From libssh2-devel-bounces@cool.haxx.se Thu Mar 11 15:57:06 2021
From: Laurent Stacul
To: libssh2-devel@cool.haxx.se
Date: Thu, 11 Mar 2021 15:56:13 +0100
Subject: Running tests inside OCI containers

Hello dear libssh2 maintainers,

I recently sent several PRs to improve the test suite execution. I will give you some context on why I did such PRs.

We, in our company, are building some kind of C/C++ open-source distribution that is compiled with different toolchains and versions of the toolchains (gcc, clang) for Linux amd64 and aarch64 architectures and different optimization options (LTO, PGO, post-processing with BOLT). All those builds are run in containers to ease the isolation from the host machines. We care a lot about the results of the unit tests of all the open-source components we build. For low-level open-source components, there is no reason to run a container, while in the case of the libssh2 project this makes perfect sense.

That's the reason why I proposed the following PR to enable the tests to be run from inside a container, and some PRs to improve the stability of the test suites:

- https://github.com/libssh2/libssh2/pull/557
- https://github.com/libssh2/libssh2/pull/559
- https://github.com/libssh2/libssh2/pull/560

I would be glad to have your feedback about them and to know if there is a chance one day they will be merged into the official distribution. For the time being, I apply those patches on our side; builds are run several times a day with no issue detected.

Thanks in advance for your feedback, and don't hesitate to tell me if some improvements are needed for those PRs to be merged.

Regards,
Laurent
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

From libssh2-devel-bounces@cool.haxx.se Thu Mar 11 18:47:10 2021
From: "Sarathe, Omprakash"
To: libssh2-devel@cool.haxx.se
Date: Thu, 11 Mar 2021 17:46:30 +0000
Subject: libssh2 V1.9.0 vulnerability CVE-2019-17498

Hi All,

As per CVE-2019-17498 there is a vulnerability in libssh2 version 1.9.0 (please see more detail below). Can you please confirm the official release date of libssh2 with the CVE-2019-17498 vulnerability fix?

CVE-2019-17498

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

With Best Regards
Omprakash

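The bug class described in the CVE text above, as an added illustration that is not libssh2's code: a constructed parser for the SSH_MSG_DISCONNECT payload (RFC 4253 section 11.1) whose bounds check subtracts from the packet length and wraps for short packets, beside the hardened check that compares each untrusted length against the bytes remaining. Packet bytes, function and struct names are constructed for this example; the weak check only reports the offset it would accept and never reads there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_DISCONNECT 1   /* RFC 4253 message number */

/* Payload layout of SSH_MSG_DISCONNECT (RFC 4253 section 11.1):
 *   byte    SSH_MSG_DISCONNECT
 *   uint32  reason code
 *   string  description   (uint32 length, then bytes)
 *   string  language tag  (uint32 length, then bytes)
 * The fixed part before the description bytes is 9 bytes; a packet that
 * also carries the language length field is at least 13 bytes long. */
#define DISCONNECT_HDR_LEN 9
#define DISCONNECT_MIN_LEN 13

static uint32_t rd_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

struct disconnect_msg {
    uint32_t reason;
    const unsigned char *desc;
    uint32_t desc_len;
    const unsigned char *lang;
    uint32_t lang_len;
};

/* Weak bounds check (constructed): `datalen - 13` is an unsigned
 * subtraction, so for 9 <= datalen < 13 it wraps to a huge value and any
 * desc_len passes. Returns 1 if the check would accept the packet and
 * writes the offset the parser would then read the language length from.
 * The offset is only reported, never dereferenced. */
int weak_check(const unsigned char *data, size_t datalen, size_t *lang_len_off)
{
    uint32_t desc_len;

    if(datalen < DISCONNECT_HDR_LEN || data[0] != SSH_MSG_DISCONNECT)
        return 0;
    desc_len = rd_u32(data + 5);
    if(desc_len < datalen - DISCONNECT_MIN_LEN) {   /* wraps when datalen < 13 */
        *lang_len_off = DISCONNECT_HDR_LEN + (size_t)desc_len;
        return 1;
    }
    return 0;
}

/* Hardened parser: pin the minimum length first, then compare each
 * untrusted length against the bytes that remain, so no subtraction can
 * go below zero. Returns 0 on success, -1 on a malformed packet. */
int parse_disconnect(const unsigned char *data, size_t datalen,
                     struct disconnect_msg *out)
{
    size_t lang_off;

    if(datalen < DISCONNECT_MIN_LEN || data[0] != SSH_MSG_DISCONNECT)
        return -1;
    out->reason = rd_u32(data + 1);
    out->desc_len = rd_u32(data + 5);
    /* the description must leave room for the 4-byte language length */
    if(out->desc_len > datalen - DISCONNECT_MIN_LEN)
        return -1;
    out->desc = data + DISCONNECT_HDR_LEN;
    lang_off = DISCONNECT_HDR_LEN + (size_t)out->desc_len;  /* <= datalen - 4 */
    out->lang_len = rd_u32(data + lang_off);
    if(out->lang_len > datalen - lang_off - 4)
        return -1;
    out->lang = data + lang_off + 4;
    return 0;
}

/* Constructed packets, not captured traffic. */
/* 10 bytes: type, reason 11, description length 0xfffffff0, one byte */
const unsigned char crafted_pkt[] = {
    SSH_MSG_DISCONNECT, 0, 0, 0, 11, 0xff, 0xff, 0xff, 0xf0, 0x00
};
/* Well-formed: reason 11 (SSH_DISCONNECT_BY_APPLICATION), "bye", "en" */
const unsigned char good_pkt[] = {
    SSH_MSG_DISCONNECT, 0, 0, 0, 11,
    0, 0, 0, 3, 'b', 'y', 'e',
    0, 0, 0, 2, 'e', 'n'
};

/* Returns 1 when the weak check accepts the crafted packet with a read
 * offset beyond its end while the hardened parser rejects it. */
int demo(void)
{
    size_t off = 0;
    struct disconnect_msg m;
    int weak_accepts = weak_check(crafted_pkt, sizeof crafted_pkt, &off);
    int hard_rejects = parse_disconnect(crafted_pkt, sizeof crafted_pkt, &m) == -1;
    return weak_accepts && off > sizeof crafted_pkt && hard_rejects;
}

int main(void)
{
    size_t off = 0;
    if(weak_check(crafted_pkt, sizeof crafted_pkt, &off))
        printf("weak check accepted a %zu-byte packet, would read at offset %zu\n",
               sizeof crafted_pkt, off);
    printf("hardened parser rejects crafted packet: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```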
From libssh2-devel-bounces@cool.haxx.se Thu Mar 11 19:29:06 2021
From: Micka
To: libssh2 development
Date: Thu, 11 Mar 2021 19:28:26 +0100
Subject: Re: libssh2 V1.9.0 vulnerability CVE-2019-17498

I found this patch:
https://github.com/Cisco-Talos/clamav-mussels-cookbook/blob/master/recipes/libssh2-1.9-patches/CVE-2019-17498-integer-overflow.patch
(not mine)

On Thu, 11 Mar 2021 at 18:49, Sarathe, Omprakash <omprakash.sarathe@siemens.com> wrote:
> Hi All,
>
> As per *CVE-2019-17498* there is a vulnerability in libssh2 version
> 1.9.0 (please see more detail below). Can you please confirm the official
> release date of libssh2 with the *CVE-2019-17498* vulnerability fix?
>
> [...]
From libssh2-devel-bounces@cool.haxx.se Thu Mar 11 19:39:49 2021
From: Micka
To: libssh2 development
Date: Thu, 11 Mar 2021 19:39:21 +0100
Subject: Re: libssh2 V1.9.0 vulnerability CVE-2019-17498

And already committed on the master branch:
https://github.com/libssh2/libssh2/pull/402

I hope that one day there will be an official release :)

Micka,

On Thu, 11 Mar 2021 at 19:28, Micka <mickamusset@gmail.com> wrote:
> I found this patch:
> https://github.com/Cisco-Talos/clamav-mussels-cookbook/blob/master/recipes/libssh2-1.9-patches/CVE-2019-17498-integer-overflow.patch
> (not mine)
>
> On Thu, 11 Mar 2021 at 18:49, Sarathe, Omprakash <omprakash.sarathe@siemens.com> wrote:
>> [...]
From libssh2-devel-bounces@cool.haxx.se Thu Mar 11 21:14:58 2021
From: Peter Stuge
To: libssh2-devel@cool.haxx.se
Date: Thu, 11 Mar 2021 20:14:14 +0000
Message-ID: <20210311201414.1389.qmail@stuge.se>
Subject: Re: libssh2 V1.9.0 vulnerability CVE-2019-17498

Micka wrote:
> https://github.com/libssh2/libssh2/pull/402

Commit dedcbd106f8e52d5586b0205bc7677e4c9868f9c

> I hope that one day there will be an official release :)

How do release engineering people (Will? Daniel?) feel about a 1.9.1 release branched off 1.9.0 with only a couple of CVE fixes cherry-picked?

//Peter

From libssh2-devel-bounces@cool.haxx.se Sun Mar 14 07:56:22 2021
From: Bacchababu Gupta
To: libssh2-devel@cool.haxx.se
Date: Sun, 14 Mar 2021 12:25:27 +0530
Subject: Libssh2 1.9.0 handshake not working with fips enable

Hi,

We are trying a program with FIPS enabled to connect to an SSH server; however, the handshake fails with error code LIBSSH2_ERROR_OUT_OF_BOUNDARY at line https://github.com/libssh2/libssh2/blob/master/src/transport.c#444

Quick help would be appreciated.

Regards,
B. A. Gupta
From libssh2-devel-bounces@cool.haxx.se Tue Mar 23 11:25:07 2021
From: Alberto Fanjul Alonso
To: libssh2-devel@cool.haxx.se
Date: Tue, 23 Mar 2021 11:24:03 +0100
Subject: Release 1.9.1

Hi,

I'm maintaining an app using libssh2, gitg:
https://gitlab.gnome.org/GNOME/gitg

A user pinged me about a CVE:
https://github.com/flathub/org.gnome.gitg/pull/18#issuecomment-804323280

and I suggested fixing it upstream, as usual, but as we provide a sandboxed package with Flatpak, all dependencies are managed by us in that workflow.

So I wanted to dig a little bit into this.

It looks like a release should be done soon:
https://github.com/libssh2/libssh2/issues/539

But it still is not. Is there any chance of a bugfix release? Can I help with that in any way?

I understand the CVE is pretty rare, but it is still interesting to learn to collaborate on libssh2.

Cheers,
Alberto