* [Buildroot] [PATCH] package/libssh: security bump to version 0.10.6
@ 2023-12-21 14:22 Peter Korsgaard
2023-12-23 14:14 ` Thomas Petazzoni via buildroot
2024-01-07 22:42 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-12-21 14:22 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
- CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand
https://www.libssh.org/security/advisories/CVE-2023-6004.txt
- CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex
https://www.libssh.org/security/advisories/CVE-2023-48795.txt
- CVE-2023-6918: Avoid potential use of weak keys in low memory conditions
by systematically checking return values of MD functions.
https://www.libssh.org/security/advisories/CVE-2023-6918.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libssh/libssh.hash | 4 ++--
package/libssh/libssh.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/libssh/libssh.hash b/package/libssh/libssh.hash
index 0d61191842..e5eba219b5 100644
--- a/package/libssh/libssh.hash
+++ b/package/libssh/libssh.hash
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
-# https://www.libssh.org/files/0.10/libssh-0.10.5.tar.xz.asc
+# https://www.libssh.org/files/0.10/libssh-0.10.6.tar.xz.asc
# with key 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
-sha256 b60e2ff7f367b9eee2b5634d3a63303ddfede0e6a18dfca88c44a8770e7e4234 libssh-0.10.5.tar.xz
+sha256 1861d498f5b6f1741b6abc73e608478491edcf9c9d4b6630eef6e74596de9dc1 libssh-0.10.6.tar.xz
sha256 1656186e951db1c010a8485481fa94587f7e53a26d24976bef97945ad0c4df5a COPYING
diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk
index ff4cddaf91..8b995c3555 100644
--- a/package/libssh/libssh.mk
+++ b/package/libssh/libssh.mk
@@ -5,7 +5,7 @@
################################################################################
LIBSSH_VERSION_MAJOR = 0.10
-LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).5
+LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).6
LIBSSH_SOURCE = libssh-$(LIBSSH_VERSION).tar.xz
LIBSSH_SITE = https://www.libssh.org/files/$(LIBSSH_VERSION_MAJOR)
LIBSSH_LICENSE = LGPL-2.1
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: security bump to version 0.10.6
2023-12-21 14:22 [Buildroot] [PATCH] package/libssh: security bump to version 0.10.6 Peter Korsgaard
@ 2023-12-23 14:14 ` Thomas Petazzoni via buildroot
2024-01-07 22:42 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-12-23 14:14 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: buildroot
On Thu, 21 Dec 2023 15:22:49 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issues:
>
> - CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand
> https://www.libssh.org/security/advisories/CVE-2023-6004.txt
>
> - CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex
> https://www.libssh.org/security/advisories/CVE-2023-48795.txt
>
> - CVE-2023-6918: Avoid potential use of weak keys in low memory conditions
> by systematically checking return values of MD functions.
> https://www.libssh.org/security/advisories/CVE-2023-6918.txt
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/libssh/libssh.hash | 4 ++--
> package/libssh/libssh.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: security bump to version 0.10.6
2023-12-21 14:22 [Buildroot] [PATCH] package/libssh: security bump to version 0.10.6 Peter Korsgaard
2023-12-23 14:14 ` Thomas Petazzoni via buildroot
@ 2024-01-07 22:42 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-01-07 22:42 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand
> https://www.libssh.org/security/advisories/CVE-2023-6004.txt
> - CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex
> https://www.libssh.org/security/advisories/CVE-2023-48795.txt
> - CVE-2023-6918: Avoid potential use of weak keys in low memory conditions
> by systematically checking return values of MD functions.
> https://www.libssh.org/security/advisories/CVE-2023-6918.txt
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2023.02.x and 2023.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-07 22:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-21 14:22 [Buildroot] [PATCH] package/libssh: security bump to version 0.10.6 Peter Korsgaard
2023-12-23 14:14 ` Thomas Petazzoni via buildroot
2024-01-07 22:42 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox