[v3 0/2] libssh / libssh2 security updates
From: Leo Famulari
Subject: [v3 0/2] libssh / libssh2 security updates
Date: Wed, 24 Feb 2016 15:57:29 -0500

Here is my 3rd take on fixing CVE-2016-0739 (libssh) and CVE-2016-0787
(libssh2).

Changes:

I "backported" [0] the libssh upstream patch to the old version of libssh
that we must keep around for guile-ssh.

I cleaned up the commit messages.

I added a comment to the curl package explaining the temporary
dependency on the old, vulnerable libssh2-1.4.

[0] Debian did the same, applying the patch to libssh-0.6.3 without any
changes. We apply it to libssh-0.6.5 without any changes.

Leo Famulari (2):
  gnu: libssh2: Update to 1.7.0 [fixes CVE-2016-0787].
  gnu: libssh: Update to 0.7.3 [fixes CVE-2016-0739].

 gnu-system.am | 2 +-
 gnu/packages/curl.scm | 11 ++-
 .../patches/libssh-0.6.5-CVE-2016-0739.patch | 77 +++++++++++++++++++
 gnu/packages/patches/libssh-CVE-2014-0017.patch | 89 ----------------------
 gnu/packages/ssh.scm | 50 ++++++++----
 5 files changed, 124 insertions(+), 105 deletions(-)
 create mode 100644 gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
 delete mode 100644 gnu/packages/patches/libssh-CVE-2014-0017.patch

--
2.7.1