[v2 0/2] libssh / libssh2 security updates


From: Leo Famulari
Subject: [v2 0/2] libssh / libssh2 security updates
Date: Tue, 23 Feb 2016 18:40:43 -0500

Sorry for the noise but my last email on this subject contained an early
draft of the annotation. It's possible the patches were an earlier
revision as well, so I'm resending here.

Please disregard the first version.

These patches address CVE-2016-0739 (libssh) and CVE-2016-0786 (libssh2)
[0].

For libssh, we update to the latest upstream release, 0.7.3 [1].

Guile-ssh depends on a private package of an older version of libssh [2], so
we update that private package to the latest version supported by
guile-ssh, 0.6.5. This happens to be the previous version of our public
libssh package.

This allows us to remove the patch for CVE-2014-0017, which was fixed in
libssh-0.6.3 [3].

For libssh2, we update to the latest upstream release, 1.7.0 [4].

Many packages depend on libssh2, including curl, so we create a
temporary package of the old, vulnerable version, 1.4. When we have
rebuilt all packages affected by CVE-2016-0786, this temporary package
should be removed and curl should be made to depend on the latest
version. That future commit should state "Fixes CVE-2016-7087".

Please double check that curl does not need to be rebuilt before
applying these patches. Feel free to reorganize the changes or alter
the commit messages as desired.

[0]
http://seclists.org/oss-sec/2016/q1/408
http://www.libssh.org/archive/libssh/2016-02/0000013.html
https://libssh2.org/changes.html

[1]
http://www.libssh.org/archive/libssh/2016-02/0000013.html

[2]
https://github.com/artyom-poptsov/guile-ssh#requirements

[3]
https://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0017

[4]
https://libssh2.org/changes.html


Leo Famulari (2):
  gnu: libssh2: Update to 1.7.0.
  gnu: libssh: Update to 0.7.3.

 gnu-system.am                                   |  1 -
 gnu/packages/curl.scm                           |  2 +-
 gnu/packages/patches/libssh-CVE-2014-0017.patch | 89 -------------------------
 gnu/packages/ssh.scm                            | 48 +++++++++----
 4 files changed, 35 insertions(+), 105 deletions(-)
 delete mode 100644 gnu/packages/patches/libssh-CVE-2014-0017.patch

-- 
2.7.1
