| Message ID | 20231221142249.327382-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Series | package/libssh: security bump to version 0.10.6 |
On Thu, 21 Dec 2023 15:22:49 +0100 Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issues:
>
> - CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand
>   https://www.libssh.org/security/advisories/CVE-2023-6004.txt
>
> - CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex
>   https://www.libssh.org/security/advisories/CVE-2023-48795.txt
>
> - CVE-2023-6918: Avoid potential use of weak keys in low memory conditions
>   by systematically checking return values of MD functions.
>   https://www.libssh.org/security/advisories/CVE-2023-6918.txt
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/libssh/libssh.hash | 4 ++--
>  package/libssh/libssh.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)

Applied to master, thanks.

Thomas
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand
>   https://www.libssh.org/security/advisories/CVE-2023-6004.txt
> - CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex
>   https://www.libssh.org/security/advisories/CVE-2023-48795.txt
> - CVE-2023-6918: Avoid potential use of weak keys in low memory conditions
>   by systematically checking return values of MD functions.
>   https://www.libssh.org/security/advisories/CVE-2023-6918.txt
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2023.02.x and 2023.11.x, thanks.
diff --git a/package/libssh/libssh.hash b/package/libssh/libssh.hash index 0d61191842..e5eba219b5 100644 --- a/package/libssh/libssh.hash +++ b/package/libssh/libssh.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -# https://www.libssh.org/files/0.10/libssh-0.10.5.tar.xz.asc +# https://www.libssh.org/files/0.10/libssh-0.10.6.tar.xz.asc # with key 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D -sha256 b60e2ff7f367b9eee2b5634d3a63303ddfede0e6a18dfca88c44a8770e7e4234 libssh-0.10.5.tar.xz +sha256 1861d498f5b6f1741b6abc73e608478491edcf9c9d4b6630eef6e74596de9dc1 libssh-0.10.6.tar.xz sha256 1656186e951db1c010a8485481fa94587f7e53a26d24976bef97945ad0c4df5a COPYING diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk index ff4cddaf91..8b995c3555 100644 --- a/package/libssh/libssh.mk +++ b/package/libssh/libssh.mk @@ -5,7 +5,7 @@ ################################################################################ LIBSSH_VERSION_MAJOR = 0.10 -LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).5 +LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).6 LIBSSH_SOURCE = libssh-$(LIBSSH_VERSION).tar.xz LIBSSH_SITE = https://www.libssh.org/files/$(LIBSSH_VERSION_MAJOR) LIBSSH_LICENSE = LGPL-2.1
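Review bot: in the libssh.hash hunk the .asc URL and the tarball sha256 change while the key fingerprint comment (8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D) stays as-is, so the `# Locally calculated after checking pgp signature` comment is only as good as the re-check actually done for 0.10.6; before applying, confirm `gpg --verify libssh-0.10.6.tar.xz.asc libssh-0.10.6.tar.xz` succeeds with that key and that `sha256sum libssh-0.10.6.tar.xz` prints 1861d498f5b6f1741b6abc73e608478491edcf9c9d4b6630eef6e74596de9dc1, because the sha256 line is the value the build will enforce. The unchanged COPYING line is fine only if the LGPL-2.1 text in the new tarball is byte-identical to the 0.10.5 one, which the sha256 check of COPYING will confirm at build time.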
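Review bot: the libssh.mk hunk bumps only the minor component, so LIBSSH_VERSION_MAJOR stays 0.10 and LIBSSH_SITE still resolves to https://www.libssh.org/files/0.10, matching the new .asc URL in the hash file; nothing to change in the hunk itself. Since the diffstat lists only libssh.hash and libssh.mk, please confirm that package/libssh/ carries no local patches that would need rebasing onto 0.10.6, and mention the result in the commit message so the backport to the stable branches carries the same check.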
Fixes the following security issues:

- CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand
  https://www.libssh.org/security/advisories/CVE-2023-6004.txt

- CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex
  https://www.libssh.org/security/advisories/CVE-2023-48795.txt

- CVE-2023-6918: Avoid potential use of weak keys in low memory conditions
  by systematically checking return values of MD functions.
  https://www.libssh.org/security/advisories/CVE-2023-6918.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libssh/libssh.hash | 4 ++--
 package/libssh/libssh.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
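The `.hash` file changed by this bump is the integrity control a security bump actually hinges on: its `sha256 <digest> <file>` lines are what the build checks against the downloaded tarball. The following script is an added example, not code from the Buildroot patch or from the libssh project. It verifies a local tarball against a Buildroot-style `.hash` file, ignoring the `#` comment lines, and then shows that a tampered tarball is rejected. The tarball and `.hash` file it uses are constructed in a temporary directory so the script runs offline; in real use you would point `verify_hash` at `package/libssh/libssh.hash` and the downloaded `libssh-0.10.6.tar.xz` after checking the PGP signature the comment line refers to.

```shell
#!/bin/sh
# Added example (not from the Buildroot patch): check a downloaded tarball
# against the "sha256 <digest> <file>" entries of a Buildroot-style .hash
# file. The sample tarball and .hash file below are constructed here so the
# script runs offline.
set -eu

# Print the hex sha256 of a file, using coreutils sha256sum where present
# and falling back to perl's shasum (macOS) otherwise.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_hash HASHFILE TARBALL -> 0 on match, 1 on mismatch or missing entry.
# Comment lines (leading '#') and entries for other files are skipped because
# the awk filter only accepts records whose first field is "sha256" and whose
# third field is the tarball's basename.
verify_hash() {
    hashfile=$1
    tarball=$2
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$1 == "sha256" && $3 == f { print $2 }' "$hashfile")
    if [ -z "$expected" ]; then
        echo "FAIL: no sha256 entry for $name in $hashfile" >&2
        return 1
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: sha256 mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "OK: sha256 matches for $name"
}

# Demo on constructed data: write a fake tarball, record its digest in a
# .hash file shaped like package/libssh/libssh.hash, verify it, then append
# a byte and check that verification now fails.
# Returns 0 only if the genuine file passes and the tampered one is rejected.
demo_verify_hash() {
    dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$dir/libssh-0.10.6.tar.xz"
    digest=$(sha256_of "$dir/libssh-0.10.6.tar.xz")
    {
        echo "# Locally calculated after checking pgp signature"
        echo "sha256 $digest libssh-0.10.6.tar.xz"
        echo "sha256 0000000000000000000000000000000000000000000000000000000000000000 COPYING"
    } > "$dir/libssh.hash"

    verify_hash "$dir/libssh.hash" "$dir/libssh-0.10.6.tar.xz" || { rm -rf "$dir"; return 1; }

    printf 'X' >> "$dir/libssh-0.10.6.tar.xz"
    if verify_hash "$dir/libssh.hash" "$dir/libssh-0.10.6.tar.xz" 2>/dev/null; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

demo_verify_hash
```

The check deliberately matches on the file's basename, the same way the `.hash` entries name `libssh-0.10.6.tar.xz` without a path, and it fails closed when no entry exists rather than treating an unlisted file as acceptable.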