Re: libssh 0.10.6 and libssh 0.9.8 security releases

[Jakub Jelen <jjelen@xxxxxxxxxx>]

Thank you for the update of cygwin! Note, that the 0.10.6 had a
regression in IPv6 parsing as mentioned in the updated announcement on
the blog (but not yet mentioned here). So please, consider pulling
also the fix for following issue:

https://gitlab.com/libssh/libssh-mirror/-/issues/227

Jakub

On Mon, Dec 25, 2023 at 2:12 PM Carlo Bramini <carlo.bramix@xxxxxxxxx> wrote:
>
> Thank you very much!
> I updated my packages of libssh to version 0.10.6-1 for CYGWIN into my repo:
> https://github.com/carlo-bramini/packages-cygwin/tree/main/libssh
>
> Sincerely,
>
> Carlo Bramini.
>
> > Il 18/12/2023 21:54 CET Jakub Jelen <jjelen@xxxxxxxxxx> ha scritto:
> >
> >
> > The two new releases of libssh 0.9 and 0.10 address the following
> > security issues:
> >
> >  * CVE-2023-6004: Command Injection using malicious hostname in
> > expanded proxycommand. More details can be found in the advisory.
> >  * CVE-2023-48795: Avoid potential downgrade attacks by implementing
> > strict kex. More details can be found in the advisory.
> >  * CVE-2023-6918: Avoid potential use of weak keys in low memory
> > conditions by systematically checking return values of MD functions.
> > More details can be found in the advisory.
> >
> > In addition the 0.10 version contains several bugfixes and backports.
> > For full list, see the changelog below.
> >
> > If you are new to libssh you should read our tutorial how to get
> > started. Please join our mailing list or visit Matrix channel if you
> > have questions.
> >
> > You can read the full advisories, changelog and download updated
> > libssh on the following announcement post:
> >
> > https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
>