From 8fa312f7b7c04b49b8433ab8e7a068ea69c8e324 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 19 May 2026 18:34:20 -0400
Subject: [PATCH] import UBI libssh-0.12.0-2.el10

---
.gitignore | 2 +-
...tly-added-logging-to-be-less-verbose.patch | 137 ++++++++++++++++++
libssh-0.11.1-CVE-2025-5318.patch | 27 ----
libssh-0.11.1-CVE-2025-5987.patch | 31 ----
libssh-0.11.1-fix-provider-loading.patch | 54 -------
libssh-0.11.1.tar.xz.asc | 16 --
libssh-0.12.0.tar.xz.asc | 16 ++
libssh.spec | 43 +++---
sources | 2 +-
9 files changed, 178 insertions(+), 150 deletions(-)
create mode 100644 Update-recently-added-logging-to-be-less-verbose.patch
delete mode 100644 libssh-0.11.1-CVE-2025-5318.patch
delete mode 100644 libssh-0.11.1-CVE-2025-5987.patch
delete mode 100644 libssh-0.11.1-fix-provider-loading.patch
delete mode 100644 libssh-0.11.1.tar.xz.asc
create mode 100644 libssh-0.12.0.tar.xz.asc

diff --git a/.gitignore b/.gitignore
index fcef151..886d9d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-libssh-0.11.1.tar.xz
+libssh-0.12.0.tar.xz
diff --git a/Update-recently-added-logging-to-be-less-verbose.patch b/Update-recently-added-logging-to-be-less-verbose.patch
new file mode 100644
index 0000000..af43d3b
--- /dev/null
+++ b/Update-recently-added-logging-to-be-less-verbose.patch
@@ -0,0 +1,137 @@
+From 3f99712641a584c5390e0d5f67ab23ff2451f778 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
+Date: Thu, 19 Feb 2026 10:03:28 +0100
+Subject: [PATCH] Update recently added logging to be less verbose
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In 20d9642c and parent commits, log levels were
+recategorized to be less verbose when using the
+level INFO and lower. These levels should not
+print any information redundant to the end user.
+
+This commit fixes recently added uses of logging
+that are not consistent with the abovementioned
+categorization, in particular:
+
+- logs in ssh_strict_fopen should not have
+ the RARE/WARNING level since failing to open
+ a file may not be an issue at all (e.g., when
+ trying to open the knownhosts file).
+
+- logging the username used in authentication
+ or proxyjump-related information should be done
+ at the DEBUG level, otherwise it could pollute
+ the output of, e.g., curl.
+
+Signed-off-by: Pavol Žáčik
+---
+ src/auth.c | 2 +-
+ src/config.c | 4 +++-
+ src/misc.c | 10 +++++-----
+ src/socket.c | 4 ++--
+ 4 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8dae696d..1f8a08b4 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -1397,7 +1397,7 @@ int ssh_userauth_publickey_auto(ssh_session session,
+ return SSH_AUTH_ERROR;
+ }
+
+- SSH_LOG(SSH_LOG_INFO,
++ SSH_LOG(SSH_LOG_DEBUG,
+ "Starting authentication as a user %s",
+ username ?
username : session->opts.username);
+
+diff --git a/src/config.c b/src/config.c
+index eceaba61..12eb3a71 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -258,7 +258,9 @@ local_parse_file(ssh_session session,
+
+ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE);
+ if (f == NULL) {
+- /* The underlying function logs the reasons */
++ SSH_LOG(SSH_LOG_RARE,
++ "Failed to open included configuration file %s",
++ filename);
+ return;
+ }
+
+diff --git a/src/misc.c b/src/misc.c
+index 0d702f7b..4b8d3616 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -2454,7 +2454,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+ /* open first to avoid TOCTOU */
+ fd = open(filename, O_RDONLY);
+ if (fd == -1) {
+- SSH_LOG(SSH_LOG_RARE,
++ SSH_LOG(SSH_LOG_TRACE,
+ "Failed to open a file %s for reading: %s",
+ filename,
+ ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
+@@ -2464,7 +2464,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+ /* Check the file is sensible for a configuration file */
+ r = fstat(fd, &sb);
+ if (r != 0) {
+- SSH_LOG(SSH_LOG_RARE,
++ SSH_LOG(SSH_LOG_TRACE,
+ "Failed to stat %s: %s",
+ filename,
+ ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
+@@ -2472,7 +2472,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+ return NULL;
+ }
+ if ((sb.st_mode & S_IFMT) != S_IFREG) {
+- SSH_LOG(SSH_LOG_RARE,
++ SSH_LOG(SSH_LOG_TRACE,
+ "The file %s is not a regular file: skipping",
+ filename);
+ close(fd);
+@@ -2480,7 +2480,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+ }
+
+ if ((size_t)sb.st_size > max_file_size) {
+- SSH_LOG(SSH_LOG_RARE,
++ SSH_LOG(SSH_LOG_TRACE,
+ "The file %s is too large (%jd MB > %zu MB): skipping",
+ filename,
+ (intmax_t)sb.st_size / 1024 / 1024,
+@@ -2491,7 +2491,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
+
+ f = fdopen(fd, "r");
+ if (f == NULL) {
+- SSH_LOG(SSH_LOG_RARE,
++ SSH_LOG(SSH_LOG_TRACE,
+ "Failed to
open a file %s for reading: %s",
+ filename,
+ ssh_strerror(r, err_msg, SSH_ERRNO_MSG_MAX));
+diff --git a/src/socket.c b/src/socket.c
+index 09bc71ef..7a8bf168 100644
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -1435,7 +1435,7 @@ ssh_socket_connect_proxyjump(ssh_socket s)
+
+ session = s->session;
+
+- SSH_LOG(SSH_LOG_INFO,
++ SSH_LOG(SSH_LOG_DEBUG,
+ "Connecting to host %s port %d user %s through ProxyJump",
+ session->opts.host,
+ session->opts.port,
+@@ -1515,7 +1515,7 @@ ssh_socket_connect_proxyjump(ssh_socket s)
+ /* transferred to the jump_thread_data */
+ jump_session = NULL;
+
+- SSH_LOG(SSH_LOG_INFO,
++ SSH_LOG(SSH_LOG_DEBUG,
+ "Starting proxy thread to host %s port %d user %s, callbacks=%p",
+ jump_thread_data->next_jump->hostname,
+ jump_thread_data->next_jump->port,
+--
+2.53.0
+
diff --git a/libssh-0.11.1-CVE-2025-5318.patch b/libssh-0.11.1-CVE-2025-5318.patch
deleted file mode 100644
index 59e2525..0000000
--- a/libssh-0.11.1-CVE-2025-5318.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b47ccd17559f79bfb2d6b94d2bf84856cf06259e Mon Sep 17 00:00:00 2001
-From: Jakub Jelen
-Date: Tue, 22 Apr 2025 21:18:44 +0200
-Subject: [PATCH] CVE-2025-5318: sftpserver: Fix possible buffer overrun
-
-Signed-off-by: Jakub Jelen
-Reviewed-by: Andreas Schneider
----
- src/sftpserver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index 1afd8b2f..2aa28baa 100644
---- a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -704,7 +704,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle)
-
- memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
-
-- if (val > SFTP_HANDLES) {
-+ if (val >= SFTP_HANDLES) {
- return NULL;
- }
-
---
-2.50.1
-
diff --git a/libssh-0.11.1-CVE-2025-5987.patch b/libssh-0.11.1-CVE-2025-5987.patch
deleted file mode 100644
index eb52361..0000000
--- a/libssh-0.11.1-CVE-2025-5987.patch
+++ /dev/null
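Review bot: The misc.c hunk moves the two deliberate policy skips in ssh_strict_fopen — `"The file %s is not a regular file: skipping"` and `"The file %s is too large (%jd MB > %zu MB): skipping"` — from SSH_LOG_RARE down to SSH_LOG_TRACE, so a file that the library refuses for safety reasons (symlink to a device, oversized) is now invisible at any verbosity an operator normally runs with. The config.c hunk compensates for included config files by logging at RARE in local_parse_file, but the commit message says the same helper also guards the known_hosts file and that caller is not part of this patch; if it does not log on a NULL return the way local_parse_file now does, a silently skipped known_hosts file weakens host-key verification with no user-visible hint. I would keep those two "skipping" messages at SSH_LOG_RARE and lower only the plain open/fstat/fdopen errno messages, or else confirm that every ssh_strict_fopen caller reports the NULL at RARE. Separately, the socket.c message `"Starting proxy thread to host %s port %d user %s, callbacks=%p"` still prints a heap address at DEBUG; if it is purely diagnostic, dropping the `callbacks=%p` part keeps addresses out of logs. All enclosing functions begin and end outside these hunks.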
@@ -1,31 +0,0 @@
-From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen
-Date: Tue, 6 May 2025 22:51:41 +0200
-Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha
- initialization
-
-Signed-off-by: Jakub Jelen
-Reviewed-by: Andreas Schneider
----
- src/libcrypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcrypto.c b/src/libcrypto.c
-index b2e95cfe..1d583bc5 100644
---- a/src/libcrypto.c
-+++ b/src/libcrypto.c
-@@ -794,9 +794,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
- SSH_LOG(SSH_LOG_TRACE, "EVP_CIPHER_CTX_new failed");
- goto out;
- }
-- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
-+ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
- u8key + CHACHA20_KEYLEN, NULL);
-- if (ret != 1) {
-+ if (rv != 1) {
- SSH_LOG(SSH_LOG_TRACE, "EVP_CipherInit failed");
- goto out;
- }
---
-2.51.0
-
diff --git a/libssh-0.11.1-fix-provider-loading.patch b/libssh-0.11.1-fix-provider-loading.patch
deleted file mode 100644
index 53170b7..0000000
--- a/libssh-0.11.1-fix-provider-loading.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
---- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp 2024-10-25 11:58:50.341126170 +0200
-+++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c 2024-10-25 12:11:01.766453259 +0200
-@@ -240,6 +240,14 @@ int torture_run_tests(void) {
- session_teardown),
- };
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
- ssh_init();
- torture_filter_tests(tests);
- rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
-diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
---- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp 2024-10-25 11:59:22.964367137 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c 2024-10-25 12:12:51.473625481 +0200
-@@ -563,6 +563,14 @@ int torture_run_tests(void) {
- ssh_session session = ssh_new();
- int verbosity = SSH_LOG_FUNCTIONS;
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
- ssh_init();
- ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-
-diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
---- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp 2024-10-25 11:59:49.241336178 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c 2024-10-25 12:12:10.985614709 +0200
-@@ -285,6 +285,14 @@ torture_run_tests(void)
- ssh_session session = ssh_new();
- int verbosity = SSH_LOG_FUNCTIONS;
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
- ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
- ssh_init();
-
diff --git a/libssh-0.11.1.tar.xz.asc b/libssh-0.11.1.tar.xz.asc
deleted file mode 100644
index 3969e70..0000000
--- a/libssh-0.11.1.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmbRl74ACgkQA9XfjP3T -6OdnSw/+IrXAbSSpjVNG5Wjz3WQjqXkWInCT+qNhcS5w+qasGW5i6mktoNJkg2Fd -P4iRCeJEuZbOHZLWXdUaDKjmlOUIda2xA8U01uw2VrleEu05JV/s5tS1MpVOPfDi -8+CTxPesFQ9uX9q+OojTr4QXqBDqv15sldwRVTKegNpLkk3xHUUaMjwikWKKxXG+ -ypD4UCJWKVVhen9HPRSUOtruliZFPxQSLYvj4XKJxpr/QVaORS0EsTpdYP0h1+18 -6epynp4e1/9GRTmrKa8/JcCd/4c2UnHBFpw0DU1YirLK+54/qD76o63MTbo7mKru -cgfypfA/sdeklGTZYLrCyizcrSc2poaTznczUZC6gi3FxivLoldFyDgXeSQWEieB -QTGgnaLkB2Y2XuBl9F9MatqFC35TBuUUwHBoEa31acQhmotui5tF4oq/JxRtZi8v -OyrTYc/xfmDh4SbWuEVqr6B2SZjhxrIvEGEe4adJQ/tVN2wweoNgTHt8XjBb1amB -M9RPeXG5Uon+gIXDVzjgx+DZ85FweCEngv+OdjHPIBWsJUEc722L/gypIFnBfaPV -JgM84wxQz2J8xyk2zEANog9M8ae5jG9TVJORO8to+gbRlKB2ZRDdDne0cgRUSWaj -0IKsnehsxjF2OqChjRqRMBhfVAA0hrYU1ngxwCcdAcdlbfgs5L0= -=P/pw ------END PGP SIGNATURE----- diff --git a/libssh-0.12.0.tar.xz.asc b/libssh-0.12.0.tar.xz.asc new file mode 100644 index 0000000..8b2466c --- /dev/null +++ b/libssh-0.12.0.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmmK/lAACgkQA9XfjP3T +6OegYQ/9HULQgb5EIr7CJhpbXvydj+jDkts43zea22ioz0sSs1jgzDUmVSXJck6g +AeP3cD0Ij+31sbGh5wdb8n+4tycU/NDBIjjQLb+b8ZVmqEmNQQMcidE/jB3wMQXa +gu8xHy801uDOSYtasIv4sbT0cgu0GwgGUOSTP4xaH2k4KOX9De+YO8mlSBybcgha +YFEUqMf1u1pLVU0b5dV/PUcXv+DIhYCCem1rQWHE96zcQYSWaDCq6ZkcR8/tmUga +rb8ugOd9jjmI/yNlyxCbX/r5IhpfwgipdUHBm0g4C4pJ3mnd9sD5lZRybk7QQrr8 +k8GP1jAuf80NHSDB09PwuYAGQFkYn4n3im9sGUU7Zps3bp3gQnksT3E6avJs/Ce0 +9jCFPzudEpKIgZIES621nZfjT1aheC4MxX8TEdU2GLK93enRrFCUpKf0bNicyOJO +38ksc1EKNiGz7fUqIdiLqC7UWMWxH2oa65TLBwV0dHjJA053b7KrM0itp424myDN +09jJ8SyKHKF/nfYec6xktlbZoEwHlpt0xhpo3VTEpPxTcBm3E6u+Hook12JA2PEJ +OsrjKsM5LgUL6KR6wbTopaiYqdrQpupmPnL5zx8v613yHn1Od203E89El4yP5P3t +G+d5MiOM9/Q5OyEDusn29NzuueiXZmivsQv7aT4rX8yPiGEgMIQ= +=h584 +-----END PGP SIGNATURE----- diff --git a/libssh.spec b/libssh.spec index bab066b..cfbb16c 100644 --- a/libssh.spec +++ b/libssh.spec 
@@ -1,24 +1,18 @@
 Name: libssh
-Version: 0.11.1
-Release: 5%{?dist}
+Version: 0.12.0
+Release: 2%{?dist}
 Summary: A library implementing the SSH protocol
 License: LGPL-2.1-or-later
 URL: http://www.libssh.org
-Source0: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
-Source1: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
+Source0: https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz
+Source1: https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz.asc
 Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
 Source3: libssh_client.config
 Source4: libssh_server.config
-# Don't use global openssl.cnf for PKCS#11 URI Tests
-# https://gitlab.com/libssh/libssh-mirror/-/commit/46d74176
-Patch1: libssh-0.11.1-fix-provider-loading.patch
-# Fix possible buffer overrun in the SFTP server
-# https://gitlab.com/libssh/libssh-mirror/-/commit/ae8881df
-Patch2: libssh-0.11.1-CVE-2025-5318.patch
-# libcrypto: Correctly detect failures of chacha initialization
-# https://gitlab.com/libssh/libssh-mirror/-/commit/bc4804aa
-Patch3: libssh-0.11.1-CVE-2025-5987.patch
+
+# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/742
+Patch1: Update-recently-added-logging-to-be-less-verbose.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
@@ -41,13 +35,17 @@ BuildRequires: nmap-ncat
 BuildRequires: pkcs11-provider
 BuildRequires: p11-kit-devel
 BuildRequires: p11-kit-server
+BuildRequires: p11-kit-client
 BuildRequires: opensc
 BuildRequires: softhsm
 BuildRequires: gnutls-utils
+BuildRequires: libfido2-devel
+BuildRequires: openssh-sk-dummy
+BuildRequires: hostname
 Requires: %{name}-config = %{version}-%{release}
-Recommends: crypto-policies
+Requires: crypto-policies
 %ifarch aarch64 ppc64 ppc64le s390x x86_64 riscv64
 Provides: libssh_threads.so.4()(64bit)
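Review bot: Patch2 and Patch3 (the CVE-2025-5318 and CVE-2025-5987 backports) are removed together with the comments that explained them, but nothing left in the spec records that 0.12.0 carries those fixes upstream, so a later reader cannot tell from the spec alone whether the rebase regressed either CVE. I would keep a one-line note beside the new Patch1 comment, e.g. `# CVE-2025-5318 and CVE-2025-5987 are fixed upstream in 0.12.0 (formerly Patch2/Patch3)`, and say the same in the 0.12.0-1 changelog entry. The new Patch1 comment gives only an MR URL, whereas the entries it replaces paired a one-line description with the reference; keeping that `# <what>` / `# <url>` shape makes the patch list auditable without network access. Source2 (the keyring) is unchanged and both .asc blobs appear to carry the same issuer-fingerprint bytes, so the signature check should still bind the new tarball to the same key, but the %prep gpgverify line that performs it is outside this hunk and worth confirming.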
@@ -92,6 +90,7 @@ The %{name}-config package provides the default configuration files for %{name}.
 -DGSSAPI_TESTING=ON \
 -DWITH_PKCS11_URI=ON \
 -DWITH_PKCS11_PROVIDER=ON \
+ -DWITH_FIDO2=ON \
 -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
 -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
@@ -147,16 +146,20 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 %changelog
-* Thu Dec 11 2025 Pavol Žáčik - 0.11.1-5
-- Fix CVE-2025-5987
- Resolves: RHEL-130040
+* Thu Feb 19 2026 Pavol Žáčik - 0.12.0-2
+- Fix the verbosity of some new logs added in 0.12.0
+ Resolves: RHEL-93748
-* Tue Sep 30 2025 Pavol Žáčik - 0.11.1-4
-- Rebuild due to broken build auto-tagging
+* Tue Feb 10 2026 Pavol Žáčik - 0.12.0-1
+- Rebase to 0.12.0
+ Resolves: RHEL-133421, RHEL-70825, RHEL-130042
+- Add a Requires for crypto-policies instead of a Recommends
+ Resolves: RHEL-139045
 * Tue Sep 30 2025 Pavol Žáčik - 0.11.1-3
 - Fix CVE-2025-5318
- Resolves: RHEL-111719
+ Resolves: RHEL-111721
+- Add BuildRequires for p11-kit-client
 * Tue Oct 29 2024 Troy Dawson - 0.11.1-2
 - Bump release for October 2024 mass rebuild:
diff --git a/sources b/sources
index c68554e..262e67e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
+SHA512 (libssh-0.12.0.tar.xz) = dd28483f391e36c9da0f0b8c469bc9e19f75dc1016d04e35930b1a28e0711fa02a1eae9ddeb95b9e48cb1fd3f2bc456789457bc092cf53d00d55b20257f082a2
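Review bot: The historical 0.11.1-3 changelog entry is rewritten in this hunk — its ticket changes from RHEL-111719 to RHEL-111721 and it gains `- Add BuildRequires for p11-kit-client` — yet `BuildRequires: p11-kit-client` is introduced by this very commit in the BuildRequires hunk above, not in 0.11.1-3. Editing a past entry breaks the audit trail of what each NVR actually shipped; the p11-kit-client bullet belongs under the 0.12.0-1 entry, and if the old ticket number was genuinely wrong that correction deserves its own dated bullet rather than a silent edit. The new `-DWITH_FIDO2=ON` build option (with the libfido2-devel and openssh-sk-dummy BuildRequires) enables a new authentication-hardware code path in a security library but is not mentioned anywhere in %changelog; a bullet such as `- Enable FIDO2 security-key support (-DWITH_FIDO2=ON)` under 0.12.0-1 would make the rebase's scope reviewable. Whether the resulting library gains an automatic runtime dependency on libfido2 is not visible here and is worth checking in the built package.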