
CVS commit: pkgsrc/security/libssh



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Tue Mar 17 19:33:34 UTC 2026

Modified Files:
        pkgsrc/security/libssh: Makefile PLIST distinfo
        pkgsrc/security/libssh/patches: patch-tests_CMakeLists.txt
Removed Files:
        pkgsrc/security/libssh/patches: patch-src_misc.c
            patch-tests_client_torture__session.c
            patch-tests_unittests_torture__misc.c

Log Message:
libssh: update to 0.11.4

This is a stable release in the 0.11 series. There is also 0.12.0
available, but 0.11.4 has less potential for breakage, I assume.

version 0.11.4 (released 2026-02-10)
 * Security:
   * CVE-2025-14821: libssh loads configuration files from the C:\etc directory
     on Windows
   * CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
   * CVE-2026-0965: Possible Denial of Service when parsing unexpected
     configuration files
   * CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
   * CVE-2026-0967: Specially crafted patterns could cause DoS
   * CVE-2026-0968: OOB Read in sftp_parse_longname()
   * libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP
     extensions
 * Stability and compatibility improvements of ProxyJump

version 0.11.3 (released 2025-09-09)
 * Security:
   * CVE-2025-8114: Fix NULL pointer dereference after allocation failure
   * CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX
   * Potential UAF when send() fails during key exchange
 * Fix possible timeout during KEX if client sends authentication too early (#311)
 * Cleanup OpenSSL PKCS#11 provider when loaded
 * Zeroize buffers containing private key blobs during export

version 0.11.2 (released 2025-06-24)
 * Security:
   * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion
   * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file()
   * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management
   * CVE-2025-5351 - Double free in functions exporting keys
   * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures
   * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding
   * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL
 * Compatibility
   * Fixed compatibility with CPM.cmake
   * Compatibility with OpenSSH 10.0
   * Tests compatibility with new Dropbear releases
   * Removed p11-kit remoting from the pkcs11 testsuite
 * Bugfixes
   * Implement missing packet filter for DH GEX
   * Properly process the SSH2_MSG_DEBUG message
   * Allow escaping quotes in quoted arguments to ssh configuration
   * Do not fail with unknown match keywords in ssh configuration
   * Process packets before selecting signature algorithm during authentication
   * Do not fail hard when the SFTP status message is not sent by noncompliant
     servers


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.56 pkgsrc/security/libssh/Makefile
cvs rdiff -u -r1.22 -r1.23 pkgsrc/security/libssh/PLIST
cvs rdiff -u -r1.34 -r1.35 pkgsrc/security/libssh/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/security/libssh/patches/patch-src_misc.c \
    pkgsrc/security/libssh/patches/patch-tests_client_torture__session.c \
    pkgsrc/security/libssh/patches/patch-tests_unittests_torture__misc.c
cvs rdiff -u -r1.2 -r1.3 \
    pkgsrc/security/libssh/patches/patch-tests_CMakeLists.txt

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/libssh/Makefile
diff -u pkgsrc/security/libssh/Makefile:1.55 pkgsrc/security/libssh/Makefile:1.56
--- pkgsrc/security/libssh/Makefile:1.55        Mon Sep 29 21:24:22 2025
+++ pkgsrc/security/libssh/Makefile     Tue Mar 17 19:33:33 2026
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.55 2025/09/29 21:24:22 nia Exp $
+# $NetBSD: Makefile,v 1.56 2026/03/17 19:33:33 bsiegert Exp $
 #
 # history: upstream renamed 0.11 to 0.1.1;
 # we have to use the old-style convention so that version compares work.
 
-VER=           0.11.1
+VER=           0.11.4
 DISTNAME=      libssh-${VER}
-PKGNAME=       libssh-0.111
-PKGREVISION=   2
+PKGNAME=       libssh-0.114
 CATEGORIES=    security
 MASTER_SITES=  https://www.libssh.org/files/${VER:R}/
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/security/libssh/PLIST
diff -u pkgsrc/security/libssh/PLIST:1.22 pkgsrc/security/libssh/PLIST:1.23
--- pkgsrc/security/libssh/PLIST:1.22   Fri Dec 27 11:15:39 2024
+++ pkgsrc/security/libssh/PLIST        Tue Mar 17 19:33:33 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.22 2024/12/27 11:15:39 adam Exp $
+@comment $NetBSD: PLIST,v 1.23 2026/03/17 19:33:33 bsiegert Exp $
 include/libssh/callbacks.h
 include/libssh/legacy.h
 include/libssh/libssh.h
@@ -13,5 +13,5 @@ lib/cmake/libssh/libssh-config-version.c
 lib/cmake/libssh/libssh-config.cmake
 lib/libssh.so
 lib/libssh.so.4
-lib/libssh.so.4.10.1
+lib/libssh.so.4.10.4
 lib/pkgconfig/libssh.pc

Index: pkgsrc/security/libssh/distinfo
diff -u pkgsrc/security/libssh/distinfo:1.34 pkgsrc/security/libssh/distinfo:1.35
--- pkgsrc/security/libssh/distinfo:1.34        Thu May  1 18:19:22 2025
+++ pkgsrc/security/libssh/distinfo     Tue Mar 17 19:33:33 2026
@@ -1,12 +1,9 @@
-$NetBSD: distinfo,v 1.34 2025/05/01 18:19:22 tnn Exp $
+$NetBSD: distinfo,v 1.35 2026/03/17 19:33:33 bsiegert Exp $
 
-BLAKE2s (libssh-0.11.1.tar.xz) = 097094811bc8708196c48f9b237d2da6ebd5d3b48cf19d0d6f69e8cec83a5cd9
-SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
-Size (libssh-0.11.1.tar.xz) = 621108 bytes
+BLAKE2s (libssh-0.11.4.tar.xz) = d25e69defcccff547fac66700f8fd30d1af90c2a65a4be19d2be4ffad3ddba56
+SHA512 (libssh-0.11.4.tar.xz) = 00c7e1317dcca8feab07eb3d6feb7bbc74c563149173d439d618f431386c4ca1d6f258567ef0599f08275a3a165c04105568f55e6ed7f0fe1a88382e2ebdc850
+Size (libssh-0.11.4.tar.xz) = 626652 bytes
 SHA1 (patch-CompilerChecks.cmake) = 8a650be5b69e956a0a54f54b71c4927ce685b8ca
 SHA1 (patch-examples_sshd__direct-tcpip.c) = 62de8625d58dbc03c38b0eb23f6e7f20a46e91de
-SHA1 (patch-src_misc.c) = f022c1a888ef1d9a7f1963981a989a82c41afcb3
-SHA1 (patch-tests_CMakeLists.txt) = 42728a0af04fababbbe973c3408ea31038b59276
-SHA1 (patch-tests_client_torture__session.c) = d3c67c2e17afb8e980486815b1debb6c8d9eb060
+SHA1 (patch-tests_CMakeLists.txt) = b5baa8db2161d3f1c7aab317b2919de5dbca6e6a
 SHA1 (patch-tests_torture.c) = 2c70e9d827f15ec36a62e0d0f5dd98774f24f79e
-SHA1 (patch-tests_unittests_torture__misc.c) = aba0eb9f590a5c91152dc026fcba714acef823be

Index: pkgsrc/security/libssh/patches/patch-tests_CMakeLists.txt
diff -u pkgsrc/security/libssh/patches/patch-tests_CMakeLists.txt:1.2 pkgsrc/security/libssh/patches/patch-tests_CMakeLists.txt:1.3
--- pkgsrc/security/libssh/patches/patch-tests_CMakeLists.txt:1.2       Thu May  1 18:19:22 2025
+++ pkgsrc/security/libssh/patches/patch-tests_CMakeLists.txt   Tue Mar 17 19:33:33 2026
@@ -1,23 +1,12 @@
-$NetBSD: patch-tests_CMakeLists.txt,v 1.2 2025/05/01 18:19:22 tnn Exp $
+$NetBSD: patch-tests_CMakeLists.txt,v 1.3 2026/03/17 19:33:33 bsiegert Exp $
 
 * OpenSSH 10 support
 * Search for sshd also in /usr/lib/ssh where it is located
   in SunOS/SmartOS.
 
---- tests/CMakeLists.txt.orig  2024-08-29 13:01:56.000000000 +0000
+--- tests/CMakeLists.txt.orig  2026-02-10 09:47:00.000000000 +0000
 +++ tests/CMakeLists.txt
-@@ -100,8 +100,8 @@ add_subdirectory(unittests)
- find_program(SSH_EXECUTABLE NAMES ssh)
- if (SSH_EXECUTABLE)
-     execute_process(COMMAND ${SSH_EXECUTABLE} -V ERROR_VARIABLE OPENSSH_VERSION_STR)
--    string(REGEX REPLACE "^.*OpenSSH_([0-9]).[0-9].*$" "\\1" OPENSSH_VERSION_MAJOR "${OPENSSH_VERSION_STR}")
--    string(REGEX REPLACE "^.*OpenSSH_[0-9].([0-9]).*$" "\\1" OPENSSH_VERSION_MINOR "${OPENSSH_VERSION_STR}")
-+    string(REGEX REPLACE "^.*OpenSSH_([0-9]+)[.]([0-9]+).*$" "\\1" OPENSSH_VERSION_MAJOR "${OPENSSH_VERSION_STR}")
-+    string(REGEX REPLACE "^.*OpenSSH_([0-9]+)[.]([0-9]+).*$" "\\2" OPENSSH_VERSION_MINOR "${OPENSSH_VERSION_STR}")
-     set(OPENSSH_VERSION "${OPENSSH_VERSION_MAJOR}.${OPENSSH_VERSION_MINOR}")
-     if("${OPENSSH_VERSION}" VERSION_LESS "6.3")
-         # ssh - Q was introduced in 6.3
-@@ -168,7 +168,8 @@ find_program(SSHD_EXECUTABLE
+@@ -192,7 +192,8 @@ find_program(SSHD_EXECUTABLE
               PATHS
                  /sbin
                  /usr/sbin
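Review bot: The patch header still advertises `* OpenSSH 10 support` while this revision drops the hunk that rewrote the `OpenSSH_` major/minor version regexes (and the second hunk removes its twin), so the only change the patch still carries is the extended sshd search `PATHS`. The description should be reduced to what is left, e.g. `* Search for sshd also in /usr/local/sbin and /usr/lib/ssh, where it is located in SunOS/SmartOS.` Presumably the regex change is no longer needed because upstream ships equivalent parsing (the 0.11.2 entry in the log message lists "Compatibility with OpenSSH 10.0"), but saying so in the patch header would stop the next updater from re-adding it. The `PATHS` list this hunk touches continues in the next hunk.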
@@ -25,16 +14,5 @@ $NetBSD: patch-tests_CMakeLists.txt,v 1.
 +                /usr/local/sbin
 +                /usr/lib/ssh)
  
- if (CLIENT_TESTING OR SERVER_TESTING)
-     find_package(socket_wrapper 1.1.5 REQUIRED)
-@@ -212,8 +213,8 @@ if (CLIENT_TESTING OR SERVER_TESTING)
-     find_program(SSH_EXECUTABLE NAMES ssh)
-     if (SSH_EXECUTABLE)
-         execute_process(COMMAND ${SSH_EXECUTABLE} -V ERROR_VARIABLE OPENSSH_VERSION_STR)
--        string(REGEX REPLACE "^.*OpenSSH_([0-9]).[0-9].*$" "\\1" OPENSSH_VERSION_MAJOR "${OPENSSH_VERSION_STR}")
--        string(REGEX REPLACE "^.*OpenSSH_[0-9].([0-9]).*$" "\\1" OPENSSH_VERSION_MINOR "${OPENSSH_VERSION_STR}")
-+        string(REGEX REPLACE "^.*OpenSSH_([0-9]+)[.]([0-9]+).*$" "\\1" OPENSSH_VERSION_MAJOR "${OPENSSH_VERSION_STR}")
-+        string(REGEX REPLACE "^.*OpenSSH_([0-9]+)[.]([0-9]+).*$" "\\2" OPENSSH_VERSION_MINOR "${OPENSSH_VERSION_STR}")
-         add_definitions(-DOPENSSH_VERSION_MAJOR=${OPENSSH_VERSION_MAJOR} -DOPENSSH_VERSION_MINOR=${OPENSSH_VERSION_MINOR})
-     endif()
- 
+ if (WITH_PKCS11_URI)
+     find_package(softhsm)


