
security/libssh: Update to 0.9.4
Closed, Public

Authored by salvadore on Apr 11 2020, 10:15 PM.

Details

Summary

Security release to fix CVE-2020-1730.

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

I already tested it successfully with poudriere on 11.3, 12.1, 13.0 both amd64 and i386.
According to https://www.freshports.org/security/libssh/ libssh is required by default for 20 ports. I know it is a small number but building all of them 6 times (3 OS versions and 2 architectures) is a real pain on my machine, so I still would like to ask for an exp-run if possible. Does the patch look good enough? Can I ask the exp-run mentors? :-)

As for PORTREVISION bumps I think they are not necessary because the soname libssh.so.4 stays the same: is that right? On the contrary, when it will eventually become libssh.so.5 I will have to bump PORTREVISIONs, am I right?

Thanks!

Yes, please ask for the exp-run. If portmgr deems it not necessary, they will surely tell you :)

As you probably saw exp-run was successful. Shall we commit it? :)
Also please remember that although https://reviews.freebsd.org/D24377 is already approved I have a question about it, which is the reason why I am waiting to commit that one (it's the review about documenting the libssh vulnerability in vuln.xml).

Oh, I thought you had committed this already. Please make sure you ack antoine@ for the exp-run.

This revision is now accepted and ready to land. Apr 19 2020, 1:17 PM

> On the contrary, when it will eventually become libssh.so.5 I will have to bump PORTREVISIONs, am I right?

Yes.

This revision was automatically updated to reflect the committed changes.