Recommended update for libssh2_org
| Announcement ID: | SUSE-RU-2023:4066-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Affected Products: |
|
An update that contains two features can now be installed.
Description:
This update for libssh2_org fixes the following issues:
libssh2_org was upgraded to version 1.11.0 in SUSE Linux Enterprise Server 12 SP5 (jsc#PED-5721)
Version update to 1.11.0:
-
Enhancements and bugfixes:
- Adds support for encrypt-then-mac (ETM) MACs
- Adds support for AES-GCM crypto protocols
- Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys
- Adds support for RSA certificate authentication
- Adds FIDO support with *_sk() functions
- Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends
- Adds Agent Forwarding and libssh2_agent_sign()
- Adds support for Channel Signal message libssh2_channel_signal_ex()
- Adds support to get the user auth banner message libssh2_userauth_banner()
- Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519, AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options
- Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex()
- Adds wolfSSL support to CMake file
- Adds mbedTLS 3.x support
- Adds LibreSSL 3.5 support
- Adds support for CMake "unity" builds
- Adds CMake support for building shared and static libs in a single pass
- Adds symbol hiding support to CMake
- Adds support for libssh2.rc for all build tools
- Adds .zip, .tar.xz and .tar.bz2 release tarballs
- Enables ed25519 key support for LibreSSL 3.7.0 or higher
- Improves OpenSSL 1.1 and 3 compatibility
- Now requires OpenSSL 1.0.2 or newer
- Now requires CMake 3.1 or newer
- SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs
- SFTP: No longer has a packet limit when reading a directory
- SFTP: now parses attribute extensions if they exist
- SFTP: no longer will busy loop if SFTP fails to initialize
- SFTP: now clear various errors as expected
- SFTP: no longer skips files if the line buffer is too small
- SCP: add option to not quote paths
- SCP: Enables 64-bit offset support unconditionally
- Now skips leading \r and \n characters in banner_receive()
- Enables secure memory zeroing with all build tools on all platforms
- No longer logs SSH_MSG_REQUEST_FAILURE packets from keepalive
- Speed up base64 encoding by 7x
- Assert if there is an attempt to write a value that is too large
- WinCNG: fix memory leak in _libssh2_dh_secret()
- Added protection against possible null pointer dereferences
- Agent now handles overly large comment lengths
- Now ensure KEX replies don't include extra bytes
- Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER
- Fixed possible buffer overflow in keyboard interactive code path
- Fixed overlapping memcpy()
- Fixed DLL import name
- Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows
- Support for building with gcc versions older than 8
- Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files
- Restores ANSI C89 compliance
- Enabled new compiler warnings and fixed/silenced them
- Improved error messages
- Now uses CIFuzz
- Numerous minor code improvements
- Improvements to CI builds
- Improvements to unit tests
- Improvements to doc files
- Improvements to example files
- Removed "old gex" build option
- Removed no-encryption/no-mac builds
- Removed support for NetWare and Watcom wmake build files
Version update to 1.10.0:
-
Enhancements and bugfixes:
- support ECDSA certificate authentication
- fix detailed _libssh2_error being overwritten by generic errors
- unified error handling
- fix _libssh2_random() silently discarding errors
- don't error if using keys without RSA
- avoid OpenSSL latent error in FIPS mode
- fix EVP_Cipher interface change in openssl 3
- fix potential overwrite of buffer when reading stdout of command
- use string_buf in ecdh_sha2_nistp() to avoid attempting to parse malformed data
- correct a typo which may lead to stack overflow
- fix random big number generation to match openssl
- added key exchange group16-sha512 and group18-sha512.
- add support for an OSS Fuzzer fuzzing target
- adds support for ECDSA for both key exchange and host key algorithms
- clean up curve25519 code
- update the min, preferred and max DH group values based on RFC 8270.
- changed type of LIBSSH2_FX_* constants to unsigned long
- added diffie-hellman-group14-sha256 kex
- fix for use of uninitialized aes_ctr_cipher.key_len when using HAVE_OPAQUE_STRUCTS, regression
- fixes memory leaks and use after free AES EVP_CIPHER contexts when using OpenSSL 1.0.x.
- fixes crash with delayed compression option using Bitvise server.
- adds support for PKIX key reading
- use new API to parse data in packet_x11_open() for better bounds checking.
- double the static buffer size when reading and writing known hosts
- improved bounds checking in packet_queue_listener
- improve message parsing (CVE-2019-17498)
- improve bounds checking in kex_agree_methods()
- adding SSH agent forwarding.
- fix agent forwarding message, updated example.
- added integration test code and cmake target. Added example to cmake list.
- don't call
libssh2_crypto_exit()until_libssh2_initializedcount is down to zero. - add an EWOULDBLOCK check for better portability
- fix off by one error when loading public keys with no id
- fix use-after-free crash on reinitialization of openssl backend
- preserve error info from agent_list_identities()
- make sure the error code is set in _libssh2_channel_open()
- fixed misspellings
- fix potential typecast error for
_libssh2_ecdsa_key_get_curve_type - rename _libssh2_ecdsa_key_get_curve_type to _libssh2_ecdsa_get_curve_type
Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922]
-
Enhancements and bugfixes:
- adds ECDSA keys and host key support when using OpenSSL
- adds ED25519 key and host key support when using OpenSSL 1.1.1
- adds OpenSSH style key file reading
- adds AES CTR mode support when using WinCNG
- adds PEM passphrase protected file support for Libgcrypt and WinCNG
- adds SHA256 hostkey fingerprint
- adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
- adds explicit zeroing of sensitive data in memory
- adds additional bounds checks to network buffer reads
- adds the ability to use the server default permissions when creating sftp directories
- adds support for building with OpenSSL no engine flag
- adds support for building with LibreSSL
- increased sftp packet size to 256k
- fixed oversized packet handling in sftp
- fixed building with OpenSSL 1.1
- fixed a possible crash if sftp stat gets an unexpected response
- fixed incorrect parsing of the KEX preference string value
- fixed conditional RSA and AES-CTR support
- fixed a small memory leak during the key exchange process
- fixed a possible memory leak of the ssh banner string
- fixed various small memory leaks in the backends
- fixed possible out of bounds read when parsing public keys from the server
- fixed possible out of bounds read when parsing invalid PEM files
- no longer null terminates the scp remote exec command
- now handle errors when diffie hellman key pair generation fails
- improved building instructions
- improved unit tests
-
Version update to 1.8.2: [bsc#1130103]
Bug fixes: * Fixed the misapplied userauth patch that broke 1.8.1 * moved the MAX size declarations from the public header
Update to 1.7.0
- Changes:
- libssh2_session_set_last_error: Add function
- mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
- kex: Added diffie-hellman-group-exchange-sha256 support
- many bugfixes
Update to 1.6.0
-
Changes:
-
Added libssh2_userauth_publickey_frommemory()
-
Bug fixes:
-
wait_socket: wrong use of difftime()
- userauth: Fixed prompt text no longer being copied to the prompts struct
- mingw build: allow to pass custom CFLAGS
- Let mansyntax.sh work regardless of where it is called from Init HMAC_CTX before using it
- direct_tcpip: Fixed channel write
- WinCNG: fixed backend breakage
- OpenSSL: caused by introducing libssh2_hmac_ctx_init
- userauth.c: fix possible dereferences of a null pointer
- wincng: Added explicit clear memory feature to WinCNG backend
- openssl.c: fix possible segfault in case EVP_DigestInit fails
- wincng: fix return code of libssh2_md5_init()
- kex: do not ignore failure of libssh2_sha1_init()
- scp: fix that scp_send may transmit not initialised memory
- scp.c: improved command length calculation
- nonblocking examples: fix warning about unused tvdiff on Mac OS X
- configure: make clear-memory default but WARN if backend unsupported
- OpenSSL: Enable use of OpenSSL that doesn't have DSA
- OpenSSL: Use correct no-blowfish #define
- kex: fix libgcrypt memory leaks of bignum
- libssh2_channel_open: more detailed error message
- wincng: fixed memleak in (block) cipher destructor
Update to 1.5.0:
-
Changes:
-
Added Windows Cryptography API: Next Generation based backend
-
Bug fixes:
-
Security Advisory: Using
SSH_MSG_KEXINITdata unbounded, CVE-2015-1782 - missing _libssh2_error in _libssh2_channel_write
- knownhost: Fix DSS keys being detected as unknown.
- knownhost: Restore behaviour of
libssh2_knownhost_writelinewith short buffer. - libssh2.h: on Windows, a socket is of type SOCKET, not int
- libssh2_priv.h: a 1 bit bit-field should be unsigned
- Fixed two potential use-after-frees of the payload buffer
- Fixed a few memory leaks in error paths
- userauth: Fixed an attempt to free from stack on error
- agent_list_identities: Fixed memory leak on OOM
- knownhosts: Abort if the hosts buffer is too small
- sftp_close_handle: ensure the handle is always closed
- channel_close: Close the channel even in the case of errors
- docs: added missing libssh2_session_handshake.3 file
- docs: fixed a bunch of typos
- userauth_password: pass on the underlying error code
- _libssh2_channel_forward_cancel: accessed struct after free
- _libssh2_packet_add: avoid using uninitialized memory
- _libssh2_channel_forward_cancel: avoid memory leaks on error
- _libssh2_channel_write: client spins on write when window full
- publickey_packet_receive: avoid junk in returned pointers
- channel_receive_window_adjust: store windows size always
- userauth_hostbased_fromfile: zero assign to avoid uninitialized use
- agent_connect_unix: make sure there's a trailing zero
- MinGW build: Fixed redefine warnings.
- sftpdir.c: added authentication method detection.
- Watcom build: added support for WinCNG build.
- configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS
- sftp_statvfs: fix for servers not supporting statfvs extension
- knownhost.c: use LIBSSH2_FREE macro instead of free
- Fixed compilation using mingw-w64
- knownhost.c: fixed that 'key_type_len' may be used uninitialized
- configure: Display individual crypto backends on separate lines
- agent.c: check return code of MapViewOfFile
- kex.c: fix possible NULL pointer de-reference with session->kex
- packet.c: fix possible NULL pointer de-reference within listen_state
- userauth.c: improve readability and clarity of for-loops
- packet.c: i < 256 was always true and i would overflow to 0
- kex.c: make sure mlist is not set to NULL
- session.c: check return value of session_nonblock in debug mode
- session.c: check return value of session_nonblock during startup
- userauth.c: make sure that sp_len is positive and avoid overflows
- knownhost.c: fix use of uninitialized argument variable wrote
- openssl: initialise the digest context before calling EVP_DigestInit()
- libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET
- configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib
- configure.ac: Rework crypto library detection
- configure.ac: Reorder --with-* options in --help output
- configure.ac: Call zlib zlib and not libz in text but keep option names
- Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro
- sftp: seek: Don't flush buffers on same offset
- sftp: statvfs: Along error path, reset the correct 'state' variable.
- sftp: Add support for fsync (OpenSSH extension).
- _libssh2_channel_read: fix data drop when out of window
- comp_method_zlib_decomp: Improve buffer growing algorithm
- _libssh2_channel_read: Honour window_size_initial
- window_size: redid window handling for flow control reasons
- knownhosts: handle unknown key types
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Software Development Kit 12 SP5
zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-4066=1 -
SUSE Linux Enterprise High Performance Computing 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1 -
SUSE Linux Enterprise Server 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1 -
SUSE Linux Enterprise Server for SAP Applications 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4066=1
Package List:
-
SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
- libssh2-devel-1.11.0-29.6.1
- libssh2_org-debugsource-1.11.0-29.6.1
-
SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
- libssh2-1-debuginfo-1.11.0-29.6.1
- libssh2_org-debugsource-1.11.0-29.6.1
- libssh2-1-1.11.0-29.6.1
-
SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
- libssh2-1-32bit-1.11.0-29.6.1
- libssh2-1-debuginfo-32bit-1.11.0-29.6.1
-
SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
- libssh2-1-debuginfo-1.11.0-29.6.1
- libssh2_org-debugsource-1.11.0-29.6.1
- libssh2-1-1.11.0-29.6.1
-
SUSE Linux Enterprise Server 12 SP5 (s390x x86_64)
- libssh2-1-32bit-1.11.0-29.6.1
- libssh2-1-debuginfo-32bit-1.11.0-29.6.1
-
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
- libssh2-1-debuginfo-1.11.0-29.6.1
- libssh2_org-debugsource-1.11.0-29.6.1
- libssh2-1-1.11.0-29.6.1
-
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
- libssh2-1-32bit-1.11.0-29.6.1
- libssh2-1-debuginfo-32bit-1.11.0-29.6.1