Wednesday 11th March 2015
Fedora Project
Updated libssh2 to 1.5.0 in F-20, F-21, F-22 and Rawhide:
Security Advisory for CVE-2015-1782, using SSH_MSG_KEXINIT data unbounded
Missing _libssh2_error in _libssh2_channel_write
knownhost: Fix DSS keys being detected as unknown
knownhost: Restore behaviour of 'libssh2_knownhost_writeline' with short buffer
libssh2.h: On Windows, a socket is of type SOCKET, not int
libssh2_priv.h: A 1 bit bit-field should be unsigned
Windows build: Do not export externals from static library
Fixed two potential use-after-frees of the payload buffer
Fixed a few memory leaks in error paths
userauth: Fixed an attempt to free from stack on error
agent_list_identities: Fixed memory leak on OOM
knownhosts: Abort if the hosts buffer is too small
sftp_close_handle: Ensure the handle is always closed
channel_close: Close the channel even in the case of errors
Docs: Added missing libssh2_session_handshake.3 file
Docs: Fixed a bunch of typos
userauth_password: Pass on the underlying error code
_libssh2_channel_forward_cancel: Accessed struct after free
_libssh2_packet_add: Avoid using uninitialized memory
_libssh2_channel_forward_cancel: Avoid memory leaks on error
_libssh2_channel_write: Client spins on write when window full
Windows build: Fix build errors
publickey_packet_receive: Avoid junk in returned pointers
channel_receive_window_adjust: Store windows size always
userauth_hostbased_fromfile: Zero assign to avoid uninitialized use
configure: Change LIBS not LDFLAGS when checking for libs
agent_connect_unix: Make sure there's a trailing zero
MinGW build: Fixed redefine warnings
sftpdir.c: Added authentication method detection
Watcom build: Added support for WinCNG build
configure.ac: Replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS
sftp_statvfs: Fix for servers not supporting statvfs extension
knownhost.c: Use LIBSSH2_FREE macro instead of free
Fixed compilation using mingw-w64
knownhost.c: Fixed that 'key_type_len' may be used uninitialized
configure: Display individual crypto backends on separate lines
Examples on Windows: Check for WSAStartup return code
Examples on Windows: Check for socket return code
agent.c: Check return code of MapViewOfFile
kex.c: Fix possible NULL pointer de-reference with session->kex
packet.c: Fix possible NULL pointer de-reference within listen_state
Tests on Windows: Check for WSAStartup return code
userauth.c: Improve readability and clarity of for-loops
Examples on Windows: Use native SOCKET-type instead of int
packet.c: i < 256 was always true and i would overflow to 0
kex.c: Make sure mlist is not set to NULL
session.c: Check return value of session_nonblock in debug mode
session.c: Check return value of session_nonblock during startup
userauth.c: Make sure that sp_len is positive and avoid overflows
knownhost.c: Fix use of uninitialized argument variable wrote
openssl: Initialise the digest context before calling EVP_DigestInit()
libssh2_agent_init: Init ->fd to LIBSSH2_INVALID_SOCKET
configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib
configure.ac: Rework crypto library detection
configure.ac: Reorder --with-* options in --help output
configure.ac: Call zlib zlib and not libz in text but keep option names
Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro
sftp: seek: Don't flush buffers on same offset
sftp: statvfs: Along error path, reset the correct 'state' variable
sftp: Add support for fsync (OpenSSH extension)
_libssh2_channel_read: Fix data drop when out of window
comp_method_zlib_decomp: Improve buffer growing algorithm
_libssh2_channel_read: Honour window_size_initial
window_size: Redid window handling for flow control reasons
knownhosts: Handle unknown key types
Local Packages
Updated libssh2 to 1.5.0 as per the Fedora version
Updated perl-Variable-Magic to 0.56:
Remove lvalue uses of ERRSV (CPAN RT#101410)
Test: $ENV{$Config{ldlibpthname}} is now preserved on all platforms, which will address failures of t/17-ctl.t with unusual compilers (like icc) that link all their compiled objects to their own libraries
Test: The global destruction test is now only run on perl 5.13.4 and higher, and only if either Perl::Destruct::Level is installed or PERL_DESTRUCT_LEVEL is set and the perl is a debugging perl; this will solve rare crashes of t/15-self.t on perl 5.13.3 and older
Updated sendmail (8.15.1) to drop the sysvinit sub-package (FESCO #615)