./security/libssh2, SSH2 protocol library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.9.0nb1, Package name: libssh2-1.9.0nb1, Maintainer: pkgsrc-users

libssh2 is a library implementing the SSH2 protocol, available under
the revised BSD license.

Required to run:

Required to build:

Master sites:

SHA1: 21e98282b103307a16792e5e2d4c99beaf0b3b9c
RMD160: eb3553a9b2c05d5b6a24159db8a1478f9aea3877
Filesize: 867.726 KB

Version history: (Expand)

CVS history: (Expand)

   2020-03-12 18:46:22 by Thomas Klausner | Files touched by this commit (2)
Log message:
libssh2: add upstream bug report
   2020-03-12 18:28:10 by Thomas Klausner | Files touched by this commit (3)
Log message:
libssh2: fix unportable test(1) operator in Makefile.in

Skip check for Makefile.am.
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.
   2019-07-21 10:18:53 by Nia Alarie | Files touched by this commit (1)
Log message:
libssh2: Don't build examples, they're not installed anyway.
   2019-07-09 12:42:59 by Nia Alarie | Files touched by this commit (3) | Package updated
Log message:
libssh2: Update to 1.9.0

- adds ECDSA keys and host key support when using OpenSSL
- adds ED25519 key and host key support when using OpenSSL 1.1.1
- adds OpenSSH style key file reading
- adds AES CTR mode support when using WinCNG
- adds PEM passphrase protected file support for Libgcrypt and WinCNG
- adds SHA256 hostkey fingerprint
- adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
- adds explicit zeroing of sensitive data in memory
- adds additional bounds checks to network buffer reads
- adds the ability to use the server default permissions when creating sftp \ 
- adds support for building with OpenSSL no engine flag
- adds support for building with LibreSSL
- increased sftp packet size to 256k
- fixed oversized packet handling in sftp
- fixed building with OpenSSL 1.1
- fixed a possible crash if sftp stat gets an unexpected response
- fixed incorrect parsing of the KEX preference string value
- fixed conditional RSA and AES-CTR support
- fixed a small memory leak during the key exchange process
- fixed a possible memory leak of the ssh banner string
- fixed various small memory leaks in the backends
- fixed possible out of bounds read when parsing public keys from the server
- fixed possible out of bounds read when parsing invalid PEM files
- no longer null terminates the scp remote exec command
- now handle errors when diffie hellman key pair generation fails
- fixed compiling on Windows with the flag STDCALL=ON
- improved building instructions
- improved unit tests
   2019-04-01 16:21:14 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
libssh2: update to 1.8.2.

Version 1.8.2 (25 Mar 2019)

Daniel Stenberg (25 Mar 2019)
- RELEASE-NOTES: version 1.8.2

- [Will Cosgrove brought this change]

  moved MAX size declarations #330

- [Will Cosgrove brought this change]

  Fixed misapplied patch (#327)

  Fixes for user auth
   2019-03-25 23:52:16 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
libssh2: update to 1.8.1.

Version 1.8.1 (14 Mar 2019)

Will Cosgrove (14 Mar 2019)
- [Michael Buckley brought this change]

  More 1.8.0 security fixes (#316)

  * Defend against possible integer overflows in comp_method_zlib_decomp.

  * Defend against writing beyond the end of the payload in \ 

  * Sanitize padding_length - _libssh2_transport_read(). \ 

  This prevents an underflow resulting in a potential out-of-bounds read if a \ 
server sends a too-large padding_length, possibly with malicious intent.

  * Prevent zero-byte allocation in sftp_packet_read() which could lead to an \ 
out-of-bounds read. https://libssh2.org/CVE-2019-3858.html

  * Check the length of data passed to sftp_packet_add() to prevent \ 
out-of-bounds reads.

  * Add a required_size parameter to sftp_packet_require et. al. to require \ 
callers of these functions to handle packets that are too short. \ 

  * Additional length checks to prevent out-of-bounds reads and writes in \ 
_libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html

GitHub (14 Mar 2019)
- [Will Cosgrove brought this change]

  1.8 Security fixes (#314)

  * fixed possible integer overflow in packet_length

  CVE https://www.libssh2.org/CVE-2019-3861.html

  * fixed possible interger overflow with userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3856.html

  * fixed possible out zero byte/incorrect bounds allocation

  CVE https://www.libssh2.org/CVE-2019-3857.html

  * bounds checks for response packets

  * fixed integer overflow in userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3863.html
   2016-10-31 17:18:02 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
Updated libssh2 to 1.8.0.

Version 1.8.0 (25 Oct 2016)

Daniel Stenberg (25 Oct 2016)
- RELEASE-NOTES: adjusted for 1.8.0

Kamil Dudka (20 Oct 2016)
- Revert "aes: the init function fails when OpenSSL has AES support"

  This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864
  because it caused the compatibility code to call initialization routines
  redundantly, leading to memory leakage with OpenSSL 1.1 and broken curl
  test-suite in Fedora:

  88 bytes in 1 blocks are definitely lost in loss record 5 of 8
     at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
     by 0x72C607D: CRYPTO_zalloc (mem.c:100)
     by 0x72A2480: EVP_CIPHER_meth_new (cmeth_lib.c:18)
     by 0x4E5A550: make_ctr_evp.isra.0 (openssl.c:407)
     by 0x4E5A8E8: _libssh2_init_aes_ctr (openssl.c:471)
     by 0x4E5BB5A: libssh2_init (global.c:49)

Daniel Stenberg (19 Oct 2016)
- [Charles Collicutt brought this change]

  libssh2_wait_socket: Fix comparison with api_timeout to use milliseconds (#134)

  Fixes #74

- [Charles Collicutt brought this change]

  Set err_msg on _libssh2_wait_socket errors (#135)

- Revert "travis: Test mbedtls too"

  This reverts commit 3e6de50a24815e72ec5597947f1831f6083b7da8.

  Travis doesn't seem to support the mbedtls-dev package

- maketgz: support "only" to only update version number locally

  and fix the date output locale

- configure: make the --with-* options override the OpenSSL default

  ... previously it would default to OpenSSL even with the --with-[crypto]
  options used unless you specificly disabled OpenSSL. Now, enabling another
  backend will automatically disable OpenSSL if the other one is found.

- [Keno Fischer brought this change]

  docs: Add documentation on new cmake/configure options

- [Keno Fischer brought this change]

  configure: Add support for building with mbedtls

- [wildart brought this change]

  travis: Test mbedtls too

- [wildart brought this change]

  crypto: add support for the mbedTLS backend

  Closes #132

- [wildart brought this change]

  cmake: Add CLEAR_MEMORY option, analogously to that for autoconf

- README.md: fix link typo

- README: markdown version to look nicer on github

Viktor Szakats (5 Sep 2016)
- [Taylor Holberton brought this change]

  openssl: add OpenSSL 1.1.0 compatibility

Daniel Stenberg (4 Sep 2016)
- [Antenore Gatta brought this change]

  tests: HAVE_NETINET_IN_H was not defined correctly (#127)

  Fixes #125

- SECURITY: fix web site typo

- SECURITY: security process

GitHub (14 Aug 2016)
- [Alexander Lamaison brought this change]

  Basic dockerised test suite.

  This introduces a test suite for libssh2. It runs OpenSSH in a Docker
  container because that works well on Windows (via docker-machine) as
  well as Linux. Presumably it works on Mac too with docker-machine, but
  I've not tested that.

  Because the test suite is docker-machine aware, you can also run it
  against a cloud provider, for more realistic network testing, by setting
  your cloud provider as your active docker machine. The Appveyor CI setup
  in this commit does that because Appveyor doesn't support docker

Kamil Dudka (3 Aug 2016)
- [Viktor Szakats brought this change]

  misc.c: Delete unused static variables

  Closes #114

Daniel Stenberg (9 Apr 2016)
- [Will Cosgrove brought this change]

  Merge pull request #103 from willco007/patch-2

  Fix for security issue CVE-2016-0787

Alexander Lamaison (2 Apr 2016)
- [Zenju brought this change]

  Fix MSVC 14 compilation errors

  For _MSC_VER == 1900 these macros are not needed and create problems:

  1>C:\Program Files (x86)\Windows \ 
Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1925): warning C4005: 'snprintf': \ 
macro redefinition (compiling source file libssh2-files\src\mac.c)

  1> \win32\libssh2_config.h(27): note: see previous definition of 'snprintf' \ 
(compiling source file libssh2-files\src\mac.c)

  1>C:\Program Files (x86)\Windows \ 
Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1927): fatal error C1189: #error: \ 
Macro definition of snprintf conflicts with Standard Library function \ 
declaration (compiling source file libssh2-files\src\mac.c)

Daniel Stenberg (26 Mar 2016)
- [Brad Harder brought this change]

  _libssh2_channel_open: speeling error fixed in channel error message

Alexander Lamaison (15 Mar 2016)
- Link with crypt32.lib on Windows.

  Makes linking with static OpenSSL work again.  Although it's not
  required for dynamic OpenSSL, it does no harm.

  Fixes #98.

- [Craig A. Berry brought this change]

  Tweak VMS help file building.

  Primarily this is handling cases where top-level files moved into
  the docs/ directory.  I also corrected a typo and removed the
  claim that libssh2 is public domain.

- [Craig A. Berry brought this change]

  Build with standard stat structure on VMS.

  This gets us large file support, is available on any VMS release
  in the last decade and more, and gives stat other modern features
  such as 64-bit ino_t.

- [Craig A. Berry brought this change]

  Update vms/libssh2_config.h.

  VMS does have stdlib.h, gettimeofday(), and OpenSSL.  The latter
  is appropriate to hard-wire in the configuration because it's
  installed by default as part of the base operating system and
  there is currently no libgcrypt port.

- [Craig A. Berry brought this change]

  VMS can't use %zd for off_t format.

  %z is a C99-ism that VMS doesn't currently have; even though the
  compiler is C99-compliant, the library isn't quite.  The off_t used
  for the st_size element of the stat can be 32-bit or 64-bit, so
  detect what we've got and pick a format accordingly.

- [Craig A. Berry brought this change]

  Normalize line endings in libssh2_sftp_get_channel.3.

  Somehow it got Windows-style CRLF endings so convert to just LF,
  for consistency as well as not to confuse tools that will regard
  the \r as content (e.g. the OpenVMS help librarian).

Dan Fandrich (29 Feb 2016)
- libgcrypt: Fixed a NULL pointer dereference on OOM

Daniel Stenberg (24 Feb 2016)
- [Viktor Szakats brought this change]

  url updates, HTTP => HTTPS

  Closes #87

Dan Fandrich (23 Feb 2016)
- RELEASE-NOTES: removed some duplicated names