<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/libssh2, branch 2019.02-op-build</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2019-03-27T21:31:53+00:00</updated>
<entry>
<title>package/libssh2: security bump to latest git</title>
<updated>2019-03-27T21:31:53+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2019-03-20T21:18:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=b5735379c5713aa994e4bf4209692cb4e0f6e3c8'/>
<id>urn:sha1:b5735379c5713aa994e4bf4209692cb4e0f6e3c8</id>
<content type='text'>
Bump the version to latest git to fix the following security issues:

CVE-2019-3855
 Possible integer overflow in transport read allows out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3855.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch

CVE-2019-3856
 Possible integer overflow in keyboard interactive handling allows
 out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3856.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

CVE-2019-3857
 Possible integer overflow leading to zero-byte allocation and out-of-bounds
 write
 URL: https://www.libssh2.org/CVE-2019-3857.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

CVE-2019-3858
 Possible zero-byte allocation leading to an out-of-bounds read
 URL: https://www.libssh2.org/CVE-2019-3858.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch

CVE-2019-3859
 Out-of-bounds reads with specially crafted payloads due to unchecked use of
 `_libssh2_packet_require` and `_libssh2_packet_requirev`
 URL: https://www.libssh2.org/CVE-2019-3859.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

CVE-2019-3860
 Out-of-bounds reads with specially crafted SFTP packets
 URL: https://www.libssh2.org/CVE-2019-3860.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch

CVE-2019-3861
 Out-of-bounds reads with specially crafted SSH packets
 URL: https://www.libssh2.org/CVE-2019-3861.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch

CVE-2019-3862
 Out-of-bounds memory comparison
 URL: https://www.libssh2.org/CVE-2019-3862.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch

CVE-2019-3863
 Integer overflow in user authenicate keyboard interactive allows
 out-of-bounds writes
 URL: https://www.libssh2.org/CVE-2019-3863.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt

Drop 0003-openssl-fix-dereferencing-ambiguity-potentially-caus.patch as that
is now upstream.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
(cherry picked from commit f4f7dd9557cf139f6014ada77e947152d5a82fb3)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libssh2: fix static linking scenarios involving mbedtls</title>
<updated>2018-11-04T20:28:29+00:00</updated>
<author>
<name>Fabrice Fontaine</name>
<email>fontaine.fabrice@gmail.com</email>
</author>
<published>2018-11-04T12:52:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=8b575ffd1b9d0635be5de5a7848d354b53babb49'/>
<id>urn:sha1:8b575ffd1b9d0635be5de5a7848d354b53babb49</id>
<content type='text'>
curl can be statically linked with mbedtls, in this case build will fail
on:
kex.c:(.text+0x1be0): undefined reference to `mbedtls_mpi_read_binary'

This is due to the fact that CURL_LIBRARIES does not contain mbedtls
library:
CURL_LIBRARIES:INTERNAL=curl;cares;ssh2;ssh2;z;ssl;crypto;z;z;crypto;z;z;ssl;z;z;crypto;z

even if libcurl.pc is correct:
Libs.private: -lcares -lssh2 -L/home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lssh2 /home/fabrice/buildroot/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libmbedcrypto.a /home/fabrice/buildroot/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libmbedcrypto.a -L/home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -L/home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lz -lssl -lcrypto -lssl -lz -lz -lcrypto -lz -lz

This full library path is added by patch
0002-acinclude.m4-add-mbedtls-to-LIBS.patch on libssh2 so update it to
replace $LIBMBDEDCRYPTO by -lmbedcrypto

Signed-off-by: Fabrice Fontaine &lt;fontaine.fabrice@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>Revert "package/libssh2: fix static linking scenarios involving mbedtls"</title>
<updated>2018-11-04T20:28:26+00:00</updated>
<author>
<name>Fabrice Fontaine</name>
<email>fontaine.fabrice@gmail.com</email>
</author>
<published>2018-11-04T12:52:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=ac21b43f328f49837e64203dd0c6cd8fb1b0ed76'/>
<id>urn:sha1:ac21b43f328f49837e64203dd0c6cd8fb1b0ed76</id>
<content type='text'>
This reverts commit 48218732a3a7b983825ff3a8cf0767f847ac8d04 because
LTLIBMBEDCRYPTO will return "-lmbedcrypto
-R/accts/mlweber1/scripts/instance-3/output/host/i586-buildroot-linux-musl/sysroot/usr/lib"

On some compilers, -R option won't be recognized and this will prevent
the detection of libz:

configure:17809: /accts/mlweber1/scripts/instance-3/output/host/bin/i586-linux-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -Os   -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/accts/mlweber1/scripts/instance-3/output/host/i586-buildroot-linux-musl/sysroot/usr/include  conftest.c /accts/mlweber1/scripts/instance-3/output/host/i586-buildroot-linux-musl/sysroot/usr/lib/libz.so -Wl,-rpath -Wl,/accts/mlweber1/scripts/instance-3/output/host/i586-buildroot-linux-musl/sysroot/usr/lib  -L/accts/mlweber1/scripts/instance-3/output/host/i586-buildroot-linux-musl/sysroot/usr/lib -lmbedcrypto -R/accts/mlweber1/scripts/instance-3/output/host/i586-buildroot-linux-musl/sysroot/usr/lib &gt;&amp;5
i586-linux-gcc.br_real: error: unrecognized command line option '-R'; did you mean '-R'?

Fixes:
 - http://autobuild.buildroot.org/results/68623f22b49473177c889fe7b12625d779cbd1ed

Signed-off-by: Fabrice Fontaine &lt;fontaine.fabrice@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>package/libssh2: fix static linking scenarios involving mbedtls</title>
<updated>2018-11-03T21:16:36+00:00</updated>
<author>
<name>Fabrice Fontaine</name>
<email>fontaine.fabrice@gmail.com</email>
</author>
<published>2018-11-03T15:28:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=48218732a3a7b983825ff3a8cf0767f847ac8d04'/>
<id>urn:sha1:48218732a3a7b983825ff3a8cf0767f847ac8d04</id>
<content type='text'>
curl can be statically linked with mbedtls, in this case build will
fail on:
kex.c:(.text+0x1be0): undefined reference to `mbedtls_mpi_read_binary'

This is due to the fact that CURL_LIBRARIES does not contain mbedtls
library:
CURL_LIBRARIES:INTERNAL=curl;cares;ssh2;ssh2;z;ssl;crypto;z;z;crypto;z;z;ssl;z;z;crypto;z

even if libcurl.pc is correct:
Libs.private: -lcares -lssh2 -L/home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lssh2 /home/fabrice/buildroot/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libmbedcrypto.a /home/fabrice/buildroot/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libmbedcrypto.a -L/home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -L/home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lz -lssl -lcrypto -lssl -lz -lz -lcrypto -lz -lz

This full library path is added by patch
0002-acinclude.m4-add-mbedtls-to-LIBS.patch on libssh2 so update it to
replace $LIBMBDEDCRYPTO by $LTLIBMBEDCRYPTO as suggested by Thomas
during review of https://patchwork.ozlabs.org/patch/989339

Fixes:
 - http://autobuild.buildroot.org/results/dc7810d5d5c62658837cdd2faae6fe3390f968a2

Signed-off-by: Fabrice Fontaine &lt;fontaine.fabrice@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>package: clean up remaining references to $(HOST_DIR)/usr</title>
<updated>2018-09-25T20:22:24+00:00</updated>
<author>
<name>Ferdinand van Aartsen</name>
<email>ferdinand@ombud.nl</email>
</author>
<published>2018-09-23T22:04:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=af0cd44a15e18aa4280cbbb5000c448987d3c98f'/>
<id>urn:sha1:af0cd44a15e18aa4280cbbb5000c448987d3c98f</id>
<content type='text'>
Signed-off-by: Ferdinand van Aartsen &lt;ferdinand@ombud.nl&gt;
Reviewed-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>libssh2: fix build failure due to pointer dereferencing ambiguity</title>
<updated>2018-09-16T14:11:21+00:00</updated>
<author>
<name>Giulio Benetti</name>
<email>giulio.benetti@micronovasrl.com</email>
</author>
<published>2018-09-13T08:08:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=4a7da55eb3d5236e3559f5492fa2c03bfb95084f'/>
<id>urn:sha1:4a7da55eb3d5236e3559f5492fa2c03bfb95084f</id>
<content type='text'>
When dereferencing from *aes_ctr_cipher, being a pointer itself,
ambiguity can occur with compiler and build can fail reporting:
openssl.c:574:20: error: ‘*aes_ctr_cipher’ is a pointer; did you mean to use ‘-&gt;’?
     *aes_ctr_cipher-&gt;nid = type;

Add a patch to sorround every *aes_ctr_cipher-&gt; occurence with
paranthesis like this (*aes_ctr_cipher)-&gt;

Fixes:
http://autobuild.buildroot.net/results/97c/97c43dd2122f55f3166683aa1b29ce1ca54bcb9c/
http://autobuild.buildroot.net/results/4b7/4b728d275f1399e3cb72d40482076ee54b35852a/

Signed-off-by: Giulio Benetti &lt;giulio.benetti@micronovasrl.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>package/libssh2: bump version</title>
<updated>2018-09-12T08:30:18+00:00</updated>
<author>
<name>Bernd Kuhls</name>
<email>bernd.kuhls@t-online.de</email>
</author>
<published>2018-09-11T20:56:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=9c31063b0fe4e73ade03d0d02d8d90cffc1bc191'/>
<id>urn:sha1:9c31063b0fe4e73ade03d0d02d8d90cffc1bc191</id>
<content type='text'>
Added license hash.

This bump includes "ECDSA key types are now explicit"
https://github.com/libssh2/libssh2/commit/62b825c8afb9e5efb6ea9c05b40b309590249fb6

which is needed by vlc since
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=afee1e72a8e08866bbe35d1a57e859cac81052b4

Fixes
http://autobuild.buildroot.net/results/579/579e2418e59680ad4bf3dc85f2918457b6221bfa/
http://autobuild.buildroot.net/results/c73/c7348c442d3f585ace0bc62860f802dc08150776/
http://autobuild.buildroot.net/results/731/73187b883d7fe14b08a4903b326706c9d1f8b519/
http://autobuild.buildroot.net/results/f6d/f6d4fca6063c81a8e240fed4db89269e455f057e/
http://autobuild.buildroot.net/results/371/371f4f017f4a5af0ac6d6a8b1b8276858ad47f75/
http://autobuild.buildroot.net/results/d6a/d6a3b43211eb740bdebbb339668b854d26e878b7/
http://autobuild.buildroot.net/results/a05/a0576aeeb57a49958e5229d9ec08f2bd792d48b6/
http://autobuild.buildroot.net/results/57a/57a9ae2f157183a86fbf1b2cc5cbb38e948690ce/

Signed-off-by: Bernd Kuhls &lt;bernd.kuhls@t-online.de&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>libssh2: fix pkg-config info for mbedtls backend</title>
<updated>2018-03-24T20:39:49+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2018-03-20T18:46:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=ebbf8746243ee4fa6b51a5a6afa8b14459b4178f'/>
<id>urn:sha1:ebbf8746243ee4fa6b51a5a6afa8b14459b4178f</id>
<content type='text'>
The libssh2.pc file did not contain the needed info for static link with
libssh2. Add a patch fixing that.

Fixes (qemu):
http://autobuild.buildroot.net/results/634/6346b25be2844f9ef722e52040ac1b43d9c38899/

Cc: Matt Weber &lt;matthew.weber@rockwellcollins.com&gt;
Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libssh2: add host variant</title>
<updated>2018-02-05T13:57:47+00:00</updated>
<author>
<name>Eric Le Bihan</name>
<email>eric.le.bihan.dev@free.fr</email>
</author>
<published>2018-02-04T18:07:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=93a911fd5b14536e5c32298f0aa264c285015bcd'/>
<id>urn:sha1:93a911fd5b14536e5c32298f0aa264c285015bcd</id>
<content type='text'>
Allow build of host variant of libssh2, which depends on host-openssl.

Signed-off-by: Eric Le Bihan &lt;eric.le.bihan.dev@free.fr&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libssh2: revert to previous crypto defaults</title>
<updated>2017-11-06T17:43:54+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-11-05T21:34:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=d9a521f00886e4c9082bd998f267b4bafcfe2b17'/>
<id>urn:sha1:d9a521f00886e4c9082bd998f267b4bafcfe2b17</id>
<content type='text'>
The recent crypto handling change (commit 04a1031d3: package/libssh2: Add
selectable crypto libraries) had the unfortunate side effect that it no
longer automatically selects the most suitable crypto backend (E.G.  one
where the dependency is already enabled), so all users not wanting to use
the mbedtls backend need to explicitly configure this.

Fix this by inverting the logic so the crypto backend sub options use
'depends on' their dependencies instead of 'select', so only the available
backends are displayed.

Like before, default to openssl if no crypto backend dependencies are
currently enabled.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
</feed>
