openSUSE-SU-2020:2129-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2020:2129-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2020:2129-1
Related
Published
2020-12-01T05:25:38Z
Modified
2020-12-01T05:25:38Z
Summary
Security update for libssh2_org
Details

This update for libssh2_org fixes the following issues:

  • Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922] Enhancements and bugfixes:

    • adds ECDSA keys and host key support when using OpenSSL
    • adds ED25519 key and host key support when using OpenSSL 1.1.1
    • adds OpenSSH style key file reading
    • adds AES CTR mode support when using WinCNG
    • adds PEM passphrase protected file support for Libgcrypt and WinCNG
    • adds SHA256 hostkey fingerprint
    • adds libssh2agentgetidentitypath() and libssh2agentsetidentitypath()
    • adds explicit zeroing of sensitive data in memory
    • adds additional bounds checks to network buffer reads
    • adds the ability to use the server default permissions when creating sftp directories
    • adds support for building with OpenSSL no engine flag
    • adds support for building with LibreSSL
    • increased sftp packet size to 256k
    • fixed oversized packet handling in sftp
    • fixed building with OpenSSL 1.1
    • fixed a possible crash if sftp stat gets an unexpected response
    • fixed incorrect parsing of the KEX preference string value
    • fixed conditional RSA and AES-CTR support
    • fixed a small memory leak during the key exchange process
    • fixed a possible memory leak of the ssh banner string
    • fixed various small memory leaks in the backends
    • fixed possible out of bounds read when parsing public keys from the server
    • fixed possible out of bounds read when parsing invalid PEM files
    • no longer null terminates the scp remote exec command
    • now handle errors when diffie hellman key pair generation fails
    • improved building instructions
    • improved unit tests
  • Version update to 1.8.2: [bsc#1130103] Bug fixes:

    • Fixed the misapplied userauth patch that broke 1.8.1
    • moved the MAX size declarations from the public header This update was imported from the SUSE:SLE-15:Update update project.
References

Affected packages

openSUSE:Leap 15.2 / libssh2_org

Package

Name
libssh2_org
Purl
pkg:rpm/opensuse/libssh2_org&distro=openSUSE%20Leap%2015.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-lp152.8.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libssh2-1": "1.9.0-lp152.8.3.1",
            "libssh2-devel": "1.9.0-lp152.8.3.1",
            "libssh2-1-32bit": "1.9.0-lp152.8.3.1"
        }
    ]
}