Navigation:
Browse pkgsrc
(this page)
security libssh2
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ]| 2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836) |
Log message: *: Recursive revision bump for openssl 1.1.1. |
| 2019-07-21 10:18:53 by Nia Alarie | Files touched by this commit (1) |
Log message: libssh2: Don't build examples, they're not installed anyway. |
2019-07-09 12:42:59 by Nia Alarie | Files touched by this commit (3) |  |
Log message: libssh2: Update to 1.9.0 Changes: - adds ECDSA keys and host key support when using OpenSSL - adds ED25519 key and host key support when using OpenSSL 1.1.1 - adds OpenSSH style key file reading - adds AES CTR mode support when using WinCNG - adds PEM passphrase protected file support for Libgcrypt and WinCNG - adds SHA256 hostkey fingerprint - adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() - adds explicit zeroing of sensitive data in memory - adds additional bounds checks to network buffer reads - adds the ability to use the server default permissions when creating sftp \ directories - adds support for building with OpenSSL no engine flag - adds support for building with LibreSSL - increased sftp packet size to 256k - fixed oversized packet handling in sftp - fixed building with OpenSSL 1.1 - fixed a possible crash if sftp stat gets an unexpected response - fixed incorrect parsing of the KEX preference string value - fixed conditional RSA and AES-CTR support - fixed a small memory leak during the key exchange process - fixed a possible memory leak of the ssh banner string - fixed various small memory leaks in the backends - fixed possible out of bounds read when parsing public keys from the server - fixed possible out of bounds read when parsing invalid PEM files - no longer null terminates the scp remote exec command - now handle errors when diffie hellman key pair generation fails - fixed compiling on Windows with the flag STDCALL=ON - improved building instructions - improved unit tests |
| 2019-04-01 16:21:14 by Thomas Klausner | Files touched by this commit (2) | |
Log message: libssh2: update to 1.8.2. Version 1.8.2 (25 Mar 2019) Daniel Stenberg (25 Mar 2019) - RELEASE-NOTES: version 1.8.2 - [Will Cosgrove brought this change] moved MAX size declarations #330 - [Will Cosgrove brought this change] Fixed misapplied patch (#327) Fixes for user auth |
| 2019-03-25 23:52:16 by Thomas Klausner | Files touched by this commit (2) | |
Log message: libssh2: update to 1.8.1. Version 1.8.1 (14 Mar 2019) Will Cosgrove (14 Mar 2019) - [Michael Buckley brought this change] More 1.8.0 security fixes (#316) * Defend against possible integer overflows in comp_method_zlib_decomp. * Defend against writing beyond the end of the payload in \ _libssh2_transport_read(). * Sanitize padding_length - _libssh2_transport_read(). \ https://libssh2.org/CVE-2019-3861.html This prevents an underflow resulting in a potential out-of-bounds read if a \ server sends a too-large padding_length, possibly with malicious intent. * Prevent zero-byte allocation in sftp_packet_read() which could lead to an \ out-of-bounds read. https://libssh2.org/CVE-2019-3858.html * Check the length of data passed to sftp_packet_add() to prevent \ out-of-bounds reads. * Add a required_size parameter to sftp_packet_require et. al. to require \ callers of these functions to handle packets that are too short. \ https://libssh2.org/CVE-2019-3860.html * Additional length checks to prevent out-of-bounds reads and writes in \ _libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html GitHub (14 Mar 2019) - [Will Cosgrove brought this change] 1.8 Security fixes (#314) * fixed possible integer overflow in packet_length CVE https://www.libssh2.org/CVE-2019-3861.html * fixed possible interger overflow with userauth_keyboard_interactive CVE https://www.libssh2.org/CVE-2019-3856.html * fixed possible out zero byte/incorrect bounds allocation CVE https://www.libssh2.org/CVE-2019-3857.html * bounds checks for response packets * fixed integer overflow in userauth_keyboard_interactive CVE https://www.libssh2.org/CVE-2019-3863.html |
| 2016-10-31 17:18:02 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
Updated libssh2 to 1.8.0.
Version 1.8.0 (25 Oct 2016)
Daniel Stenberg (25 Oct 2016)
- RELEASE-NOTES: adjusted for 1.8.0
Kamil Dudka (20 Oct 2016)
- Revert "aes: the init function fails when OpenSSL has AES support"
This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864
because it caused the compatibility code to call initialization routines
redundantly, leading to memory leakage with OpenSSL 1.1 and broken curl
test-suite in Fedora:
88 bytes in 1 blocks are definitely lost in loss record 5 of 8
at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
by 0x72C607D: CRYPTO_zalloc (mem.c:100)
by 0x72A2480: EVP_CIPHER_meth_new (cmeth_lib.c:18)
by 0x4E5A550: make_ctr_evp.isra.0 (openssl.c:407)
by 0x4E5A8E8: _libssh2_init_aes_ctr (openssl.c:471)
by 0x4E5BB5A: libssh2_init (global.c:49)
Daniel Stenberg (19 Oct 2016)
- [Charles Collicutt brought this change]
libssh2_wait_socket: Fix comparison with api_timeout to use milliseconds (#134)
Fixes #74
- [Charles Collicutt brought this change]
Set err_msg on _libssh2_wait_socket errors (#135)
- Revert "travis: Test mbedtls too"
This reverts commit 3e6de50a24815e72ec5597947f1831f6083b7da8.
Travis doesn't seem to support the mbedtls-dev package
- maketgz: support "only" to only update version number locally
and fix the date output locale
- configure: make the --with-* options override the OpenSSL default
... previously it would default to OpenSSL even with the --with-[crypto]
options used unless you specificly disabled OpenSSL. Now, enabling another
backend will automatically disable OpenSSL if the other one is found.
- [Keno Fischer brought this change]
docs: Add documentation on new cmake/configure options
- [Keno Fischer brought this change]
configure: Add support for building with mbedtls
- [wildart brought this change]
travis: Test mbedtls too
- [wildart brought this change]
crypto: add support for the mbedTLS backend
Closes #132
- [wildart brought this change]
cmake: Add CLEAR_MEMORY option, analogously to that for autoconf
- README.md: fix link typo
- README: markdown version to look nicer on github
Viktor Szakats (5 Sep 2016)
- [Taylor Holberton brought this change]
openssl: add OpenSSL 1.1.0 compatibility
Daniel Stenberg (4 Sep 2016)
- [Antenore Gatta brought this change]
tests: HAVE_NETINET_IN_H was not defined correctly (#127)
Fixes #125
- SECURITY: fix web site typo
- SECURITY: security process
GitHub (14 Aug 2016)
- [Alexander Lamaison brought this change]
Basic dockerised test suite.
This introduces a test suite for libssh2. It runs OpenSSH in a Docker
container because that works well on Windows (via docker-machine) as
well as Linux. Presumably it works on Mac too with docker-machine, but
I've not tested that.
Because the test suite is docker-machine aware, you can also run it
against a cloud provider, for more realistic network testing, by setting
your cloud provider as your active docker machine. The Appveyor CI setup
in this commit does that because Appveyor doesn't support docker
locally.
Kamil Dudka (3 Aug 2016)
- [Viktor Szakats brought this change]
misc.c: Delete unused static variables
Closes #114
Daniel Stenberg (9 Apr 2016)
- [Will Cosgrove brought this change]
Merge pull request #103 from willco007/patch-2
Fix for security issue CVE-2016-0787
Alexander Lamaison (2 Apr 2016)
- [Zenju brought this change]
Fix MSVC 14 compilation errors
For _MSC_VER == 1900 these macros are not needed and create problems:
1>C:\Program Files (x86)\Windows \
Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1925): warning C4005: 'snprintf': \
macro redefinition (compiling source file libssh2-files\src\mac.c)
1> \win32\libssh2_config.h(27): note: see previous definition of 'snprintf' \
(compiling source file libssh2-files\src\mac.c)
1>C:\Program Files (x86)\Windows \
Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1927): fatal error C1189: #error: \
Macro definition of snprintf conflicts with Standard Library function \
declaration (compiling source file libssh2-files\src\mac.c)
Daniel Stenberg (26 Mar 2016)
- [Brad Harder brought this change]
_libssh2_channel_open: speeling error fixed in channel error message
Alexander Lamaison (15 Mar 2016)
- Link with crypt32.lib on Windows.
Makes linking with static OpenSSL work again. Although it's not
required for dynamic OpenSSL, it does no harm.
Fixes #98.
- [Craig A. Berry brought this change]
Tweak VMS help file building.
Primarily this is handling cases where top-level files moved into
the docs/ directory. I also corrected a typo and removed the
claim that libssh2 is public domain.
- [Craig A. Berry brought this change]
Build with standard stat structure on VMS.
This gets us large file support, is available on any VMS release
in the last decade and more, and gives stat other modern features
such as 64-bit ino_t.
- [Craig A. Berry brought this change]
Update vms/libssh2_config.h.
VMS does have stdlib.h, gettimeofday(), and OpenSSL. The latter
is appropriate to hard-wire in the configuration because it's
installed by default as part of the base operating system and
there is currently no libgcrypt port.
- [Craig A. Berry brought this change]
VMS can't use %zd for off_t format.
%z is a C99-ism that VMS doesn't currently have; even though the
compiler is C99-compliant, the library isn't quite. The off_t used
for the st_size element of the stat can be 32-bit or 64-bit, so
detect what we've got and pick a format accordingly.
- [Craig A. Berry brought this change]
Normalize line endings in libssh2_sftp_get_channel.3.
Somehow it got Windows-style CRLF endings so convert to just LF,
for consistency as well as not to confuse tools that will regard
the \r as content (e.g. the OpenVMS help librarian).
Dan Fandrich (29 Feb 2016)
- libgcrypt: Fixed a NULL pointer dereference on OOM
Daniel Stenberg (24 Feb 2016)
- [Viktor Szakats brought this change]
url updates, HTTP => HTTPS
Closes #87
Dan Fandrich (23 Feb 2016)
- RELEASE-NOTES: removed some duplicated names
|
| 2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) | |
Log message: Bump PKGREVISION for security/openssl ABI bump. |
| 2016-02-23 23:47:18 by Thomas Klausner | Files touched by this commit (3) | |
Log message:
Update libssh2 to 1.7.0.
Changes:
libssh2_session_set_last_error: Add function
mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
WinCNG: support for SHA256/512 HMAC
kex: Added diffie-hellman-group-exchange-sha256 support
OS/400 crypto library QC3 support
Bug fixes:
diffie_hellman_sha256: convert bytes to bits CVE-2016-0787
SFTP: Increase speed and datasize in SFTP read
openssl: make libssh2_sha1 return error code
openssl: fix memleak in _libssh2_dsa_sha1_verify()
cmake: include CMake files in the release tarballs
Fix builds with Visual Studio 2015
hostkey.c: Fix compiling error when OPENSSL_NO_MD5 is defined
GNUmakefile: add support for LIBSSH2_LDFLAG_EXTRAS
GNUmakefile: add -m64 CFLAGS when targeting mingw64
kex: free server host key before allocating it (again)
SCP: add libssh2_scp_recv2 to support large (> 2GB) files on windows
channel: Detect bad usage of libssh2_channel_process_startup
userauth: Fix off by one error when reading public key file
kex: removed dupe entry from libssh2_kex_methods
_libssh2_error: Support allocating the error message
hostkey: fix invalid memory access if libssh2_dsa_new fails
hostkey: align code path of ssh_rsa_init to ssh_dss_init
libssh2.pc.in: fix the output of pkg-config --libs
wincng: fixed possible memory leak in _libssh2_wincng_hash
wincng: fixed _libssh2_wincng_hash_final return value
add OpenSSL 1.1.0-pre2 compatibility
agent_disconnect_unix: unset the agent fd after closing it
sftp: stop reading when buffer is full
sftp: Send at least one read request before reading
sftp: Don't return EAGAIN if data was written to buffer
sftp: Check read packet file offset
configure: build "silent" if possible
openssl: add OpenSSL 1.1.0-pre3-dev compatibility
GNUmakefile: list system libs after user libs
|
New packages: