[Buildroot] [PATCH 1/1] package/openssh: security bump to version 9.1p1

[Buildroot] [PATCH 1/1] package/openssh: security bump to version 9.1p1

[Fabrice Fontaine]

This release contains fixes for three minor memory safety problems.
None are believed to be exploitable, but we report most memory safety
problems as potential security vulnerabilities out of caution.

 * ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
   Reported by Qualys

 * ssh-keygen(1): double free() in error path of file hashing step in
   signing/verify code; GHPR333

 * ssh-keysign(8): double-free in error path introduced in openssh-8.9

https://www.openssh.com/txt/release-9.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/openssh/openssh.hash | 4 ++--
 package/openssh/openssh.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/openssh/openssh.hash b/package/openssh/openssh.hash
index 4cfdb91484..81cea32d2c 100644
--- a/package/openssh/openssh.hash
+++ b/package/openssh/openssh.hash
@@ -1,4 +1,4 @@
-# From https://www.openssh.com/txt/release-9.0 (base64 encoded)
-sha256  03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a  openssh-9.0p1.tar.gz
+# From https://www.openssh.com/txt/release-9.1 (base64 encoded)
+sha256  19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288  openssh-9.1p1.tar.gz
 # Locally calculated
 sha256  d6807e99f3d159145c659060f57c3fa74e109faa39326dbfc38674cb550fd104  LICENCE
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 0e4253fa74..b70e327620 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-OPENSSH_VERSION_MAJOR = 9.0
+OPENSSH_VERSION_MAJOR = 9.1
 OPENSSH_VERSION_MINOR = p1
 OPENSSH_VERSION = $(OPENSSH_VERSION_MAJOR)$(OPENSSH_VERSION_MINOR)
 OPENSSH_CPE_ID_VERSION = $(OPENSSH_VERSION_MAJOR)
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/openssh: security bump to version 9.1p1

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > This release contains fixes for three minor memory safety problems.
 > None are believed to be exploitable, but we report most memory safety
 > problems as potential security vulnerabilities out of caution.

 >  * ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
 >    Reported by Qualys

 >  * ssh-keygen(1): double free() in error path of file hashing step in
 >    signing/verify code; GHPR333

 >  * ssh-keysign(8): double-free in error path introduced in openssh-8.9

 > https://www.openssh.com/txt/release-9.1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/openssh: security bump to version 9.1p1

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > This release contains fixes for three minor memory safety problems.
 > None are believed to be exploitable, but we report most memory safety
 > problems as potential security vulnerabilities out of caution.

 >  * ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
 >    Reported by Qualys

 >  * ssh-keygen(1): double free() in error path of file hashing step in
 >    signing/verify code; GHPR333

 >  * ssh-keysign(8): double-free in error path introduced in openssh-8.9

 > https://www.openssh.com/txt/release-9.1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot