<div class="container">
<h1>Recommended update for libssh2_org</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2023:4066-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-5721">PED-5721</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/SLE-16922">SLE-16922</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Software Development Kit 12 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that contains two features can now be installed.</p>
<h2>Description:</h2>
<p>This update for libssh2_org fixes the following issues:</p>
<p>libssh2_org was upgraded to version 1.11.0 in SUSE Linux Enterprise Server 12 SP5 (jsc#PED-5721)</p>
<p>Version update to 1.11.0:</p>
<ul>
<li>
<p>Enhancements and bugfixes:</p>
<ul>
<li>Adds support for encrypt-then-mac (ETM) MACs</li>
<li>Adds support for AES-GCM crypto protocols</li>
<li>Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys</li>
<li>Adds support for RSA certificate authentication</li>
<li>Adds FIDO support with *_sk() functions</li>
<li>Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends</li>
<li>Adds Agent Forwarding and libssh2_agent_sign()</li>
<li>Adds support for Channel Signal message libssh2_channel_signal_ex()</li>
<li>Adds support to get the user auth banner message libssh2_userauth_banner()</li>
<li>Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519,
AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options</li>
<li>Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex()</li>
<li>Adds wolfSSL support to CMake file</li>
<li>Adds mbedTLS 3.x support</li>
<li>Adds LibreSSL 3.5 support</li>
<li>Adds support for CMake "unity" builds</li>
<li>Adds CMake support for building shared and static libs in a single pass</li>
<li>Adds symbol hiding support to CMake</li>
<li>Adds support for libssh2.rc for all build tools</li>
<li>Adds .zip, .tar.xz and .tar.bz2 release tarballs</li>
<li>Enables ed25519 key support for LibreSSL 3.7.0 or higher</li>
<li>Improves OpenSSL 1.1 and 3 compatibility</li>
<li>Now requires OpenSSL 1.0.2 or newer</li>
<li>Now requires CMake 3.1 or newer</li>
<li>SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs</li>
<li>SFTP: No longer has a packet limit when reading a directory</li>
<li>SFTP: now parses attribute extensions if they exist</li>
<li>SFTP: no longer will busy loop if SFTP fails to initialize</li>
<li>SFTP: now clear various errors as expected</li>
<li>SFTP: no longer skips files if the line buffer is too small</li>
<li>SCP: add option to not quote paths</li>
<li>SCP: Enables 64-bit offset support unconditionally</li>
<li>Now skips leading \r and \n characters in banner_receive()</li>
<li>Enables secure memory zeroing with all build tools on all platforms</li>
<li>No longer logs SSH_MSG_REQUEST_FAILURE packets from keepalive</li>
<li>Speed up base64 encoding by 7x</li>
<li>Assert if there is an attempt to write a value that is too large</li>
<li>WinCNG: fix memory leak in _libssh2_dh_secret()</li>
<li>Added protection against possible null pointer dereferences</li>
<li>Agent now handles overly large comment lengths</li>
<li>Now ensure KEX replies don't include extra bytes</li>
<li>Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER</li>
<li>Fixed possible buffer overflow in keyboard interactive code path</li>
<li>Fixed overlapping memcpy()</li>
<li>Fixed DLL import name</li>
<li>Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows</li>
<li>Support for building with gcc versions older than 8</li>
<li>Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files</li>
<li>Restores ANSI C89 compliance</li>
<li>Enabled new compiler warnings and fixed/silenced them</li>
<li>Improved error messages</li>
<li>Now uses CIFuzz</li>
<li>Numerous minor code improvements</li>
<li>Improvements to CI builds</li>
<li>Improvements to unit tests</li>
<li>Improvements to doc files</li>
<li>Improvements to example files</li>
<li>Removed "old gex" build option</li>
<li>Removed no-encryption/no-mac builds</li>
<li>Removed support for NetWare and Watcom wmake build files</li>
</ul>
</li>
</ul>
<p>Version update to 1.10.0:</p>
<ul>
<li>
<p>Enhancements and bugfixes:</p>
<ul>
<li>support ECDSA certificate authentication</li>
<li>fix detailed _libssh2_error being overwritten by generic errors</li>
<li>unified error handling</li>
<li>fix _libssh2_random() silently discarding errors</li>
<li>don't error if using keys without RSA</li>
<li>avoid OpenSSL latent error in FIPS mode</li>
<li>fix EVP_Cipher interface change in openssl 3</li>
<li>fix potential overwrite of buffer when reading stdout of command</li>
<li>use string_buf in ecdh_sha2_nistp() to avoid attempting to parse malformed data</li>
<li>correct a typo which may lead to stack overflow</li>
<li>fix random big number generation to match openssl</li>
<li>added key exchange group16-sha512 and group18-sha512.</li>
<li>add support for an OSS Fuzzer fuzzing target</li>
<li>adds support for ECDSA for both key exchange and host key algorithms</li>
<li>clean up curve25519 code</li>
<li>update the min, preferred and max DH group values based on RFC 8270.</li>
<li>changed type of LIBSSH2_FX_* constants to unsigned long</li>
<li>added diffie-hellman-group14-sha256 kex</li>
<li>fix for use of uninitialized aes_ctr_cipher.key_len when using HAVE_OPAQUE_STRUCTS, regression</li>
<li>fixes memory leaks and use after free AES EVP_CIPHER contexts when using OpenSSL 1.0.x.</li>
<li>fixes crash with delayed compression option using Bitvise server.</li>
<li>adds support for PKIX key reading</li>
<li>use new API to parse data in packet_x11_open() for better bounds checking.</li>
<li>double the static buffer size when reading and writing known hosts</li>
<li>improved bounds checking in packet_queue_listener</li>
<li>improve message parsing (CVE-2019-17498)</li>
<li>improve bounds checking in kex_agree_methods()</li>
<li>adding SSH agent forwarding.</li>
<li>fix agent forwarding message, updated example.</li>
<li>added integration test code and cmake target. Added example to cmake list.</li>
<li>don't call <code>libssh2_crypto_exit()</code> until <code>_libssh2_initialized</code> count is down to zero.</li>
<li>add an EWOULDBLOCK check for better portability</li>
<li>fix off by one error when loading public keys with no id</li>
<li>fix use-after-free crash on reinitialization of openssl backend</li>
<li>preserve error info from agent_list_identities()</li>
<li>make sure the error code is set in _libssh2_channel_open()</li>
<li>fixed misspellings</li>
<li>fix potential typecast error for <code>_libssh2_ecdsa_key_get_curve_type</code></li>
<li>rename _libssh2_ecdsa_key_get_curve_type to _libssh2_ecdsa_get_curve_type</li>
</ul>
</li>
</ul>
<p>Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922]</p>
<ul>
<li>
<p>Enhancements and bugfixes:</p>
<ul>
<li>adds ECDSA keys and host key support when using OpenSSL</li>
<li>adds ED25519 key and host key support when using OpenSSL 1.1.1</li>
<li>adds OpenSSH style key file reading</li>
<li>adds AES CTR mode support when using WinCNG</li>
<li>adds PEM passphrase protected file support for Libgcrypt and WinCNG</li>
<li>adds SHA256 hostkey fingerprint</li>
<li>adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()</li>
<li>adds explicit zeroing of sensitive data in memory</li>
<li>adds additional bounds checks to network buffer reads</li>
<li>adds the ability to use the server default permissions when creating sftp directories</li>
<li>adds support for building with OpenSSL no engine flag</li>
<li>adds support for building with LibreSSL</li>
<li>increased sftp packet size to 256k</li>
<li>fixed oversized packet handling in sftp</li>
<li>fixed building with OpenSSL 1.1</li>
<li>fixed a possible crash if sftp stat gets an unexpected response</li>
<li>fixed incorrect parsing of the KEX preference string value</li>
<li>fixed conditional RSA and AES-CTR support</li>
<li>fixed a small memory leak during the key exchange process</li>
<li>fixed a possible memory leak of the ssh banner string</li>
<li>fixed various small memory leaks in the backends</li>
<li>fixed possible out of bounds read when parsing public keys from the server</li>
<li>fixed possible out of bounds read when parsing invalid PEM files</li>
<li>no longer null terminates the scp remote exec command</li>
<li>now handle errors when diffie hellman key pair generation fails</li>
<li>improved building instructions</li>
<li>improved unit tests</li>
</ul>
</li>
<li>
<p>Version update to 1.8.2: [bsc#1130103]</p>
</li>
</ul>
<p>Bug fixes:
* Fixed the misapplied userauth patch that broke 1.8.1
* moved the MAX size declarations from the public header</p>
<p>Update to 1.7.0</p>
<ul>
<li>Changes:</li>
<li>libssh2_session_set_last_error: Add function</li>
<li>mac: Add support for HMAC-SHA-256 and HMAC-SHA-512</li>
<li>kex: Added diffie-hellman-group-exchange-sha256 support</li>
<li>many bugfixes</li>
</ul>
<p>Update to 1.6.0</p>
<ul>
<li>
<p>Changes:</p>
</li>
<li>
<p>Added libssh2_userauth_publickey_frommemory()</p>
</li>
<li>
<p>Bug fixes:</p>
</li>
<li>
<p>wait_socket: wrong use of difftime()</p>
</li>
<li>userauth: Fixed prompt text no longer being copied to the prompts struct</li>
<li>mingw build: allow to pass custom CFLAGS</li>
<li>Let mansyntax.sh work regardless of where it is called from
Init HMAC_CTX before using it</li>
<li>direct_tcpip: Fixed channel write</li>
<li>WinCNG: fixed backend breakage</li>
<li>OpenSSL: caused by introducing libssh2_hmac_ctx_init</li>
<li>userauth.c: fix possible dereferences of a null pointer</li>
<li>wincng: Added explicit clear memory feature to WinCNG backend</li>
<li>openssl.c: fix possible segfault in case EVP_DigestInit fails</li>
<li>wincng: fix return code of libssh2_md5_init()</li>
<li>kex: do not ignore failure of libssh2_sha1_init()</li>
<li>scp: fix that scp_send may transmit not initialised memory</li>
<li>scp.c: improved command length calculation</li>
<li>nonblocking examples: fix warning about unused tvdiff on Mac OS X</li>
<li>configure: make clear-memory default but WARN if backend unsupported</li>
<li>OpenSSL: Enable use of OpenSSL that doesn't have DSA</li>
<li>OpenSSL: Use correct no-blowfish #define</li>
<li>kex: fix libgcrypt memory leaks of bignum</li>
<li>libssh2_channel_open: more detailed error message</li>
<li>wincng: fixed memleak in (block) cipher destructor</li>
</ul>
<p>Update to 1.5.0:</p>
<ul>
<li>
<p>Changes:</p>
</li>
<li>
<p>Added Windows Cryptography API: Next Generation based backend</p>
</li>
<li>
<p>Bug fixes:</p>
</li>
<li>
<p>Security Advisory: Using <code>SSH_MSG_KEXINIT</code> data unbounded, CVE-2015-1782</p>
</li>
<li>missing _libssh2_error in _libssh2_channel_write</li>
<li>knownhost: Fix DSS keys being detected as unknown.</li>
<li>knownhost: Restore behaviour of <code>libssh2_knownhost_writeline</code> with short buffer.</li>
<li>libssh2.h: on Windows, a socket is of type SOCKET, not int</li>
<li>libssh2_priv.h: a 1 bit bit-field should be unsigned</li>
<li>Fixed two potential use-after-frees of the payload buffer</li>
<li>Fixed a few memory leaks in error paths</li>
<li>userauth: Fixed an attempt to free from stack on error</li>
<li>agent_list_identities: Fixed memory leak on OOM</li>
<li>knownhosts: Abort if the hosts buffer is too small</li>
<li>sftp_close_handle: ensure the handle is always closed</li>
<li>channel_close: Close the channel even in the case of errors</li>
<li>docs: added missing libssh2_session_handshake.3 file</li>
<li>docs: fixed a bunch of typos</li>
<li>userauth_password: pass on the underlying error code</li>
<li>_libssh2_channel_forward_cancel: accessed struct after free</li>
<li>_libssh2_packet_add: avoid using uninitialized memory</li>
<li>_libssh2_channel_forward_cancel: avoid memory leaks on error</li>
<li>_libssh2_channel_write: client spins on write when window full</li>
<li>publickey_packet_receive: avoid junk in returned pointers</li>
<li>channel_receive_window_adjust: store windows size always</li>
<li>userauth_hostbased_fromfile: zero assign to avoid uninitialized use</li>
<li>agent_connect_unix: make sure there's a trailing zero</li>
<li>MinGW build: Fixed redefine warnings.</li>
<li>sftpdir.c: added authentication method detection.</li>
<li>Watcom build: added support for WinCNG build.</li>
<li>configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS</li>
<li>sftp_statvfs: fix for servers not supporting statfvs extension</li>
<li>knownhost.c: use LIBSSH2_FREE macro instead of free</li>
<li>Fixed compilation using mingw-w64</li>
<li>knownhost.c: fixed that 'key_type_len' may be used uninitialized</li>
<li>configure: Display individual crypto backends on separate lines</li>
<li>agent.c: check return code of MapViewOfFile</li>
<li>kex.c: fix possible NULL pointer de-reference with session->kex</li>
<li>packet.c: fix possible NULL pointer de-reference within listen_state</li>
<li>userauth.c: improve readability and clarity of for-loops</li>
<li>packet.c: i < 256 was always true and i would overflow to 0</li>
<li>kex.c: make sure mlist is not set to NULL</li>
<li>session.c: check return value of session_nonblock in debug mode</li>
<li>session.c: check return value of session_nonblock during startup</li>
<li>userauth.c: make sure that sp_len is positive and avoid overflows</li>
<li>knownhost.c: fix use of uninitialized argument variable wrote</li>
<li>openssl: initialise the digest context before calling EVP_DigestInit()</li>
<li>libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET</li>
<li>configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib</li>
<li>configure.ac: Rework crypto library detection</li>
<li>configure.ac: Reorder --with-* options in --help output</li>
<li>configure.ac: Call zlib zlib and not libz in text but keep option names</li>
<li>Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro</li>
<li>sftp: seek: Don't flush buffers on same offset</li>
<li>sftp: statvfs: Along error path, reset the correct 'state' variable.</li>
<li>sftp: Add support for fsync (OpenSSH extension).</li>
<li>_libssh2_channel_read: fix data drop when out of window</li>
<li>comp_method_zlib_decomp: Improve buffer growing algorithm</li>
<li>_libssh2_channel_read: Honour window_size_initial</li>
<li>window_size: redid window handling for flow control reasons</li>
<li>knownhosts: handle unknown key types</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Software Development Kit 12 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-4066=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing 12 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 12 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>libssh2_org-debugsource-1.11.0-29.6.1</li>
<li>libssh2-devel-1.11.0-29.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
<ul>
<li>libssh2-1-debuginfo-1.11.0-29.6.1</li>
<li>libssh2_org-debugsource-1.11.0-29.6.1</li>
<li>libssh2-1-1.11.0-29.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
<ul>
<li>libssh2-1-32bit-1.11.0-29.6.1</li>
<li>libssh2-1-debuginfo-32bit-1.11.0-29.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>libssh2-1-debuginfo-1.11.0-29.6.1</li>
<li>libssh2_org-debugsource-1.11.0-29.6.1</li>
<li>libssh2-1-1.11.0-29.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 (s390x x86_64)
<ul>
<li>libssh2-1-32bit-1.11.0-29.6.1</li>
<li>libssh2-1-debuginfo-32bit-1.11.0-29.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
<ul>
<li>libssh2-1-debuginfo-1.11.0-29.6.1</li>
<li>libssh2_org-debugsource-1.11.0-29.6.1</li>
<li>libssh2-1-1.11.0-29.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
<ul>
<li>libssh2-1-32bit-1.11.0-29.6.1</li>
<li>libssh2-1-debuginfo-32bit-1.11.0-29.6.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://jira.suse.com/browse/PED-5721">https://jira.suse.com/browse/PED-5721</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-16922">https://jira.suse.com/browse/SLE-16922</a>
</li>
</ul>
</div>