pkgsrc-Bugs archive
pkg/47518: security/libssh MUST be replaced by the real wip/libssh
>Number: 47518
>Category: pkg
>Synopsis: security/libssh MUST be replaced by the real wip/libssh
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Jan 31 15:20:00 +0000 2013
>Originator: Noud de Brouwer
>Release: does imply all releases that can build security/libssh
>Organization:
-none-
>Environment:
NetBSD 10.0.2.17 6.99.16 NetBSD 6.99.16 (MONOLITHIC.UGEN) #7: Wed Jan 16
02:06:10 UTC 2013
mickey55@10.0.2.17:/obj-src/sys/arch/i386/compile/MONOLITHIC.UGEN i386
>Description:
security/libssh is an imposter and wip/libssh is the real thing.
security/libssh/Makefile:
DISTNAME= libssh-0.11
PKGREVISION= 3
CATEGORIES= security
MASTER_SITES= http://www.0xbadc0de.be/libssh/
wip/libssh/Makefile:
DISTNAME= libssh-0.5.3
CATEGORIES= security
MASTER_SITES= http://www.libssh.org/files/0.5/
now what are the implications!!, we do _not_ know in the current situation if
we are exploitable through:
CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.
furthermore: this _totally_ unknown security/libssh is used in
wip/gtk-grdc that can be removed given we now have net/remmina.
furthermore: we now have security/hydra,
if we want to keep this it should be in malware/hydra.
i highly advise to retrieve ASau his account, even want his
sponsor to be monitored now (given i do not constantly want to
check for booby-traps, backdoors and the like given time.)
>How-To-Repeat:
yeah (use your eyes and knowledge).
>Fix:
remove existing security/libssh and pull-up wip/libssh,
preferably immediately.