Created attachment 203042
update to 1.8.1

- Update to 1.8.1

Bug fixes:
fixed possible integer overflow when reading a specially crafted packet
fixed possible integer overflow in userauth_keyboard_interactive with a number of extremely long prompt strings
fixed possible integer overflow if the server sent an extremely large number of keyboard prompts
fixed possible out of bounds read when processing a specially crafted packet
fixed possible integer overflow when receiving a specially crafted exit signal message channel packet
fixed possible out of bounds read when receiving a specially crafted exit status message channel packet
fixed possible zero byte allocation when reading a specially crafted SFTP packet
fixed possible out of bounds reads when processing specially crafted SFTP packets
fixed possible out of bounds reads in _libssh2_packet_require(v)
Approved and handed over to swills@ by private email. He will handle this PR because at the moment I don't have shell access. Thanks!
A commit references this bug:

Author: swills
Date: Thu Apr 18 10:37:13 UTC 2019
New revision: 499246
URL: https://svnweb.freebsd.org/changeset/ports/499246

Log:
  security/libssh2: update to 1.8.1

  PR: 236711
  Submitted by: Leonid Nevecherya <nevecherya@gmail.com>
  Approved by: sbz (maintainer)
  MFH: 2019Q2
  Security: 6e58e1e9-2636-413e-9f84-4c0e21143628

Changes:
  head/security/libssh2/Makefile
  head/security/libssh2/distinfo
A commit references this bug:

Author: swills
Date: Thu Apr 18 10:38:11 UTC 2019
New revision: 499247
URL: https://svnweb.freebsd.org/changeset/ports/499247

Log:
  MFH: r499246

  security/libssh2: update to 1.8.1

  PR: 236711
  Submitted by: Leonid Nevecherya <nevecherya@gmail.com>
  Approved by: sbz (maintainer)
  Security: 6e58e1e9-2636-413e-9f84-4c0e21143628

  Approved by: ports-secteam (implicit)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/security/libssh2/Makefile
  branches/2019Q2/security/libssh2/distinfo
Committed, thanks!
Previous port versions weren't marked as vulnerable!
You added an entry in VuXML

...
<affects>
  <package>
    <name>libssh2</name>
    <range><lt>1.8.1</lt></range>
  </package>
</affects>
...

But it needs

...
<affects>
  <package>
    <name>libssh2</name>
    <range><lt>1.8.1,3</lt></range>
  </package>
</affects>
...

Otherwise previous port versions aren't marked as vulnerable.
(In reply to Leonid Nevecherya from comment #6) Ah, done in ports r499864. Thanks for the pointer, sorry I missed that.
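
The range mismatch reported in the comments above, as an added example that is not part of the original thread or of the FreeBSD tooling: FreeBSD package versions have the form version[_revision][,epoch], and the epoch is compared before anything else, so a bound without an epoch sorts below every version of a port that carries one. The comparison here is a simplified stand-in for the real version comparison, and the installed version "1.8.0,3" is a constructed sample.

```python
import operator
import xml.etree.ElementTree as ET

# The two <affects> blocks quoted in the thread.
ENTRY_AS_COMMITTED = """<affects><package><name>libssh2</name>
<range><lt>1.8.1</lt></range></package></affects>"""
ENTRY_CORRECTED = """<affects><package><name>libssh2</name>
<range><lt>1.8.1,3</lt></range></package></affects>"""

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}


def version_key(version):
    """Sort key for 'version[_revision][,epoch]'; the epoch is compared first.

    Simplification: only dotted numeric versions are handled, which covers
    the values in this thread but not every version string a port can use.
    """
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    numbers = tuple(int(part) for part in version.split("."))
    return (int(epoch or 0), numbers, int(revision or 0))


def is_affected(affects_xml, name, installed):
    """True if `installed` satisfies every bound of some <range> for `name`."""
    for package in ET.fromstring(affects_xml).iter("package"):
        if name not in [n.text for n in package.findall("name")]:
            continue
        for rng in package.findall("range"):
            if all(OPS[bound.tag](version_key(installed), version_key(bound.text))
                   for bound in rng):
                return True
    return False


if __name__ == "__main__":
    # "1.8.0,3" is a constructed example of a pre-update port version.
    for label, entry in (("as committed", ENTRY_AS_COMMITTED),
                         ("corrected", ENTRY_CORRECTED)):
        for installed in ("1.8.0,3", "1.8.1,3"):
            print(label, installed, is_affected(entry, "libssh2", installed))
```

On a FreeBSD host the same ordering can be checked with `pkg version -t 1.8.0,3 1.8.1`, which reports the first argument as the greater one.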