File _patchinfo of Package patchinfo.32066

<patchinfo incident="32066">
  <issue tracker="cve" id="2023-1667"/>
  <issue tracker="cve" id="2023-6918"/>
  <issue tracker="cve" id="2023-48795"/>
  <issue tracker="cve" id="2023-2283"/>
  <issue tracker="cve" id="2023-6004"/>
  <issue tracker="bnc" id="1211190">VUL-0: CVE-2023-2283: libssh: authorization bypass in pki_verify_data_signature</issue>
  <issue tracker="bnc" id="1218126">VUL-0: CVE-2023-48795: libssh: prefix truncation breaking ssh channel integrity</issue>
  <issue tracker="bnc" id="1218186">VUL-0: CVE-2023-6918: libssh: Missing checks for return values for digests</issue>
  <issue tracker="bnc" id="1218209">VUL-0: CVE-2023-6004: libssh: ProxyCommand/ProxyJump features allow injection of malicious code through hostname</issue>
  <issue tracker="bnc" id="1211188">VUL-0: CVE-2023-1667: libssh: NULL pointer dereference during rekeying with algorithm guessing</issue>
  <packager>wfrisch</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for libssh</summary>
  <description>This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code
</description>
</patchinfo>