import UBI libssh-0.12.0-2.el10

2026-05-19 18:34:20 -04:00 · 2026-05-19 18:34:20 -04:00 · 8fa312f7b7
commit 8fa312f7b7
parent e135cee12f
9 changed files with 178 additions and 150 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-libssh-0.11.1.tar.xz
+libssh-0.12.0.tar.xz
--- a/Update-recently-added-logging-to-be-less-verbose.patch
+++ b/Update-recently-added-logging-to-be-less-verbose.patch
@ -0,0 +1,137 @@
+From 3f99712641a584c5390e0d5f67ab23ff2451f778 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <pzacik@redhat.com>
+Date: Thu, 19 Feb 2026 10:03:28 +0100
+Subject: [PATCH] Update recently added logging to be less verbose
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In 20d9642c and parent commits, log levels were
+recategorized to be less verbose when using the
+level INFO and lower. These levels should not
+print any information redundant to the end user.
+
+This commit fixes recently added uses of logging
+that are not consistent with the abovementioned
+categorization, in particular:
+
+- logs in ssh_strict_fopen should not have
+  the RARE/WARNING level since failing to open
+  a file may not be an issue at all (e.g., when
+  trying to open the knownhosts file).
+
+- logging the username used in authentication
+  or proxyjump-related information should be done
+  at the DEBUG level, otherwise it could pollute
+  the output of, e.g., curl.
+
+Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
+---
+ src/auth.c   |  2 +-
+ src/config.c |  4 +++-
+ src/misc.c   | 10 +++++-----
+ src/socket.c |  4 ++--
+ 4 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8dae696d..1f8a08b4 100644
+--- a/src/auth.c
+++ b/src/auth.c
+@@ -1397,7 +1397,7 @@ int ssh_userauth_publickey_auto(ssh_session session,
+         return SSH_AUTH_ERROR;
+     }
+ 
+-    SSH_LOG(SSH_LOG_INFO,
+    SSH_LOG(SSH_LOG_DEBUG,
+             "Starting authentication as a user %s",
+             username ? username : session->opts.username);
+ 
+diff --git a/src/config.c b/src/config.c
+index eceaba61..12eb3a71 100644
+--- a/src/config.c
+++ b/src/config.c
+@@ -258,7 +258,9 @@ local_parse_file(ssh_session session,
+ 
+     f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE);
+     if (f == NULL) {
+-        /* The underlying function logs the reasons */
+        SSH_LOG(SSH_LOG_RARE,
+                "Failed to open included configuration file %s",
+                filename);
+         return;
+     }
+ 
+diff --git a/src/misc.c b/src/misc.c
+index 0d702f7b..4b8d3616 100644
+--- a/src/misc.c
+++ b/src/misc.c
+@@ -2454,7 +2454,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+     /* open first to avoid TOCTOU */
+     fd = open(filename, O_RDONLY);
+     if (fd == -1) {
+-        SSH_LOG(SSH_LOG_RARE,
+        SSH_LOG(SSH_LOG_TRACE,
+                 "Failed to open a file %s for reading: %s",
+                 filename,
+                 ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
+@@ -2464,7 +2464,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+     /* Check the file is sensible for a configuration file */
+     r = fstat(fd, &sb);
+     if (r != 0) {
+-        SSH_LOG(SSH_LOG_RARE,
+        SSH_LOG(SSH_LOG_TRACE,
+                 "Failed to stat %s: %s",
+                 filename,
+                 ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
+@@ -2472,7 +2472,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+         return NULL;
+     }
+     if ((sb.st_mode & S_IFMT) != S_IFREG) {
+-        SSH_LOG(SSH_LOG_RARE,
+        SSH_LOG(SSH_LOG_TRACE,
+                 "The file %s is not a regular file: skipping",
+                 filename);
+         close(fd);
+@@ -2480,7 +2480,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+     }
+ 
+     if ((size_t)sb.st_size > max_file_size) {
+-        SSH_LOG(SSH_LOG_RARE,
+        SSH_LOG(SSH_LOG_TRACE,
+                 "The file %s is too large (%jd MB > %zu MB): skipping",
+                 filename,
+                 (intmax_t)sb.st_size / 1024 / 1024,
+@@ -2491,7 +2491,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+ 
+     f = fdopen(fd, "r");
+     if (f == NULL) {
+-        SSH_LOG(SSH_LOG_RARE,
+        SSH_LOG(SSH_LOG_TRACE,
+                 "Failed to open a file %s for reading: %s",
+                 filename,
+                 ssh_strerror(r, err_msg, SSH_ERRNO_MSG_MAX));
+diff --git a/src/socket.c b/src/socket.c
+index 09bc71ef..7a8bf168 100644
+--- a/src/socket.c
+++ b/src/socket.c
+@@ -1435,7 +1435,7 @@ ssh_socket_connect_proxyjump(ssh_socket s)
+ 
+     session = s->session;
+ 
+-    SSH_LOG(SSH_LOG_INFO,
+    SSH_LOG(SSH_LOG_DEBUG,
+             "Connecting to host %s port %d user %s through ProxyJump",
+             session->opts.host,
+             session->opts.port,
+@@ -1515,7 +1515,7 @@ ssh_socket_connect_proxyjump(ssh_socket s)
+     /* transferred to the jump_thread_data */
+     jump_session = NULL;
+ 
+-    SSH_LOG(SSH_LOG_INFO,
+    SSH_LOG(SSH_LOG_DEBUG,
+             "Starting proxy thread to host %s port %d user %s, callbacks=%p",
+             jump_thread_data->next_jump->hostname,
+             jump_thread_data->next_jump->port,
+-- 
+2.53.0
+
--- a/libssh-0.11.1-CVE-2025-5318.patch
+++ b/libssh-0.11.1-CVE-2025-5318.patch
@ -1,27 +0,0 @@
-From b47ccd17559f79bfb2d6b94d2bf84856cf06259e Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 22 Apr 2025 21:18:44 +0200
-Subject: [PATCH] CVE-2025-5318: sftpserver: Fix possible buffer overrun
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
- src/sftpserver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index 1afd8b2f..2aa28baa 100644
--- a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -704,7 +704,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle)
- 
-     memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
- 
-    if (val > SFTP_HANDLES) {
-+    if (val >= SFTP_HANDLES) {
-         return NULL;
-     }
- 
-- 
-2.50.1
-
--- a/libssh-0.11.1-CVE-2025-5987.patch
+++ b/libssh-0.11.1-CVE-2025-5987.patch
@ -1,31 +0,0 @@
-From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 6 May 2025 22:51:41 +0200
-Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha
- initialization
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
- src/libcrypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcrypto.c b/src/libcrypto.c
-index b2e95cfe..1d583bc5 100644
--- a/src/libcrypto.c
-+++ b/src/libcrypto.c
-@@ -794,9 +794,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
-         SSH_LOG(SSH_LOG_TRACE, "EVP_CIPHER_CTX_new failed");
-         goto out;
-     }
-    ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
-+    rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
-                              u8key + CHACHA20_KEYLEN, NULL);
-    if (ret != 1) {
-+    if (rv != 1) {
-         SSH_LOG(SSH_LOG_TRACE, "EVP_CipherInit failed");
-         goto out;
-     }
-- 
-2.51.0
-
--- a/libssh-0.11.1-fix-provider-loading.patch
+++ b/libssh-0.11.1-fix-provider-loading.patch
@ -1,54 +0,0 @@
-diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
--- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp	2024-10-25 11:58:50.341126170 +0200
-+++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c	2024-10-25 12:11:01.766453259 +0200
-@@ -240,6 +240,14 @@ int torture_run_tests(void) {
-                                         session_teardown),
-     };
- 
-+    /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+     * It can load a pkcs11 provider too early before we will set up environment
-+     * variables that are needed for the pkcs11 provider to access correct
-+     * tokens, causing unexpected failures.
-+     * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+     */
-+    setenv("OPENSSL_CONF", "/dev/null", 1);
-+
-     ssh_init();
-     torture_filter_tests(tests);
-     rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
-diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
--- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp	2024-10-25 11:59:22.964367137 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c	2024-10-25 12:12:51.473625481 +0200
-@@ -563,6 +563,14 @@ int torture_run_tests(void) {
-     ssh_session session = ssh_new();
-     int verbosity = SSH_LOG_FUNCTIONS;
- 
-+    /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+     * It can load a pkcs11 provider too early before we will set up environment
-+     * variables that are needed for the pkcs11 provider to access correct
-+     * tokens, causing unexpected failures.
-+     * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+     */
-+    setenv("OPENSSL_CONF", "/dev/null", 1);
-+
-     ssh_init();
-     ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
- 
-diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
--- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp	2024-10-25 11:59:49.241336178 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c	2024-10-25 12:12:10.985614709 +0200
-@@ -285,6 +285,14 @@ torture_run_tests(void)
-     ssh_session session = ssh_new();
-     int verbosity = SSH_LOG_FUNCTIONS;
- 
-+    /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+     * It can load a pkcs11 provider too early before we will set up environment
-+     * variables that are needed for the pkcs11 provider to access correct
-+     * tokens, causing unexpected failures.
-+     * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+     */
-+    setenv("OPENSSL_CONF", "/dev/null", 1);
-+
-     ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-     ssh_init();
- 
--- a/libssh-0.11.1.tar.xz.asc
+++ b/libssh-0.11.1.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmbRl74ACgkQA9XfjP3T
-6OdnSw/+IrXAbSSpjVNG5Wjz3WQjqXkWInCT+qNhcS5w+qasGW5i6mktoNJkg2Fd
-P4iRCeJEuZbOHZLWXdUaDKjmlOUIda2xA8U01uw2VrleEu05JV/s5tS1MpVOPfDi
-8+CTxPesFQ9uX9q+OojTr4QXqBDqv15sldwRVTKegNpLkk3xHUUaMjwikWKKxXG+
-ypD4UCJWKVVhen9HPRSUOtruliZFPxQSLYvj4XKJxpr/QVaORS0EsTpdYP0h1+18
-6epynp4e1/9GRTmrKa8/JcCd/4c2UnHBFpw0DU1YirLK+54/qD76o63MTbo7mKru
-cgfypfA/sdeklGTZYLrCyizcrSc2poaTznczUZC6gi3FxivLoldFyDgXeSQWEieB
-QTGgnaLkB2Y2XuBl9F9MatqFC35TBuUUwHBoEa31acQhmotui5tF4oq/JxRtZi8v
-OyrTYc/xfmDh4SbWuEVqr6B2SZjhxrIvEGEe4adJQ/tVN2wweoNgTHt8XjBb1amB
-M9RPeXG5Uon+gIXDVzjgx+DZ85FweCEngv+OdjHPIBWsJUEc722L/gypIFnBfaPV
-JgM84wxQz2J8xyk2zEANog9M8ae5jG9TVJORO8to+gbRlKB2ZRDdDne0cgRUSWaj
-0IKsnehsxjF2OqChjRqRMBhfVAA0hrYU1ngxwCcdAcdlbfgs5L0=
-=P/pw
-----END PGP SIGNATURE-----
--- a/libssh-0.12.0.tar.xz.asc
+++ b/libssh-0.12.0.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmmK/lAACgkQA9XfjP3T
+6OegYQ/9HULQgb5EIr7CJhpbXvydj+jDkts43zea22ioz0sSs1jgzDUmVSXJck6g
+AeP3cD0Ij+31sbGh5wdb8n+4tycU/NDBIjjQLb+b8ZVmqEmNQQMcidE/jB3wMQXa
+gu8xHy801uDOSYtasIv4sbT0cgu0GwgGUOSTP4xaH2k4KOX9De+YO8mlSBybcgha
+YFEUqMf1u1pLVU0b5dV/PUcXv+DIhYCCem1rQWHE96zcQYSWaDCq6ZkcR8/tmUga
+rb8ugOd9jjmI/yNlyxCbX/r5IhpfwgipdUHBm0g4C4pJ3mnd9sD5lZRybk7QQrr8
+k8GP1jAuf80NHSDB09PwuYAGQFkYn4n3im9sGUU7Zps3bp3gQnksT3E6avJs/Ce0
+9jCFPzudEpKIgZIES621nZfjT1aheC4MxX8TEdU2GLK93enRrFCUpKf0bNicyOJO
+38ksc1EKNiGz7fUqIdiLqC7UWMWxH2oa65TLBwV0dHjJA053b7KrM0itp424myDN
+09jJ8SyKHKF/nfYec6xktlbZoEwHlpt0xhpo3VTEpPxTcBm3E6u+Hook12JA2PEJ
+OsrjKsM5LgUL6KR6wbTopaiYqdrQpupmPnL5zx8v613yHn1Od203E89El4yP5P3t
+G+d5MiOM9/Q5OyEDusn29NzuueiXZmivsQv7aT4rX8yPiGEgMIQ=
+=h584
+-----END PGP SIGNATURE-----
--- a/libssh.spec
+++ b/libssh.spec
@ -1,24 +1,18 @@
 Name:           libssh
-Version:        0.11.1
-Release:        5%{?dist}
+Version:        0.12.0
+Release:        2%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPL-2.1-or-later
 URL:            http://www.libssh.org

-Source0:        https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
-Source1:        https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
+Source0:        https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz
+Source1:        https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz.asc
 Source2:        https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
-# Don't use global openssl.cnf for PKCS#11 URI Tests
-# https://gitlab.com/libssh/libssh-mirror/-/commit/46d74176
-Patch1:         libssh-0.11.1-fix-provider-loading.patch
-# Fix possible buffer overrun in the SFTP server
-# https://gitlab.com/libssh/libssh-mirror/-/commit/ae8881df
-Patch2:         libssh-0.11.1-CVE-2025-5318.patch
-# libcrypto: Correctly detect failures of chacha initialization
-# https://gitlab.com/libssh/libssh-mirror/-/commit/bc4804aa
-Patch3:         libssh-0.11.1-CVE-2025-5987.patch
+
+# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/742
+Patch1:         Update-recently-added-logging-to-be-less-verbose.patch

 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@ -41,13 +35,17 @@ BuildRequires:  nmap-ncat
 BuildRequires:  pkcs11-provider
 BuildRequires:  p11-kit-devel
 BuildRequires:  p11-kit-server
+BuildRequires:  p11-kit-client
 BuildRequires:  opensc
 BuildRequires:  softhsm
 BuildRequires:  gnutls-utils
+BuildRequires:  libfido2-devel
+BuildRequires:  openssh-sk-dummy
+BuildRequires:  hostname

 Requires:       %{name}-config = %{version}-%{release}

-Recommends:     crypto-policies
+Requires:       crypto-policies

 %ifarch aarch64 ppc64 ppc64le s390x x86_64 riscv64
 Provides: libssh_threads.so.4()(64bit)
@ -92,6 +90,7 @@ The %{name}-config package provides the default configuration files for %{name}.
    -DGSSAPI_TESTING=ON \
    -DWITH_PKCS11_URI=ON \
    -DWITH_PKCS11_PROVIDER=ON \
+    -DWITH_FIDO2=ON \
    -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
    -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"

@ -147,16 +146,20 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config

 %changelog
-* Thu Dec 11 2025 Pavol Žáčik <pzacik@redhat.com> - 0.11.1-5
- Fix CVE-2025-5987
-  Resolves: RHEL-130040
+* Thu Feb 19 2026 Pavol Žáčik <pzacik@redhat.com> - 0.12.0-2
+- Fix the verbosity of some new logs added in 0.12.0
+  Resolves: RHEL-93748

-* Tue Sep 30 2025 Pavol Žáčik <pzacik@redhat.com> - 0.11.1-4
- Rebuild due to broken build auto-tagging
+* Tue Feb 10 2026 Pavol Žáčik <pzacik@redhat.com> - 0.12.0-1
+- Rebase to 0.12.0
+  Resolves: RHEL-133421, RHEL-70825, RHEL-130042
+- Add a Requires for crypto-policies instead of a Recommends
+  Resolves: RHEL-139045

 * Tue Sep 30 2025 Pavol Žáčik <pzacik@redhat.com> - 0.11.1-3
 - Fix CVE-2025-5318
-  Resolves: RHEL-111719
+  Resolves: RHEL-111721
+- Add BuildRequires for p11-kit-client

 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.11.1-2
 - Bump release for October 2024 mass rebuild:
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
+SHA512 (libssh-0.12.0.tar.xz) = dd28483f391e36c9da0f0b8c469bc9e19f75dc1016d04e35930b1a28e0711fa02a1eae9ddeb95b9e48cb1fd3f2bc456789457bc092cf53d00d55b20257f082a2