
Request 1134726 accepted

- Fix regression parsing IPv6 addresses provided as hostname
  * Added libssh-fix-ipv6-hostname-regression.patch
- Update to version 0.10.6
  https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
- Fix CVE-2023-6004: ProxyCommand/ProxyJump features allow injection of malicious code through hostname (bsc#1218209)
- Fix CVE-2023-48795: prefix truncation breaking ssh channel integrity (bsc#1218126)
- Fix CVE-2023-6918: Added Missing checks for return values for digests (bsc#1218186)


Ana Guerrero

https://gitlab.com/libssh/libssh-mirror/-/issues/227

@gladiac if you can take a look, it seems a fix was merged already.


Andreas Schneider (author, source maintainer)

I'm not sure what I should look at, this patch is already added, see the first two lines in the changes file ...




Ana Guerrero

FTR, the FTBFS with cockpit is still present

[  115s] ok 3 /ssh-bridge/echo-large
[  115s] # cockpit-protocol-DEBUG: test-ssh: output queue empty
[  115s] # cockpit-protocol-DEBUG: test-ssh: reading input 1
[  115s] # cockpit-protocol-DEBUG: test-ssh: received a 73 byte payload
[  115s] # cockpit-protocol-DEBUG: test-ssh: want more data
[  115s] # cockpit-protocol-DEBUG: test-ssh: queued 112 byte payload
[  115s] # cockpit-protocol-DEBUG: test-ssh: wrote 5 bytes
[  115s] # cockpit-protocol-DEBUG: test-ssh: wrote 112 bytes
[  115s] # cockpit-protocol-DEBUG: test-ssh: output queue empty
[  115s] 
[  115s] (cockpit-ssh:8831): cockpit-ssh-WARNING **: 12:39:40.380: (src/ssh/cockpitsshrelay.c:1349):cockpit_ssh_connect: runtime check failed: (ssh_options_set (data->session, SSH_OPTIONS_HOST, host) == 0)
[  115s] 
[  115s] (cockpit-ssh:8831): cockpit-ssh-WARNING **: 12:39:40.380: (src/ssh/cockpitsshrelay.c:1350):cockpit_ssh_connect: runtime check failed: (ssh_options_parse_config (data->session, NULL) == 0)
[  115s] # cockpit-protocol-DEBUG: test-ssh: reading input 1
[  115s] # cockpit-protocol-DEBUG: test-ssh: received a 82 byte payload
[  115s] # cockpit-protocol-DEBUG: test-ssh: want more data
[  115s] **
[  115s] cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:542:wait_until_transport_init: assertion failed (json_object_get_string_member (init, "command") == "init"): ("authorize" == "init")
[  115s] not ok /ssh-bridge/ipv6-address - cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:542:wait_until_transport_init: assertion failed (json_object_get_string_member (init, "command") == "init"): ("authorize" == "init")
[  115s] Bail out!
[  115s] cockpit-ssh-Message: 12:39:40.380: cockpit-ssh [::1]:37775: -1 couldn't connect: Hostname required '::1' '37775'
[  115s] cockpit-ssh-Message: 12:39:40.380: couldn't write control message: Broken pipe
[  115s] cockpit-ssh-Message: 12:39:40.380: couldn't write authorize message: Inappropriate ioctl for device
[  115s] FAIL test-sshbridge (exit status: 134)
[  115s] 
[  115s] ============================================================================
[  115s] Testsuite summary for Cockpit 300.1
[  115s] ============================================================================
[  115s] # TOTAL: 89
[  115s] # PASS:  88
[  115s] # SKIP:  0
[  115s] # XFAIL: 0
[  115s] # FAIL:  1
[  115s] # XPASS: 0
[  115s] # ERROR: 0
[  115s] ============================================================================

Request History
Andreas Schneider

gladiac created request



Factory Auto

factory-auto added opensuse-review-team as a reviewer

Please review sources


Factory Auto

factory-auto accepted review

Check script succeeded


Saul Goodman

licensedigger accepted review

ok


Ana Guerrero

anag+factory set openSUSE:Factory:Staging:G as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:G"


Ana Guerrero

anag+factory accepted review

Picked "openSUSE:Factory:Staging:G"


Dominique Leuenberger

dimstar accepted review


Ana Guerrero

anag+factory added factory-staging as a reviewer

Being evaluated by group "factory-staging"


Ana Guerrero

anag+factory accepted review

Unstaged from project "openSUSE:Factory:Staging:G"


Ana Guerrero

anag+factory set openSUSE:Factory:Staging:E as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:E"


Ana Guerrero

anag+factory accepted review

Picked "openSUSE:Factory:Staging:E"


Ana Guerrero

anag+factory added factory-staging as a reviewer

Being evaluated by group "factory-staging"


Ana Guerrero

anag+factory accepted review

Unstaged from project "openSUSE:Factory:Staging:E"


Ana Guerrero

anag+factory set openSUSE:Factory:Staging:F as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:F"


Ana Guerrero

anag+factory accepted review

Picked "openSUSE:Factory:Staging:F"


Ana Guerrero

anag+factory added factory-staging as a reviewer

Being evaluated by group "factory-staging"


Ana Guerrero

anag+factory accepted review

Unstaged from project "openSUSE:Factory:Staging:F"


Ana Guerrero

anag+factory set openSUSE:Factory:Staging:M as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:M"


Ana Guerrero

anag+factory accepted review

Picked "openSUSE:Factory:Staging:M"


Ana Guerrero

anag+factory accepted review

Staging Project openSUSE:Factory:Staging:M got accepted.


Ana Guerrero

anag+factory approved review

Staging Project openSUSE:Factory:Staging:M got accepted.


Ana Guerrero

anag+factory accepted request

Staging Project openSUSE:Factory:Staging:M got accepted.
