./security/libssh2, SSH2 protocol library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.8.2, Package name: libssh2-1.8.2, Maintainer: pkgsrc-users

libssh2 is a library implementing the SSH2 protocol, available under
the revised BSD license.

Required to build:

Master sites:

SHA1: 9250682b0df0ab61e47cc4192f99731949f605bc
RMD160: b2b84b3fe14e4e527db4a391abd8706a8e028e23
Filesize: 839.44 KB

Version history: (Expand)

CVS history: (Expand)

   2019-04-01 16:21:14 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
libssh2: update to 1.8.2.

Version 1.8.2 (25 Mar 2019)

Daniel Stenberg (25 Mar 2019)
- RELEASE-NOTES: version 1.8.2

- [Will Cosgrove brought this change]

  moved MAX size declarations #330

- [Will Cosgrove brought this change]

  Fixed misapplied patch (#327)

  Fixes for user auth
   2019-03-25 23:52:16 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
libssh2: update to 1.8.1.

Version 1.8.1 (14 Mar 2019)

Will Cosgrove (14 Mar 2019)
- [Michael Buckley brought this change]

  More 1.8.0 security fixes (#316)

  * Defend against possible integer overflows in comp_method_zlib_decomp.

  * Defend against writing beyond the end of the payload in \ 

  * Sanitize padding_length - _libssh2_transport_read(). \ 

  This prevents an underflow resulting in a potential out-of-bounds read if a \ 
server sends a too-large padding_length, possibly with malicious intent.

  * Prevent zero-byte allocation in sftp_packet_read() which could lead to an \ 
out-of-bounds read. https://libssh2.org/CVE-2019-3858.html

  * Check the length of data passed to sftp_packet_add() to prevent \ 
out-of-bounds reads.

  * Add a required_size parameter to sftp_packet_require et. al. to require \ 
callers of these functions to handle packets that are too short. \ 

  * Additional length checks to prevent out-of-bounds reads and writes in \ 
_libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html

GitHub (14 Mar 2019)
- [Will Cosgrove brought this change]

  1.8 Security fixes (#314)

  * fixed possible integer overflow in packet_length

  CVE https://www.libssh2.org/CVE-2019-3861.html

  * fixed possible interger overflow with userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3856.html

  * fixed possible out zero byte/incorrect bounds allocation

  CVE https://www.libssh2.org/CVE-2019-3857.html

  * bounds checks for response packets

  * fixed integer overflow in userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3863.html
   2016-10-31 17:18:02 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
Updated libssh2 to 1.8.0.

Version 1.8.0 (25 Oct 2016)

Daniel Stenberg (25 Oct 2016)
- RELEASE-NOTES: adjusted for 1.8.0

Kamil Dudka (20 Oct 2016)
- Revert "aes: the init function fails when OpenSSL has AES support"

  This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864
  because it caused the compatibility code to call initialization routines
  redundantly, leading to memory leakage with OpenSSL 1.1 and broken curl
  test-suite in Fedora:

  88 bytes in 1 blocks are definitely lost in loss record 5 of 8
     at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
     by 0x72C607D: CRYPTO_zalloc (mem.c:100)
     by 0x72A2480: EVP_CIPHER_meth_new (cmeth_lib.c:18)
     by 0x4E5A550: make_ctr_evp.isra.0 (openssl.c:407)
     by 0x4E5A8E8: _libssh2_init_aes_ctr (openssl.c:471)
     by 0x4E5BB5A: libssh2_init (global.c:49)

Daniel Stenberg (19 Oct 2016)
- [Charles Collicutt brought this change]

  libssh2_wait_socket: Fix comparison with api_timeout to use milliseconds (#134)

  Fixes #74

- [Charles Collicutt brought this change]

  Set err_msg on _libssh2_wait_socket errors (#135)

- Revert "travis: Test mbedtls too"

  This reverts commit 3e6de50a24815e72ec5597947f1831f6083b7da8.

  Travis doesn't seem to support the mbedtls-dev package

- maketgz: support "only" to only update version number locally

  and fix the date output locale

- configure: make the --with-* options override the OpenSSL default

  ... previously it would default to OpenSSL even with the --with-[crypto]
  options used unless you specificly disabled OpenSSL. Now, enabling another
  backend will automatically disable OpenSSL if the other one is found.

- [Keno Fischer brought this change]

  docs: Add documentation on new cmake/configure options

- [Keno Fischer brought this change]

  configure: Add support for building with mbedtls

- [wildart brought this change]

  travis: Test mbedtls too

- [wildart brought this change]

  crypto: add support for the mbedTLS backend

  Closes #132

- [wildart brought this change]

  cmake: Add CLEAR_MEMORY option, analogously to that for autoconf

- README.md: fix link typo

- README: markdown version to look nicer on github

Viktor Szakats (5 Sep 2016)
- [Taylor Holberton brought this change]

  openssl: add OpenSSL 1.1.0 compatibility

Daniel Stenberg (4 Sep 2016)
- [Antenore Gatta brought this change]

  tests: HAVE_NETINET_IN_H was not defined correctly (#127)

  Fixes #125

- SECURITY: fix web site typo

- SECURITY: security process

GitHub (14 Aug 2016)
- [Alexander Lamaison brought this change]

  Basic dockerised test suite.

  This introduces a test suite for libssh2. It runs OpenSSH in a Docker
  container because that works well on Windows (via docker-machine) as
  well as Linux. Presumably it works on Mac too with docker-machine, but
  I've not tested that.

  Because the test suite is docker-machine aware, you can also run it
  against a cloud provider, for more realistic network testing, by setting
  your cloud provider as your active docker machine. The Appveyor CI setup
  in this commit does that because Appveyor doesn't support docker

Kamil Dudka (3 Aug 2016)
- [Viktor Szakats brought this change]

  misc.c: Delete unused static variables

  Closes #114

Daniel Stenberg (9 Apr 2016)
- [Will Cosgrove brought this change]

  Merge pull request #103 from willco007/patch-2

  Fix for security issue CVE-2016-0787

Alexander Lamaison (2 Apr 2016)
- [Zenju brought this change]

  Fix MSVC 14 compilation errors

  For _MSC_VER == 1900 these macros are not needed and create problems:

  1>C:\Program Files (x86)\Windows \ 
Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1925): warning C4005: 'snprintf': \ 
macro redefinition (compiling source file libssh2-files\src\mac.c)

  1> \win32\libssh2_config.h(27): note: see previous definition of 'snprintf' \ 
(compiling source file libssh2-files\src\mac.c)

  1>C:\Program Files (x86)\Windows \ 
Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1927): fatal error C1189: #error: \ 
Macro definition of snprintf conflicts with Standard Library function \ 
declaration (compiling source file libssh2-files\src\mac.c)

Daniel Stenberg (26 Mar 2016)
- [Brad Harder brought this change]

  _libssh2_channel_open: speeling error fixed in channel error message

Alexander Lamaison (15 Mar 2016)
- Link with crypt32.lib on Windows.

  Makes linking with static OpenSSL work again.  Although it's not
  required for dynamic OpenSSL, it does no harm.

  Fixes #98.

- [Craig A. Berry brought this change]

  Tweak VMS help file building.

  Primarily this is handling cases where top-level files moved into
  the docs/ directory.  I also corrected a typo and removed the
  claim that libssh2 is public domain.

- [Craig A. Berry brought this change]

  Build with standard stat structure on VMS.

  This gets us large file support, is available on any VMS release
  in the last decade and more, and gives stat other modern features
  such as 64-bit ino_t.

- [Craig A. Berry brought this change]

  Update vms/libssh2_config.h.

  VMS does have stdlib.h, gettimeofday(), and OpenSSL.  The latter
  is appropriate to hard-wire in the configuration because it's
  installed by default as part of the base operating system and
  there is currently no libgcrypt port.

- [Craig A. Berry brought this change]

  VMS can't use %zd for off_t format.

  %z is a C99-ism that VMS doesn't currently have; even though the
  compiler is C99-compliant, the library isn't quite.  The off_t used
  for the st_size element of the stat can be 32-bit or 64-bit, so
  detect what we've got and pick a format accordingly.

- [Craig A. Berry brought this change]

  Normalize line endings in libssh2_sftp_get_channel.3.

  Somehow it got Windows-style CRLF endings so convert to just LF,
  for consistency as well as not to confuse tools that will regard
  the \r as content (e.g. the OpenVMS help librarian).

Dan Fandrich (29 Feb 2016)
- libgcrypt: Fixed a NULL pointer dereference on OOM

Daniel Stenberg (24 Feb 2016)
- [Viktor Szakats brought this change]

  url updates, HTTP => HTTPS

  Closes #87

Dan Fandrich (23 Feb 2016)
- RELEASE-NOTES: removed some duplicated names
   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) | Package updated
Log message:
Bump PKGREVISION for security/openssl ABI bump.
   2016-02-23 23:47:18 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
Update libssh2 to 1.7.0.


    libssh2_session_set_last_error: Add function
    mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
    WinCNG: support for SHA256/512 HMAC
    kex: Added diffie-hellman-group-exchange-sha256 support
    OS/400 crypto library QC3 support

Bug fixes:

    diffie_hellman_sha256: convert bytes to bits CVE-2016-0787
    SFTP: Increase speed and datasize in SFTP read
    openssl: make libssh2_sha1 return error code
    openssl: fix memleak in _libssh2_dsa_sha1_verify()
    cmake: include CMake files in the release tarballs
    Fix builds with Visual Studio 2015
    hostkey.c: Fix compiling error when OPENSSL_NO_MD5 is defined
    GNUmakefile: add support for LIBSSH2_LDFLAG_EXTRAS
    GNUmakefile: add -m64 CFLAGS when targeting mingw64
    kex: free server host key before allocating it (again)
    SCP: add libssh2_scp_recv2 to support large (> 2GB) files on windows
    channel: Detect bad usage of libssh2_channel_process_startup
    userauth: Fix off by one error when reading public key file
    kex: removed dupe entry from libssh2_kex_methods
    _libssh2_error: Support allocating the error message
    hostkey: fix invalid memory access if libssh2_dsa_new fails
    hostkey: align code path of ssh_rsa_init to ssh_dss_init
    libssh2.pc.in: fix the output of pkg-config --libs
    wincng: fixed possible memory leak in _libssh2_wincng_hash
    wincng: fixed _libssh2_wincng_hash_final return value
    add OpenSSL 1.1.0-pre2 compatibility
    agent_disconnect_unix: unset the agent fd after closing it
    sftp: stop reading when buffer is full
    sftp: Send at least one read request before reading
    sftp: Don't return EAGAIN if data was written to buffer
    sftp: Check read packet file offset
    configure: build "silent" if possible
    openssl: add OpenSSL 1.1.0-pre3-dev compatibility
    GNUmakefile: list system libs after user libs
   2015-11-04 02:18:12 by Alistair G. Crooks | Files touched by this commit (434)
Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
   2015-07-26 19:15:35 by Niclas Rosenvik | Files touched by this commit (4) | Package updated
Log message:
Updated libssh2 to version 1.6.0.



    Added libssh2_userauth_publickey_frommemory()

Bug fixes:

    wait_socket: wrong use of difftime()
    userauth: Fixed prompt text no longer being copied to the prompts struct
    mingw build: allow to pass custom CFLAGS
    Let mansyntax.sh work regardless of where it is called from
    Init HMAC_CTX before using it
    direct_tcpip: Fixed channel write
    WinCNG: fixed backend breakage
    OpenSSL: caused by introducing libssh2_hmac_ctx_init
    userauth.c: fix possible dereferences of a null pointer
    wincng: Added explicit clear memory feature to WinCNG backend
    openssl.c: fix possible segfault in case EVP_DigestInit fails
    wincng: fix return code of libssh2_md5_init()
    kex: do not ignore failure of libssh2_sha1_init()
    scp: fix that scp_send may transmit not initialised memory
    scp.c: improved command length calculation
    nonblocking examples: fix warning about unused tvdiff on Mac OS X
    configure: make clear-memory default but WARN if backend unsupported
    OpenSSL: Enable use of OpenSSL that doesn't have DSA
    OpenSSL: Use correct no-blowfish #define
    kex: fix libgcrypt memory leaks of bignum
    libssh2_channel_open: more detailed error message
    wincng: fixed memleak in (block) cipher destructor
   2015-03-23 10:14:53 by Niclas Rosenvik | Files touched by this commit (4) | Package updated
Log message:
Update libssh2 to 1.5.0 to address CVE-2015-1782.



This release includes the following changes:

 o Added Windows Cryptography API: Next Generation based backend

This release includes the following bugfixes:

 o Security Advisory for CVE-2015-1782, using SSH_MSG_KEXINIT data unbounded
 o missing _libssh2_error in _libssh2_channel_write
 o knownhost: Fix DSS keys being detected as unknown.
 o knownhost: Restore behaviour of `libssh2_knownhost_writeline` with short buffer.
 o libssh2.h: on Windows, a socket is of type SOCKET, not int
 o libssh2_priv.h: a 1 bit bit-field should be unsigned
 o windows build: do not export externals from static library
 o Fixed two potential use-after-frees of the payload buffer
 o Fixed a few memory leaks in error paths
 o userauth: Fixed an attempt to free from stack on error
 o agent_list_identities: Fixed memory leak on OOM
 o knownhosts: Abort if the hosts buffer is too small
 o sftp_close_handle: ensure the handle is always closed
 o channel_close: Close the channel even in the case of errors
 o docs: added missing libssh2_session_handshake.3 file
 o docs: fixed a bunch of typos
 o userauth_password: pass on the underlying error code
 o _libssh2_channel_forward_cancel: accessed struct after free
 o _libssh2_packet_add: avoid using uninitialized memory
 o _libssh2_channel_forward_cancel: avoid memory leaks on error
 o _libssh2_channel_write: client spins on write when window full
 o windows build: fix build errors
 o publickey_packet_receive: avoid junk in returned pointers
 o channel_receive_window_adjust: store windows size always
 o userauth_hostbased_fromfile: zero assign to avoid uninitialized use
 o configure: change LIBS not LDFLAGS when checking for libs
 o agent_connect_unix: make sure there's a trailing zero
 o MinGW build: Fixed redefine warnings.
 o sftpdir.c: added authentication method detection.
 o Watcom build: added support for WinCNG build.
 o configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS
 o sftp_statvfs: fix for servers not supporting statfvs extension
 o knownhost.c: use LIBSSH2_FREE macro instead of free
 o Fixed compilation using mingw-w64
 o knownhost.c: fixed that 'key_type_len' may be used uninitialized
 o configure: Display individual crypto backends on separate lines
 o examples on Windows: check for WSAStartup return code
 o examples on Windows: check for socket return code
 o agent.c: check return code of MapViewOfFile
 o kex.c: fix possible NULL pointer de-reference with session->kex
 o packet.c: fix possible NULL pointer de-reference within listen_state
 o tests on Windows: check for WSAStartup return code
 o userauth.c: improve readability and clarity of for-loops
 o examples on Windows: use native SOCKET-type instead of int
 o packet.c: i < 256 was always true and i would overflow to 0
 o kex.c: make sure mlist is not set to NULL
 o session.c: check return value of session_nonblock in debug mode
 o session.c: check return value of session_nonblock during startup
 o userauth.c: make sure that sp_len is positive and avoid overflows
 o knownhost.c: fix use of uninitialized argument variable wrote
 o openssl: initialise the digest context before calling EVP_DigestInit()
 o libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET
 o configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib
 o configure.ac: Rework crypto library detection
 o configure.ac: Reorder --with-* options in --help output
 o configure.ac: Call zlib zlib and not libz in text but keep option names
 o Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro
 o sftp: seek: Don't flush buffers on same offset
 o sftp: statvfs: Along error path, reset the correct 'state' variable.
 o sftp: Add support for fsync (OpenSSH extension).
 o _libssh2_channel_read: fix data drop when out of window
 o comp_method_zlib_decomp: Improve buffer growing algorithm
 o _libssh2_channel_read: Honour window_size_initial
 o window_size: redid window handling for flow control reasons
 o knownhosts: handle unknown key types