From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: Re: [PATCH 0/2] libssh / libssh2 security updates
Date: Tue, 23 Feb 2016 18:37:03 -0500
Message-ID: <20160223233703.GA10004@jasmine>
To: guix-devel@gnu.org

I mistakenly sent an earlier draft of this email. Here is the correct
message:

These patches address CVE-2016-0739 (libssh) and CVE-2016-0786 (libssh2)
[0].

For libssh, we update to the latest upstream release, 0.7.3 [1].

Guile-ssh depends on a private package of an older version of libssh [2],
so we update that private package to the latest version supported by
guile-ssh, 0.6.5. This happens to be the previous version of our public
libssh package.

This allows us to remove the patch for CVE-2014-0017, which was fixed in
libssh-0.6.3 [3].

For libssh2, we update to the latest upstream release, 1.7.0. [4]

Many packages depend on libssh2, including curl, so we create a
temporary package of the old, vulnerable version, 1.4. When we have
rebuilt all packages affected by CVE-2016-0786, this temporary package
should be removed and curl should be made to depend on the latest
version. That future commit should state "Fixes CVE-2016-7087".

Please double check that curl does not need to be rebuilt before
applying these patches. Feel free to reorganize the changes or alter
the commit messages as desired.

[0]
http://seclists.org/oss-sec/2016/q1/408
http://www.libssh.org/archive/libssh/2016-02/0000013.html
https://libssh2.org/changes.html

[1]
http://www.libssh.org/archive/libssh/2016-02/0000013.html

[2]
https://github.com/artyom-poptsov/guile-ssh#requirements

[3]
https://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0017

[4]
https://libssh2.org/changes.html

On Tue, Feb 23, 2016 at 06:32:13PM -0500, Leo Famulari wrote:
> These patches address CVE-2016-0739 (libssh) and CVE-2016-0786 (libssh2)
> [0].
>
> For libssh, we update to the latest upstream release, 0.7.3.
>
> Guile-ssh depends on a private package of an older version of libssh [1], so
> we update that private package to the latest version supported by
> guile-ssh, 0.6.5. This happens to be the previous version of our public
> libssh package.
>
> This allows us to remove the patch for CVE-2014-0017, which was fixed in
> libssh-0.6.3 [2].
>
> For libssh2, we update to the latest upstream release, 1.7.0.
>
> Many packages depend on libssh2, including curl, so we create a
> temporary package of the old, vulnerable version, 1.4. When we have
> rebuilt all packages affected by CVE-2016-0786, this temporary package
> should be removed and curl should be made to depend on the latest
> version. That future commit should state "Fixes CVE-2016-7087".
>
> Please double check that curl does not need to be rebuilt before
> applying these patches. Feel free to reorganize the changes or alter
> the commit messages as desired.
>
> [0]
> http://seclists.org/oss-sec/2016/q1/408
> http://www.libssh.org/archive/libssh/2016-02/0000013.html
> https://libssh2.org/changes.html
>
> [1]
> https://github.com/artyom-poptsov/guile-ssh#requirements
>
> [2]
> https://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0017
>
>
> Leo Famulari (2):
>   gnu: libssh2: Update to 1.7.0.
>   gnu: libssh: Update to 0.7.3.
>
>  gnu-system.am                                   |  1 -
>  gnu/packages/curl.scm                           |  2 +-
>  gnu/packages/patches/libssh-CVE-2014-0017.patch | 89 -------------------------
>  gnu/packages/ssh.scm                            | 48 +++++++++----
>  4 files changed, 35 insertions(+), 105 deletions(-)
>  delete mode 100644 gnu/packages/patches/libssh-CVE-2014-0017.patch
>
> --
> 2.7.1
>
>
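The two questions the cover letter leaves to the reviewer (does curl need to be rebuilt once libssh2 moves to 1.7.0, and which packages still link a pre-fix libssh or libssh2 through the pinned variants) can be answered mechanically from the dependency graph. The Python below is an added example, not part of the email or of Guix itself. Its package graph is a constructed toy: only the libssh/libssh2 versions and CVE numbers come from the message; the guile-ssh, curl, git and sshfs-demo entries, their versions and their inputs are made up. It treats any version older than the release the series moves to as exposed, which is a conservative assumption rather than a statement about which versions upstream considers affected.

```python
"""Rebuild-impact and exposure check over a small package graph.

Constructed example: the graph is a toy modelled on the libssh/libssh2
update discussed in the email, not the real Guix package set.
"""
from collections import deque

# name -> (upstream project, version, direct inputs)
# The two "-0.6" / "-1.4" entries model the private/temporary variants the
# email introduces; the dependents and their versions are constructed.
PACKAGES = {
    "libssh":      ("libssh",    "0.7.3",  []),
    "libssh-0.6":  ("libssh",    "0.6.5",  []),              # private variant for guile-ssh
    "libssh2":     ("libssh2",   "1.7.0",  []),
    "libssh2-1.4": ("libssh2",   "1.4",    []),              # temporary variant pinned for curl
    "guile-ssh":   ("guile-ssh", "0.9.0",  ["libssh-0.6"]),  # version constructed
    "curl":        ("curl",      "7.47.0", ["libssh2-1.4"]), # version constructed
    "git":         ("git",       "2.7.1",  ["curl"]),        # constructed consumer of curl
    "sshfs-demo":  ("sshfs-demo", "1.0",   ["libssh2"]),     # constructed consumer of the new libssh2
}

# CVE -> (upstream project, release the series moves to / names as the fix).
# Conservative assumption: anything older than that release counts as exposed.
ADVISORIES = {
    "CVE-2016-0739": ("libssh",  "0.7.3"),
    "CVE-2014-0017": ("libssh",  "0.6.3"),   # stated in the email as fixed in 0.6.3
    "CVE-2016-0786": ("libssh2", "1.7.0"),
}


def parse_version(text):
    """Turn '0.7.3' into (0, 7, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def reverse_dependents(packages, name):
    """All packages that transitively depend on `name`.

    This is the rebuild set if `name` changes: if curl is not in
    reverse_dependents(packages, "libssh2"), updating libssh2 does not
    trigger a curl rebuild, which is exactly what the pinned variant buys.
    """
    dependents = set()
    queue = deque([name])
    while queue:
        current = queue.popleft()
        for candidate, (_, _, inputs) in packages.items():
            if current in inputs and candidate not in dependents:
                dependents.add(candidate)
                queue.append(candidate)
    return dependents


def exposed_packages(packages, advisories):
    """Map each CVE to the packages that are, or transitively depend on, a
    variant of the affected upstream older than the fixed release."""
    result = {}
    for cve, (project, fixed) in advisories.items():
        exposed = set()
        for name, (upstream, version, _) in packages.items():
            if upstream == project and parse_version(version) < parse_version(fixed):
                exposed.add(name)
                exposed |= reverse_dependents(packages, name)
        result[cve] = exposed
    return result


if __name__ == "__main__":
    print("rebuilt if libssh2 changes:    ", sorted(reverse_dependents(PACKAGES, "libssh2")))
    print("rebuilt when libssh2-1.4 goes: ", sorted(reverse_dependents(PACKAGES, "libssh2-1.4")))
    for cve, names in sorted(exposed_packages(PACKAGES, ADVISORIES).items()):
        print(f"{cve}: {sorted(names) or 'no exposed packages'}")
```

In this toy graph the libssh2 update rebuilds only sshfs-demo, so curl is untouched; the set that must be rebuilt later, when the temporary libssh2-1.4 package is dropped, is curl and git. The empty result for CVE-2014-0017 is the check that the 0.6.5 private package makes the old patch redundant, since 0.6.5 is not older than 0.6.3.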