possible memory leaks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/libssh | 3 ++-
lfs/libssh | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> > On 5 Sep 2021, at 12:30, Adolf Belka <adolf.belka@ipfire.org> wrote: > > - Update from 0.9.3 to 0.9.6 > 0.9.4 and 0.9.6 are security releases > - Update rootfile > - Changelog > libssh 0.9.6 security release > This is a security release of libssh to address CVE-2021-3634 (moderate impact), a > possible heap-buffer overflow when rekeying. A workaround exists. More details can be > found in the advisory. > In addition the 0.9.6 version addresses some memory leaks in error path, an AEAD > handshake and some more. > CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism > Fix several memory leaks on error paths > Reset pending_call_state on disconnect > Fix handshake bug with AEAD ciphers and no HMAC overlap > Use OPENSSL_CRYPTO_LIBRARIES in CMake > Ignore request success and failure message if they are not expected > Support more identity files in configuration > Avoid setting compiler flags directly in CMake > Support build directories with special characters > Include stdlib.h to avoid crash in Windows > Fix sftp_new_channel constructs an invalid object > Fix Ninja multiple rules error > Several tests fixes > libssh 0.9.5 > The libssh team is happy to announce another bugfix release of libssh as version > 0.9.5. It offers bug fixes for several issues found by our users. > This includes a fix for CVE-2020-16135, however we do not see how this would be > exploitable at all. If you find a security bug in libssh please don’t just assign a > CVE, talk to us first. > CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232) > Improve handling of library initialization (T222) > Fix parsing of subsecond times in SFTP (T219) > Make the documentation reproducible > Remove deprecated API usage in OpenSSL > Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN > Define version in one place (T226) > Prevent invalid free when using different C runtimes than OpenSSL (T229) > Compatibility improvements to testsuite > libssh 0.9.4 security release > This is a security release of libssh to address CVE-2020-1730 (moderate impact), a > possible Denial of Service (DoS) in client and server when handling AES-CTR keys with > OpenSSL. A workaround exists. More details can be found in the advisory. > In addition the this version addresses several memory leaks and adds support for > diffie-hellman-group14-sha256 key exchange. > Fixed CVE-2020-1730 (Possible DoS in client and server when handling AES-CTR keys with OpenSSL) > Added diffie-hellman-group14-sha256 > Fixed several possible memory leaks > > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > config/rootfiles/common/libssh | 3 ++- > lfs/libssh | 4 ++-- > 2 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/config/rootfiles/common/libssh b/config/rootfiles/common/libssh > index 0bde1b45d..ffb5ad59e 100644 > --- a/config/rootfiles/common/libssh > +++ b/config/rootfiles/common/libssh > @@ -2,6 +2,7 @@ > #usr/include/libssh/callbacks.h > #usr/include/libssh/legacy.h > #usr/include/libssh/libssh.h > +#usr/include/libssh/libssh_version.h > #usr/include/libssh/libsshpp.hpp > #usr/include/libssh/server.h > #usr/include/libssh/sftp.h > @@ -12,5 +13,5 @@ > #usr/lib/cmake/libssh/libssh-config.cmake > #usr/lib/libssh.so > usr/lib/libssh.so.4 > -usr/lib/libssh.so.4.8.4 > +usr/lib/libssh.so.4.8.7 > #usr/lib/pkgconfig/libssh.pc > diff --git a/lfs/libssh b/lfs/libssh > index 4eaddcd70..d08e91146 100644 > --- a/lfs/libssh > +++ b/lfs/libssh > @@ -24,7 +24,7 @@ > > include Config > > -VER = 0.9.3 > +VER = 0.9.6 > > THISAPP = libssh-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = f35e9ad384f29375718682a88a3885da > +$(DL_FILE)_MD5 = 0174df377361221a31a9576afbaba330 > > install : $(TARGET) > > -- > 2.33.0 >
diff --git a/config/rootfiles/common/libssh b/config/rootfiles/common/libssh index 0bde1b45d..ffb5ad59e 100644 --- a/config/rootfiles/common/libssh +++ b/config/rootfiles/common/libssh @@ -2,6 +2,7 @@ #usr/include/libssh/callbacks.h #usr/include/libssh/legacy.h #usr/include/libssh/libssh.h +#usr/include/libssh/libssh_version.h #usr/include/libssh/libsshpp.hpp #usr/include/libssh/server.h #usr/include/libssh/sftp.h @@ -12,5 +13,5 @@ #usr/lib/cmake/libssh/libssh-config.cmake #usr/lib/libssh.so usr/lib/libssh.so.4 -usr/lib/libssh.so.4.8.4 +usr/lib/libssh.so.4.8.7 #usr/lib/pkgconfig/libssh.pc diff --git a/lfs/libssh b/lfs/libssh index 4eaddcd70..d08e91146 100644 --- a/lfs/libssh +++ b/lfs/libssh @@ -24,7 +24,7 @@ include Config -VER = 0.9.3 +VER = 0.9.6 THISAPP = libssh-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f35e9ad384f29375718682a88a3885da +$(DL_FILE)_MD5 = 0174df377361221a31a9576afbaba330 install : $(TARGET)