SUSE-RU-2023:4066-1: moderate: Recommended update for libssh2_org
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Thu Oct 12 16:30:03 UTC 2023
# Recommended update for libssh2_org
Announcement ID: SUSE-RU-2023:4066-1
Rating: moderate
References:
* PED-5721
* SLE-16922
Affected Products:
* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
* SUSE Linux Enterprise Software Development Kit 12 SP5
An update that contains two features can now be installed.
## Description:
This update for libssh2_org fixes the following issues:
libssh2_org was upgraded to version 1.11.0 in SUSE Linux Enterprise Server 12
SP5 (jsc#PED-5721)
Version update to 1.11.0:
* Enhancements and bugfixes:
* Adds support for encrypt-then-mac (ETM) MACs
* Adds support for AES-GCM crypto protocols
* Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys
* Adds support for RSA certificate authentication
* Adds FIDO support with *_sk() functions
* Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends
* Adds Agent Forwarding and libssh2_agent_sign()
* Adds support for Channel Signal message libssh2_channel_signal_ex()
* Adds support to get the user auth banner message libssh2_userauth_banner()
* Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519, AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options
* Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex()
* Adds wolfSSL support to CMake file
* Adds mbedTLS 3.x support
* Adds LibreSSL 3.5 support
* Adds support for CMake "unity" builds
* Adds CMake support for building shared and static libs in a single pass
* Adds symbol hiding support to CMake
* Adds support for libssh2.rc for all build tools
* Adds .zip, .tar.xz and .tar.bz2 release tarballs
* Enables ed25519 key support for LibreSSL 3.7.0 or higher
* Improves OpenSSL 1.1 and 3 compatibility
* Now requires OpenSSL 1.0.2 or newer
* Now requires CMake 3.1 or newer
* SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs
* SFTP: No longer has a packet limit when reading a directory
* SFTP: now parses attribute extensions if they exist
* SFTP: no longer will busy loop if SFTP fails to initialize
* SFTP: now clear various errors as expected
* SFTP: no longer skips files if the line buffer is too small
* SCP: add option to not quote paths
* SCP: Enables 64-bit offset support unconditionally
* Now skips leading \r and \n characters in banner_receive()
* Enables secure memory zeroing with all build tools on all platforms
* No longer logs SSH_MSG_REQUEST_FAILURE packets from keepalive
* Speed up base64 encoding by 7x
* Assert if there is an attempt to write a value that is too large
* WinCNG: fix memory leak in _libssh2_dh_secret()
* Added protection against possible null pointer dereferences
* Agent now handles overly large comment lengths
* Now ensure KEX replies don't include extra bytes
* Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER
* Fixed possible buffer overflow in keyboard interactive code path
* Fixed overlapping memcpy()
* Fixed DLL import name
* Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows
* Support for building with gcc versions older than 8
* Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files
* Restores ANSI C89 compliance
* Enabled new compiler warnings and fixed/silenced them
* Improved error messages
* Now uses CIFuzz
* Numerous minor code improvements
* Improvements to CI builds
* Improvements to unit tests
* Improvements to doc files
* Improvements to example files
* Removed "old gex" build option
* Removed no-encryption/no-mac builds
* Removed support for NetWare and Watcom wmake build files
Version update to 1.10.0:
* Enhancements and bugfixes:
* support ECDSA certificate authentication
* fix detailed _libssh2_error being overwritten by generic errors
* unified error handling
* fix _libssh2_random() silently discarding errors
* don't error if using keys without RSA
* avoid OpenSSL latent error in FIPS mode
* fix EVP_Cipher interface change in openssl 3
* fix potential overwrite of buffer when reading stdout of command
* use string_buf in ecdh_sha2_nistp() to avoid attempting to parse malformed data
* correct a typo which may lead to stack overflow
* fix random big number generation to match openssl
* added key exchange group16-sha512 and group18-sha512.
* add support for an OSS Fuzzer fuzzing target
* adds support for ECDSA for both key exchange and host key algorithms
* clean up curve25519 code
* update the min, preferred and max DH group values based on RFC 8270.
* changed type of LIBSSH2_FX_* constants to unsigned long
* added diffie-hellman-group14-sha256 kex
* fix for use of uninitialized aes_ctr_cipher.key_len when using HAVE_OPAQUE_STRUCTS, regression
* fixes memory leaks and use after free AES EVP_CIPHER contexts when using OpenSSL 1.0.x.
* fixes crash with delayed compression option using Bitvise server.
* adds support for PKIX key reading
* use new API to parse data in packet_x11_open() for better bounds checking.
* double the static buffer size when reading and writing known hosts
* improved bounds checking in packet_queue_listener
* improve message parsing (CVE-2019-17498)
* improve bounds checking in kex_agree_methods()
* adding SSH agent forwarding.
* fix agent forwarding message, updated example.
* added integration test code and cmake target. Added example to cmake list.
* don't call `libssh2_crypto_exit()` until `_libssh2_initialized` count is down to zero.
* add an EWOULDBLOCK check for better portability
* fix off by one error when loading public keys with no id
* fix use-after-free crash on reinitialization of openssl backend
* preserve error info from agent_list_identities()
* make sure the error code is set in _libssh2_channel_open()
* fixed misspellings
* fix potential typecast error for `_libssh2_ecdsa_key_get_curve_type`
* rename _libssh2_ecdsa_key_get_curve_type to _libssh2_ecdsa_get_curve_type
Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922]
* Enhancements and bugfixes:
* adds ECDSA keys and host key support when using OpenSSL
* adds ED25519 key and host key support when using OpenSSL 1.1.1
* adds OpenSSH style key file reading
* adds AES CTR mode support when using WinCNG
* adds PEM passphrase protected file support for Libgcrypt and WinCNG
* adds SHA256 hostkey fingerprint
* adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
* adds explicit zeroing of sensitive data in memory
* adds additional bounds checks to network buffer reads
* adds the ability to use the server default permissions when creating sftp directories
* adds support for building with OpenSSL no engine flag
* adds support for building with LibreSSL
* increased sftp packet size to 256k
* fixed oversized packet handling in sftp
* fixed building with OpenSSL 1.1
* fixed a possible crash if sftp stat gets an unexpected response
* fixed incorrect parsing of the KEX preference string value
* fixed conditional RSA and AES-CTR support
* fixed a small memory leak during the key exchange process
* fixed a possible memory leak of the ssh banner string
* fixed various small memory leaks in the backends
* fixed possible out of bounds read when parsing public keys from the server
* fixed possible out of bounds read when parsing invalid PEM files
* no longer null terminates the scp remote exec command
* now handle errors when diffie hellman key pair generation fails
* improved building instructions
* improved unit tests
* Version update to 1.8.2: [bsc#1130103]
Bug fixes: * Fixed the misapplied userauth patch that broke 1.8.1 * moved the
MAX size declarations from the public header
Update to 1.7.0
* Changes:
* libssh2_session_set_last_error: Add function
* mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
* kex: Added diffie-hellman-group-exchange-sha256 support
* many bugfixes
Update to 1.6.0
* Changes:
* Added libssh2_userauth_publickey_frommemory()
* Bug fixes:
* wait_socket: wrong use of difftime()
* userauth: Fixed prompt text no longer being copied to the prompts struct
* mingw build: allow to pass custom CFLAGS
* Let mansyntax.sh work regardless of where it is called from Init HMAC_CTX
before using it
* direct_tcpip: Fixed channel write
* WinCNG: fixed backend breakage
* OpenSSL: caused by introducing libssh2_hmac_ctx_init
* userauth.c: fix possible dereferences of a null pointer
* wincng: Added explicit clear memory feature to WinCNG backend
* openssl.c: fix possible segfault in case EVP_DigestInit fails
* wincng: fix return code of libssh2_md5_init()
* kex: do not ignore failure of libssh2_sha1_init()
* scp: fix that scp_send may transmit not initialised memory
* scp.c: improved command length calculation
* nonblocking examples: fix warning about unused tvdiff on Mac OS X
* configure: make clear-memory default but WARN if backend unsupported
* OpenSSL: Enable use of OpenSSL that doesn't have DSA
* OpenSSL: Use correct no-blowfish #define
* kex: fix libgcrypt memory leaks of bignum
* libssh2_channel_open: more detailed error message
* wincng: fixed memleak in (block) cipher destructor
Update to 1.5.0:
* Changes:
* Added Windows Cryptography API: Next Generation based backend
* Bug fixes:
* Security Advisory: Using `SSH_MSG_KEXINIT` data unbounded, CVE-2015-1782
* missing _libssh2_error in _libssh2_channel_write
* knownhost: Fix DSS keys being detected as unknown.
* knownhost: Restore behaviour of `libssh2_knownhost_writeline` with short
buffer.
* libssh2.h: on Windows, a socket is of type SOCKET, not int
* libssh2_priv.h: a 1 bit bit-field should be unsigned
* Fixed two potential use-after-frees of the payload buffer
* Fixed a few memory leaks in error paths
* userauth: Fixed an attempt to free from stack on error
* agent_list_identities: Fixed memory leak on OOM
* knownhosts: Abort if the hosts buffer is too small
* sftp_close_handle: ensure the handle is always closed
* channel_close: Close the channel even in the case of errors
* docs: added missing libssh2_session_handshake.3 file
* docs: fixed a bunch of typos
* userauth_password: pass on the underlying error code
* _libssh2_channel_forward_cancel: accessed struct after free
* _libssh2_packet_add: avoid using uninitialized memory
* _libssh2_channel_forward_cancel: avoid memory leaks on error
* _libssh2_channel_write: client spins on write when window full
* publickey_packet_receive: avoid junk in returned pointers
* channel_receive_window_adjust: store windows size always
* userauth_hostbased_fromfile: zero assign to avoid uninitialized use
* agent_connect_unix: make sure there's a trailing zero
* MinGW build: Fixed redefine warnings.
* sftpdir.c: added authentication method detection.
* Watcom build: added support for WinCNG build.
* configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS
* sftp_statvfs: fix for servers not supporting statfvs extension
* knownhost.c: use LIBSSH2_FREE macro instead of free
* Fixed compilation using mingw-w64
* knownhost.c: fixed that 'key_type_len' may be used uninitialized
* configure: Display individual crypto backends on separate lines
* agent.c: check return code of MapViewOfFile
* kex.c: fix possible NULL pointer de-reference with session->kex
* packet.c: fix possible NULL pointer de-reference within listen_state
* userauth.c: improve readability and clarity of for-loops
* packet.c: i < 256 was always true and i would overflow to 0
* kex.c: make sure mlist is not set to NULL
* session.c: check return value of session_nonblock in debug mode
* session.c: check return value of session_nonblock during startup
* userauth.c: make sure that sp_len is positive and avoid overflows
* knownhost.c: fix use of uninitialized argument variable wrote
* openssl: initialise the digest context before calling EVP_DigestInit()
* libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET
* configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib
* configure.ac: Rework crypto library detection
* configure.ac: Reorder --with-* options in --help output
* configure.ac: Call zlib zlib and not libz in text but keep option names
* Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro
* sftp: seek: Don't flush buffers on same offset
* sftp: statvfs: Along error path, reset the correct 'state' variable.
* sftp: Add support for fsync (OpenSSH extension).
* _libssh2_channel_read: fix data drop when out of window
* comp_method_zlib_decomp: Improve buffer growing algorithm
* _libssh2_channel_read: Honour window_size_initial
* window_size: redid window handling for flow control reasons
* knownhosts: handle unknown key types
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Software Development Kit 12 SP5
zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-4066=1
* SUSE Linux Enterprise High Performance Computing 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1
* SUSE Linux Enterprise Server 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1
## Package List:
* SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x
x86_64)
* libssh2_org-debugsource-1.11.0-29.6.1
* libssh2-devel-1.11.0-29.6.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
* libssh2-1-debuginfo-1.11.0-29.6.1
* libssh2_org-debugsource-1.11.0-29.6.1
* libssh2-1-1.11.0-29.6.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
* libssh2-1-32bit-1.11.0-29.6.1
* libssh2-1-debuginfo-32bit-1.11.0-29.6.1
* SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
* libssh2-1-debuginfo-1.11.0-29.6.1
* libssh2_org-debugsource-1.11.0-29.6.1
* libssh2-1-1.11.0-29.6.1
* SUSE Linux Enterprise Server 12 SP5 (s390x x86_64)
* libssh2-1-32bit-1.11.0-29.6.1
* libssh2-1-debuginfo-32bit-1.11.0-29.6.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
* libssh2-1-debuginfo-1.11.0-29.6.1
* libssh2_org-debugsource-1.11.0-29.6.1
* libssh2-1-1.11.0-29.6.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
* libssh2-1-32bit-1.11.0-29.6.1
* libssh2-1-debuginfo-32bit-1.11.0-29.6.1
## References:
* https://jira.suse.com/browse/PED-5721
* https://jira.suse.com/browse/SLE-16922
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20231012/dc09fe4b/attachment.htm>
More information about the sle-updates
mailing list