Update to 0.11.3

- Update to version 0.11.2
  * Security:
    * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion (bsc#1245309)
    * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
    * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management (bsc#1245311)
    * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312)
    * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures (bsc#1245314)
    * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding (bsc#1245316)
    * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL (bsc#1245317)
  * Compatibility
    * Fixed compatibility with CPM.cmake
    * Compatibility with OpenSSH 10.0
    * Tests compatibility with new Dropbear releases
    * Removed p11-kit remoting from the pkcs11 testsuite
  * Bugfixes
    * Implement missing packet filter for DH GEX
    * Properly process the SSH2_MSG_DEBUG message
    * Allow escaping quotes in quoted arguments to ssh configuration
    * Do not fail with unknown match keywords in ssh configuration
    * Process packets before selecting signature algorithm during authentication
    * Do not fail hard when the SFTP status message is not sent by noncompliant
      servers
- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch

OBS-URL: https://build.opensuse.org/request/show/1288631
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libssh?expand=0&rev=79

0001-disable-timeout-test-on-slow-buildsystems.patch

@@ -1,53 +0,0 @@
-Index: libssh-0.10.0/tests/unittests/torture_misc.c
-===================================================================
---- libssh-0.10.0.orig/tests/unittests/torture_misc.c	2022-07-07 15:53:51.000000000 +0200
-+++ libssh-0.10.0/tests/unittests/torture_misc.c	2022-08-26 14:19:01.827866890 +0200
-@@ -211,11 +211,13 @@ static void torture_timeout_elapsed(void
-     ssh_timestamp_init(&ts);
-     usleep(30000);
- 
-+#ifndef SLOW_TEST_SYSTEM
-     assert_true(ssh_timeout_elapsed(&ts,25));
-     assert_false(ssh_timeout_elapsed(&ts,30000));
-     assert_false(ssh_timeout_elapsed(&ts,75));
-     assert_true(ssh_timeout_elapsed(&ts,0));
-     assert_false(ssh_timeout_elapsed(&ts,-1));
-+#endif /* SLOW_TEST_SYSTEM */
- }
- 
- static void torture_timeout_update(void **state){
-@@ -223,11 +225,13 @@ static void torture_timeout_update(void
-     (void) state;
-     ssh_timestamp_init(&ts);
-     usleep(50000);
-+#ifndef SLOW_TEST_SYSTEM
-     assert_int_equal(ssh_timeout_update(&ts,25), 0);
-     assert_in_range(ssh_timeout_update(&ts,30000),29000,29960);
-     assert_in_range(ssh_timeout_update(&ts,75),1,40);
-     assert_int_equal(ssh_timeout_update(&ts,0),0);
-     assert_int_equal(ssh_timeout_update(&ts,-1),-1);
-+#endif /* SLOW_TEST_SYSTEM */
- }
- 
- static void torture_ssh_analyze_banner(void **state) {
-Index: libssh-0.10.0/DefineOptions.cmake
-===================================================================
---- libssh-0.10.0.orig/DefineOptions.cmake	2022-07-07 15:53:51.000000000 +0200
-+++ libssh-0.10.0/DefineOptions.cmake	2022-08-26 14:19:41.500119198 +0200
-@@ -25,6 +25,7 @@ option(WITH_GEX "Enable DH Group exchang
- option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not suitable for production!)" OFF)
- option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
- option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
-+option(SLOW_TEST_SYSTEM "Disable tests that fail on slow systems" OFF)
- 
- if (WITH_ZLIB)
-     set(WITH_LIBZ ON)
-@@ -60,3 +61,8 @@ endif (NOT GLOBAL_CLIENT_CONFIG)
- if (FUZZ_TESTING)
-   set(WITH_INSECURE_NONE ON)
- endif (FUZZ_TESTING)
-+
-+if (SLOW_TEST_SYSTEM)
-+  set (SLOW_TEST_SYSTEM ON)
-+  add_definitions(-DSLOW_TEST_SYSTEM)
-+endif (SLOW_TEST_SYSTEM)

libssh-0.10.6.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmWAeGkACgkQfuD8TcwB
-Tj2yAw//QOMEcCiijJvOgXCKsVoV9oSuK3aYxqpOS9cV2P40eev0KQrAZC2EXNt3
-XAdfNhA21b2C6qSxckmkCWg3vwPmM6LousHG+zpyZkiSziolMoeBkvbEdU42fufE
-SD39cA1bBEbZahyrILWT2I3Bi0d0G7FC13tIBXShS2zIITSXs/2SSRIhg3OXB979
-FTwvEE4zHeSXO4itTMNA/sMJ/0qPccQIzisH0g/TF4318b0qjlQjkHJS1y0f3/PL
-Ge3RORQVcZqGTnhJNlF/tKD8wZ9mfqqurQ9yNshiAu8hH8sDH5ZhI3o5pjQe0mGO
-JNEwTw0X/vZ4iglWFmm2CusiHrh0KUFsrp8f3oaL3HU4i7yYgo0FhzFtgFVt0gXO
-JQOhlSUq50yqbBj6S9C5ecuSR0uPgYA4d8qCFrt9oD77m7Qi3mMi+f/kP+HctIaV
-4ro7lZf6IS54J4/m5hRY3F0nweFnZZL8gn8Da8mBZSvhXCqQL6qbD9buwrTzxGft
-Fct7+PrRwz9igO7j2nNMyWxtX55/GpX06n7vuonRgQQQiT8eQ5R71STMHJaACFPS
-CJHCpuVL28HGdyAxN5d65TCvkNo9/gFGM6ocIH3OlreTFUvy22qNrqwHpCkLgYWU
-ylntVoE/VYtHtwFOe0uuCX+2TiM03P5UT2NqAAa/8D4Z5ur3qUY=
-=nXW5
------END PGP SIGNATURE-----

libssh-0.11.3.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmi/4EwACgkQA9XfjP3T
+6OcdEhAAgwukpUWy2UaOI/xAo+yg4fzRIy7WL2kHwFYL+1qxTV+4xGyGMuMG9r0Y
+uFahO8VTXi6EyzKfW14XP6L2h2h7lnkGw8bET66P2XlcjGFdBXoPCv3DYO8MZKmP
+v0rET33A/64iO7jJeysFWOm+GYDVSn6OiB+uoychDHzXztWYRHIGOrhIFMREa6sT
+CmLugQoSmBBL/EfUTUAgQTyF7/Cufg2P/MQ2QsVrKJnQHhlHWgECPEx7kQWK4xCp
+IlRPIXNwGB1FkMQ84llaTCzFAnlI5Tf2tDMwOexVdgZ8w/5YfFDshLUT1AFkftQV
+du7/597LzbXJujKH2fHeRgXI+Peu4x5i/YXpmWNjvZV3EdkKXS7o2LQb+g9NoTE9
+KpABhc/SFR2Ub7Gk6jTodoiQEF0vgtWHN/uMpIym3XJ1TH12QsQiFKdXKMom5Wue
+mcZ4vbsthLY1zbWL27/rnlJt3iODWGoPT/KPooFNNwauhvTQx+zajcbH1fcQu5ee
+/Mj0F93Kyp1CixVwePKP25Pjas1yX1mpCkuDRLv9RwzA4UYrNq+j6GqItTUBNS+Q
+WOiiQzRp1RhX2lcNogVTdW6pzAmFmmelUykufI72mtpslMCvlEkLX92KcoWoTeK4
+3KuaXreUqKwO8nncQDk2taTV3Gsvu3WZcs878xCDfwdwaWShN3c=
+=wFeb
+-----END PGP SIGNATURE-----

libssh-cmake-Add-option-WITH_HERMETIC_USR.patch

@@ -0,0 +1,347 @@
+From d88dbc1e0fa6dab2de359f211792c0b5c3ec7664 Mon Sep 17 00:00:00 2001
+From: Lucas Mulling <lucas.mulling@suse.com>
+Date: Mon, 17 Feb 2025 14:13:53 -0300
+Subject: [PATCH] cmake: Add option WITH_HERMETIC_USR
+
+Add a cmake option to enable hermetic-usr, i.e., use of config files in /usr/.
+If turned on, GLOBAL_*_CONFIG is prepended with /usr/ and defined as
+USR_GLOBAL_*_CONFIG. Config lookup follows this path GLOBAL_*_CONFIG ->
+USR_GLOBAL_*_CONFIG.
+
+Introduce a ssh_config_parse primitive. This avoids convoluted checks for file
+presence (without modifing the behaviour of ssh_config_parse_file) and allows
+marking whether the config is global at the call site.
+
+Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+ CMakeLists.txt           |   8 ++-
+ DefineOptions.cmake      |   6 +++
+ config.h.cmake           |   2 +
+ include/libssh/libssh.h  |   3 +-
+ include/libssh/options.h |   1 +
+ src/config.c             |  56 ++++++++++++++-------
+ src/options.c            | 106 ++++++++++++++++++++++++---------------
+ 7 files changed, 122 insertions(+), 60 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 9877cd70..9a4ea9e3 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -249,9 +249,15 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}")
+ message(STATUS "Symbol versioning: ${WITH_SYMBOL_VERSIONING}")
+ message(STATUS "Allow ABI break: ${WITH_ABI_BREAK}")
+ message(STATUS "Release is final: ${WITH_FINAL}")
++if (WITH_HERMETIC_USR)
++    message(STATUS "User global client config: ${USR_GLOBAL_CLIENT_CONFIG}")
++endif ()
+ message(STATUS "Global client config: ${GLOBAL_CLIENT_CONFIG}")
+ if (WITH_SERVER)
+-message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
++    if (WITH_HERMETIC_USR)
++        message(STATUS "User global bind config: ${USR_GLOBAL_BIND_CONFIG}")
++    endif ()
++    message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
+ endif()
+ message(STATUS "********************************************")
+ 
+diff --git a/DefineOptions.cmake b/DefineOptions.cmake
+index f1a6a244..91bb96db 100644
+--- a/DefineOptions.cmake
++++ b/DefineOptions.cmake
+@@ -27,6 +27,7 @@ option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not s
+ option(WITH_EXEC "Enable libssh to execute arbitrary commands from configuration files or options (match exec, proxy commands and OpenSSH-based proxy-jumps)." ON)
+ option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
+ option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
++option(WITH_HERMETIC_USR "Build with support for hermetic /usr/" OFF)
+ 
+ if (WITH_ZLIB)
+     set(WITH_LIBZ ON)
+@@ -59,6 +60,11 @@ if (NOT GLOBAL_CLIENT_CONFIG)
+   set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
+ endif (NOT GLOBAL_CLIENT_CONFIG)
+ 
++if (WITH_HERMETIC_USR)
++  set(USR_GLOBAL_BIND_CONFIG "/usr${GLOBAL_BIND_CONFIG}")
++  set(USR_GLOBAL_CLIENT_CONFIG "/usr${GLOBAL_CLIENT_CONFIG}")
++endif (WITH_HERMETIC_USR)
++
+ if (FUZZ_TESTING)
+   set(WITH_INSECURE_NONE ON)
+ endif (FUZZ_TESTING)
+diff --git a/config.h.cmake b/config.h.cmake
+index 8dce5273..b61ce1db 100644
+--- a/config.h.cmake
++++ b/config.h.cmake
+@@ -9,9 +9,11 @@
+ #cmakedefine SOURCEDIR "${SOURCEDIR}"
+ 
+ /* Global bind configuration file path */
++#cmakedefine USR_GLOBAL_BIND_CONFIG "${USR_GLOBAL_BIND_CONFIG}"
+ #cmakedefine GLOBAL_BIND_CONFIG "${GLOBAL_BIND_CONFIG}"
+ 
+ /* Global client configuration file path */
++#cmakedefine USR_GLOBAL_CLIENT_CONFIG "${USR_GLOBAL_CLIENT_CONFIG}"
+ #cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}"
+ 
+ /************************** HEADER FILES *************************/
+diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
+index 3bddb019..28fe7396 100644
+--- a/include/libssh/libssh.h
++++ b/include/libssh/libssh.h
+@@ -49,9 +49,10 @@
+   #endif
+ #endif
+ 
++#include <inttypes.h>
+ #include <stdarg.h>
++#include <stdbool.h>
+ #include <stdint.h>
+-#include <inttypes.h>
+ 
+ #ifdef _MSC_VER
+   typedef int mode_t;
+diff --git a/include/libssh/options.h b/include/libssh/options.h
+index d32e1589..63b207fa 100644
+--- a/include/libssh/options.h
++++ b/include/libssh/options.h
+@@ -25,6 +25,7 @@
+ extern "C" {
+ #endif
+ 
++int ssh_config_parse(ssh_session session, FILE *fp, bool global);
+ int ssh_config_parse_file(ssh_session session, const char *filename);
+ int ssh_config_parse_string(ssh_session session, const char *input);
+ int ssh_options_set_algo(ssh_session session,
+diff --git a/src/config.c b/src/config.c
+index b4171efd..611c0349 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -1451,45 +1451,67 @@ ssh_config_parse_line(ssh_session session,
+   return 0;
+ }
+ 
+-/* @brief Parse configuration file and set the options to the given session
++/* @brief Parse configuration from a file pointer
+  *
+  * @params[in] session   The ssh session
+- * @params[in] filename  The path to the ssh configuration file
++ * @params[in] fp        A valid file pointer
++ * @params[in] global    Whether the config is global or not
+  *
+  * @returns    0 on successful parsing the configuration file, -1 on error
+  */
+-int ssh_config_parse_file(ssh_session session, const char *filename)
++int ssh_config_parse(ssh_session session, FILE *fp, bool global)
+ {
+     char line[MAX_LINE_SIZE] = {0};
+     unsigned int count = 0;
+-    FILE *f = NULL;
+     int parsing, rv;
++
++    parsing = 1;
++    while (fgets(line, sizeof(line), fp)) {
++        count++;
++        rv = ssh_config_parse_line(session, line, count, &parsing, 0, global);
++        if (rv < 0) {
++            return -1;
++        }
++    }
++
++    return 0;
++}
++
++/* @brief Parse configuration file and set the options to the given session
++ *
++ * @params[in] session   The ssh session
++ * @params[in] filename  The path to the ssh configuration file
++ *
++ * @returns    0 on successful parsing the configuration file, -1 on error
++ */
++int ssh_config_parse_file(ssh_session session, const char *filename)
++{
++    FILE *fp = NULL;
++    int rv;
+     bool global = 0;
+ 
+-    f = fopen(filename, "r");
+-    if (f == NULL) {
++    fp = fopen(filename, "r");
++    if (fp == NULL) {
+         return 0;
+     }
+ 
+     rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
++#ifdef USR_GLOBAL_CLIENT_CONFIG
++    if (rv != 0) {
++        rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG);
++    }
++#endif
++
+     if (rv == 0) {
+         global = true;
+     }
+ 
+     SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", filename);
+ 
+-    parsing = 1;
+-    while (fgets(line, sizeof(line), f)) {
+-        count++;
+-        rv = ssh_config_parse_line(session, line, count, &parsing, 0, global);
+-        if (rv < 0) {
+-            fclose(f);
+-            return -1;
+-        }
+-    }
++    rv = ssh_config_parse(session, fp, global);
+ 
+-    fclose(f);
+-    return 0;
++    fclose(fp);
++    return rv;
+ }
+ 
+ /* @brief Parse configuration string and set the options to the given session
+diff --git a/src/options.c b/src/options.c
+index 785296dd..6a72e0e2 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -26,6 +26,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <unistd.h>
+ #ifndef _WIN32
+ #include <pwd.h>
+ #else
+@@ -1814,6 +1815,8 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
+  *
+  * @param  filename     The options file to use, if NULL the default
+  *                      ~/.ssh/config and /etc/ssh/ssh_config will be used.
++ *                      If complied with support for hermetic-usr,
++ *                      /usr/etc/ssh/ssh_config will be used last.
+  *
+  * @return 0 on success, < 0 on error.
+  *
+@@ -1821,48 +1824,63 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
+  */
+ int ssh_options_parse_config(ssh_session session, const char *filename)
+ {
+-  char *expanded_filename = NULL;
+-  int r;
++    char *expanded_filename = NULL;
++    int r;
++    FILE *fp = NULL;
+ 
+-  if (session == NULL) {
+-    return -1;
+-  }
+-  if (session->opts.host == NULL) {
+-    ssh_set_error_invalid(session);
+-    return -1;
+-  }
+-
+-  if (session->opts.sshdir == NULL) {
+-      r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
+-      if (r < 0) {
+-          ssh_set_error_oom(session);
+-          return -1;
+-      }
+-  }
+-
+-  /* set default filename */
+-  if (filename == NULL) {
+-    expanded_filename = ssh_path_expand_escape(session, "%d/config");
+-  } else {
+-    expanded_filename = ssh_path_expand_escape(session, filename);
+-  }
+-  if (expanded_filename == NULL) {
+-    return -1;
+-  }
+-
+-  r = ssh_config_parse_file(session, expanded_filename);
+-  if (r < 0) {
+-      goto out;
+-  }
+-  if (filename == NULL) {
+-      r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
+-  }
+-
+-  /* Do not process the default configuration as part of connection again */
+-  session->opts.config_processed = true;
++    if (session == NULL) {
++        return -1;
++    }
++    if (session->opts.host == NULL) {
++        ssh_set_error_invalid(session);
++        return -1;
++    }
++
++    if (session->opts.sshdir == NULL) {
++        r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
++        if (r < 0) {
++            ssh_set_error_oom(session);
++            return -1;
++        }
++    }
++
++    /* set default filename */
++    if (filename == NULL) {
++        expanded_filename = ssh_path_expand_escape(session, "%d/config");
++    } else {
++        expanded_filename = ssh_path_expand_escape(session, filename);
++    }
++    if (expanded_filename == NULL) {
++        return -1;
++    }
++
++    r = ssh_config_parse_file(session, expanded_filename);
++    if (r < 0) {
++        goto out;
++    }
++    if (filename == NULL) {
++        if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
++            filename = GLOBAL_CLIENT_CONFIG;
++#ifdef USR_GLOBAL_CLIENT_CONFIG
++        } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
++            filename = USR_GLOBAL_CLIENT_CONFIG;
++#endif
++        }
++
++        if (fp) {
++            SSH_LOG(SSH_LOG_PACKET,
++                    "Reading configuration data from %s",
++                    filename);
++            r = ssh_config_parse(session, fp, true);
++            fclose(fp);
++        }
++    }
++
++    /* Do not process the default configuration as part of connection again */
++    session->opts.config_processed = true;
+ out:
+-  free(expanded_filename);
+-  return r;
++    free(expanded_filename);
++    return r;
+ }
+ 
+ int ssh_options_apply(ssh_session session)
+@@ -2706,7 +2724,13 @@ int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename)
+     /* If the global default configuration hasn't been processed yet, process it
+      * before the provided configuration. */
+     if (!(sshbind->config_processed)) {
+-        rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
++        if (access(GLOBAL_BIND_CONFIG, F_OK) == 0) {
++            rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
++#ifdef USR_GLOBAL_BIND_CONFIG
++        } else {
++            rc = ssh_bind_config_parse_file(sshbind, USR_GLOBAL_BIND_CONFIG);
++#endif
++        }
+         if (rc != 0) {
+             return rc;
+         }
+-- 
+2.50.0
+

libssh-fix-ipv6-hostname-regression.patch

@@ -1,265 +0,0 @@
-From 66ac6343b246458a6645ae32f75556a1407031ec Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 22 Dec 2023 10:32:40 +0100
-Subject: [PATCH 1/2] Fix regression in IPv6 addresses in hostname parsing
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- include/libssh/config_parser.h | 11 ++++++++---
- src/config.c                   |  4 ++--
- src/config_parser.c            | 19 ++++++++++++++-----
- src/options.c                  | 10 ++--------
- 4 files changed, 26 insertions(+), 18 deletions(-)
-
-diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
-index a7dd42a2c..ca353432b 100644
---- a/include/libssh/config_parser.h
-+++ b/include/libssh/config_parser.h
-@@ -30,6 +30,8 @@
- extern "C" {
- #endif
- 
-+#include <stdbool.h>
-+
- char *ssh_config_get_cmd(char **str);
- 
- char *ssh_config_get_token(char **str);
-@@ -49,14 +51,17 @@ int ssh_config_get_yesno(char **str, int notfound);
-  *                       be stored or NULL if we do not care about the result.
-  * @param[out]  port     Pointer to the location, where the new port will
-  *                       be stored or NULL if we do not care about the result.
-+ * @param[in]   ignore_port Set to true if the we should not attempt to parse
-+ *                       port number.
-  *
-  * @returns     SSH_OK if the provided string is in format of SSH URI,
-  *              SSH_ERROR on failure
-  */
- int ssh_config_parse_uri(const char *tok,
--        char **username,
--        char **hostname,
--        char **port);
-+                         char **username,
-+                         char **hostname,
-+                         char **port,
-+                         bool ignore_port);
- 
- #ifdef __cplusplus
- }
-diff --git a/src/config.c b/src/config.c
-index 5eedbce96..7135c3b19 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
-         }
-         if (parse_entry) {
-             /* We actually care only about the first item */
--            rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
-+            rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
-             /* The rest of the list needs to be passed on */
-             if (endp != NULL) {
-                 next = strdup(endp + 1);
-@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
-             }
-         } else {
-             /* The rest is just sanity-checked to avoid failures later */
--            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
-+            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
-         }
-         if (rv != SSH_OK) {
-             goto out;
-diff --git a/src/config_parser.c b/src/config_parser.c
-index 9ffc8b8b0..b30e94091 100644
---- a/src/config_parser.c
-+++ b/src/config_parser.c
-@@ -161,10 +161,14 @@ int ssh_config_get_yesno(char **str, int notfound)
-     return notfound;
- }
- 
-+/* Parse the URI extracting parts such as a username, hostname and port.
-+ * If the port is NULL, do not expect port present and be more lax for example
-+ * with matching IPv6 address which have the same separators as host:port */
- int ssh_config_parse_uri(const char *tok,
--        char **username,
--        char **hostname,
--        char **port)
-+                         char **username,
-+                         char **hostname,
-+                         char **port,
-+                         bool ignore_port)
- {
-     char *endp = NULL;
-     long port_n;
-@@ -210,12 +214,17 @@ int ssh_config_parse_uri(const char *tok,
-         if (endp == NULL) {
-             goto error;
-         }
--    } else {
--        /* Hostnames or aliases expand to the last colon or to the end */
-+    } else if (!ignore_port) {
-+        /* Hostnames or aliases expand to the last colon (if port is requested)
-+         * or to the end */
-         endp = strrchr(tok, ':');
-         if (endp == NULL) {
-             endp = strchr(tok, '\0');
-         }
-+    } else {
-+        /* If no port is requested, expand to the end of line
-+         * (to accommodate the IPv6 addresses) */
-+        endp = strchr(tok, '\0');
-     }
-     if (tok == endp) {
-         /* Zero-length hostnames are not valid */
-diff --git a/src/options.c b/src/options.c
-index 2e73be462..676c49e7a 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -634,17 +634,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
-                 ssh_set_error_invalid(session);
-                 return -1;
-             } else {
--                char *username = NULL, *hostname = NULL, *port = NULL;
--                rc = ssh_config_parse_uri(value, &username, &hostname, &port);
-+                char *username = NULL, *hostname = NULL;
-+                rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
-                 if (rc != SSH_OK) {
-                     return -1;
-                 }
--                if (port != NULL) {
--                    SAFE_FREE(username);
--                    SAFE_FREE(hostname);
--                    SAFE_FREE(port);
--                    return -1;
--                }
-                 if (username != NULL) {
-                     SAFE_FREE(session->opts.username);
-                     session->opts.username = username;
--- 
-GitLab
-
-
-From f2ec751f09901b9c539ae096f5ee4fc63f305f30 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 22 Dec 2023 09:52:18 +0100
-Subject: [PATCH 2/2] tests: Increase test coverage for IPv6 address parsing as
- hostnames
-
-This was an issue in cockpit:
-
-https://github.com/cockpit-project/cockpit/issues/19772
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- tests/unittests/torture_config.c  | 49 +++++++++++++++++++++++++++++++
- tests/unittests/torture_options.c | 16 ++++++++++
- 2 files changed, 65 insertions(+)
-
-diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
-index bc6b08f94..751aa126c 100644
---- a/tests/unittests/torture_config.c
-+++ b/tests/unittests/torture_config.c
-@@ -2332,6 +2332,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
-     torture_config_make_absolute_int(state, 1);
- }
- 
-+static void torture_config_parse_uri(void **state)
-+{
-+    char *username = NULL;
-+    char *hostname = NULL;
-+    char *port = NULL;
-+    int rc;
-+
-+    (void)state; /* unused */
-+
-+    rc = ssh_config_parse_uri("localhost", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "localhost");
-+    SAFE_FREE(hostname);
-+    assert_null(port);
-+
-+    rc = ssh_config_parse_uri("1.2.3.4", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1.2.3.4");
-+    SAFE_FREE(hostname);
-+    assert_null(port);
-+
-+    rc = ssh_config_parse_uri("1.2.3.4:2222", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1.2.3.4");
-+    SAFE_FREE(hostname);
-+    assert_string_equal(port, "2222");
-+    SAFE_FREE(port);
-+
-+    rc = ssh_config_parse_uri("[1:2:3::4]:2222", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1:2:3::4");
-+    SAFE_FREE(hostname);
-+    assert_string_equal(port, "2222");
-+    SAFE_FREE(port);
-+
-+    /* do not want port */
-+    rc = ssh_config_parse_uri("1:2:3::4", &username, &hostname, NULL, true);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1:2:3::4");
-+    SAFE_FREE(hostname);
-+}
-+
- int torture_run_tests(void)
- {
-     int rc;
-@@ -2424,6 +2471,8 @@ int torture_run_tests(void)
-                                         setup, teardown),
-         cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
-                                         setup_no_sshdir, teardown),
-+        cmocka_unit_test_setup_teardown(torture_config_parse_uri,
-+                                        setup, teardown),
-     };
- 
- 
-diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
-index 5ba3bdc6a..b07712d86 100644
---- a/tests/unittests/torture_options.c
-+++ b/tests/unittests/torture_options.c
-@@ -57,6 +57,20 @@ static void torture_options_set_host(void **state) {
-     assert_non_null(session->opts.host);
-     assert_string_equal(session->opts.host, "localhost");
- 
-+    /* IPv4 address */
-+    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
-+    assert_true(rc == 0);
-+    assert_non_null(session->opts.host);
-+    assert_string_equal(session->opts.host, "127.1.1.1");
-+    assert_null(session->opts.username);
-+
-+    /* IPv6 address */
-+    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "::1");
-+    assert_true(rc == 0);
-+    assert_non_null(session->opts.host);
-+    assert_string_equal(session->opts.host, "::1");
-+    assert_null(session->opts.username);
-+
-     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
-     assert_true(rc == 0);
-     assert_non_null(session->opts.host);
-@@ -64,12 +78,14 @@ static void torture_options_set_host(void **state) {
-     assert_non_null(session->opts.username);
-     assert_string_equal(session->opts.username, "guru");
- 
-+    /* more @ in uri is OK -- it should go to the username */
-     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
-     assert_true(rc == 0);
-     assert_non_null(session->opts.host);
-     assert_string_equal(session->opts.host, "hostname");
-     assert_non_null(session->opts.username);
-     assert_string_equal(session->opts.username, "at@login");
-+
- }
- 
- static void torture_options_set_ciphers(void **state) {
--- 
-GitLab
-

libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch

@@ -0,0 +1,35 @@
+From 886e0288a7f27d11fc0020b48c5d4be997293b04 Mon Sep 17 00:00:00 2001
+From: Lucas Mulling <lucas.mulling@suse.com>
+Date: Mon, 2 Jun 2025 11:48:58 -0300
+Subject: [PATCH] tests: Fix an issue where torture_session request a SIGTERM
+ too early
+
+Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
+---
+ tests/client/torture_session.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/tests/client/torture_session.c b/tests/client/torture_session.c
+index cc83578f..6c10dee1 100644
+--- a/tests/client/torture_session.c
++++ b/tests/client/torture_session.c
+@@ -447,6 +447,16 @@ static void torture_channel_exit_signal(void **state)
+     /* Make the request, read parts with close */
+     rc = ssh_channel_request_exec(channel, request);
+     assert_ssh_return_code(session, rc);
++
++    /* FIX-SUSE bsc#1243799: Wait a bit before sending the SIGTERM. In real
++     * world use chases this should not happen has there will be network delays,
++     * since we are running the tests locally, it can happen that the server has
++     * yet to spawn the child (by this setting the correct group id). Meaning
++     * when we request TERM the correct gids are not setup and killpg will not
++     * work.
++     */
++    sleep(1);
++
+     rc = ssh_channel_request_send_signal(channel, "TERM");
+     assert_ssh_return_code(session, rc);
+ 
+-- 
+2.49.0
+

libssh.changes

@@ -1,3 +1,108 @@
+-------------------------------------------------------------------
+Tue Sep  9 15:19:24 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Update to 0.11.3
+  * Security:
+    * CVE-2025-8114: Fix NULL pointer dereference after allocation failure (bsc#1246974)
+    * CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX (bsc#1249375)
+    * Potential UAF when send() fails during key exchange
+  * Bugfixes:
+    * Fix possible timeout during KEX if client sends authentication too early
+    * Cleanup OpenSSL PKCS#11 provider when loaded
+    * Zeroize buffers containing private key blobs during export
+
+-------------------------------------------------------------------
+Tue Jun 24 14:36:44 UTC 2025 - Andreas Schneider <asn@cryptomilk.org>
+
+- Update to version 0.11.2
+  * Security:
+    * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion (bsc#1245309)
+    * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
+    * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management (bsc#1245311)
+    * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312)
+    * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures (bsc#1245314)
+    * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding (bsc#1245316)
+    * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL (bsc#1245317)
+  * Compatibility
+    * Fixed compatibility with CPM.cmake
+    * Compatibility with OpenSSH 10.0
+    * Tests compatibility with new Dropbear releases
+    * Removed p11-kit remoting from the pkcs11 testsuite
+  * Bugfixes
+    * Implement missing packet filter for DH GEX
+    * Properly process the SSH2_MSG_DEBUG message
+    * Allow escaping quotes in quoted arguments to ssh configuration
+    * Do not fail with unknown match keywords in ssh configuration
+    * Process packets before selecting signature algorithm during authentication
+    * Do not fail hard when the SFTP status message is not sent by noncompliant
+      servers
+- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
+- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
+
+-------------------------------------------------------------------
+Thu May 29 19:31:17 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Fix hang in torture_session test (bsc#1243799)
+  * Add patch libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
+
+-------------------------------------------------------------------
+Wed Apr 23 19:59:55 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Fix build and tests with OpenSSH >= 10.0
+  * Use %make_build instead of naked make
+  * Add patches:
+    - libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
+    - libssh-misc-Fix-OpenSSH-banner-parsing.patch
+
+-------------------------------------------------------------------
+Tue Feb 18 19:08:10 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Move global config dir to /usr/etc/libssh (bsc#1222716)
+  * Add patch libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
+
+-------------------------------------------------------------------
+Tue Feb  4 16:26:22 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Do not Require cmake from the devel package: there is no
+  requirement that consumers would be using cmake.
+- Own %{_libdir}/cmake to not leave traces when uninstalling the
+  package and being the only one left installing files to that
+  directory.
+
+-------------------------------------------------------------------
+Fri Sep 13 07:42:23 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 0.11.1:
+  * Fixed default TTY modes that are set when stdin is not
+    connected to tty.
+  * Fixed zlib cleanup procedure, which could crash on i386.
+  * Various test fixes improving their stability.
+  * Remove 0001-disable-timeout-test-on-slow-buildsystems.patch
+    to enable slow tests also in s390 s390x ppc64le.
+
+-------------------------------------------------------------------
+Fri Sep 13 07:42:23 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 0.11.1:
+  * Fixed default TTY modes that are set when stdin is not
+    connected to tty.
+  * Fixed zlib cleanup procedure, which could crash on i386.
+  * Various test fixes improving their stability.
+
+-------------------------------------------------------------------
+Fri Sep 13 07:41:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Set BuildArch: noarch for the config package as it only ships
+  configuration files.
+
+-------------------------------------------------------------------
+Fri Aug  9 07:46:28 UTC 2024 - Andreas Schneider <asn@cryptomilk.org>
+
+- Update to version 0.11.0
+  https://www.libssh.org/2024/08/08/libssh-0-11-0-release/
+- Updated 0001-disable-timeout-test-on-slow-buildsystems.patch
+- Removed libssh-fix-ipv6-hostname-regression.patch
+
 -------------------------------------------------------------------
 Fri Apr 12 08:46:41 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

libssh.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libssh
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,31 +19,35 @@
 %global flavor @BUILD_FLAVOR@%{nil}
 %if "%{flavor}" == "test"
 %define pkg_suffix -test
-%ifarch s390 s390x ppc64le
-  %define slow_test_system "ON"
-%else
-  %define slow_test_system "OFF"
-%endif
 %bcond_without test
 %else
 %define pkg_suffix %{nil}
 %bcond_with test
 %endif
+
+%if %{defined _distconfdir}
+%define _configdir %{_distconfdir}
+%else
+%define _configdir %{_sysconfdir}
+%endif
+
 Name:           libssh%{pkg_suffix}
-Version:        0.10.6
+Version:        0.11.3
 Release:        0
 Summary:        The SSH library
 License:        LGPL-2.1-or-later
 Group:          Development/Libraries/C and C++
 URL:            https://www.libssh.org
-Source0:        https://www.libssh.org/files/0.10/libssh-%{version}.tar.xz
-Source1:        https://www.libssh.org/files/0.10/libssh-%{version}.tar.xz.asc
-Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/libssh.keyring
+Source0:        https://www.libssh.org/files/0.11/libssh-%{version}.tar.xz
+Source1:        https://www.libssh.org/files/0.11/libssh-%{version}.tar.xz.asc
+Source2:        https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/libssh.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
 Source99:       baselibs.conf
-Patch0:         0001-disable-timeout-test-on-slow-buildsystems.patch
-Patch1:         https://gitlab.com/libssh/libssh-mirror/-/merge_requests/431.patch#/libssh-fix-ipv6-hostname-regression.patch
+# PATCH-FIX-UPSTREAM: libssh tries to read config from wrong crypto-policies location (bsc#1222716)
+Patch0:         libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
+# PATCH-FIX-SUSE: fix hang in torture_channel tests (bsc#1243799)
+Patch1:         libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  krb5-devel
@@ -88,6 +92,7 @@ confused with libssh2 available from https://www.libssh2.org (libssh2 package)
 %package config
 Summary:        SSH library configuration files
 Group:          Productivity/Networking/SSH
+BuildArch:      noarch
 
 %description config
 Configuration files for the SSH library.
@@ -95,7 +100,6 @@ Configuration files for the SSH library.
 %package devel
 Summary:        SSH library development headers
 Group:          Development/Libraries/C and C++
-Requires:       cmake
 Requires:       libssh4 = %{version}
 
 %description devel
@@ -109,7 +113,6 @@ Development headers for the SSH library.
     -DCMAKE_C_FLAGS:STRING="%{optflags} -DOPENSSL_LOAD_CONF" \
 %if %{with test}
     -DUNIT_TESTING="ON" \
-    -DSLOW_TEST_SYSTEM=%{slow_test_system} \
 %if 0%{?suse_version} > 1550
     -DCLIENT_TESTING=ON \
     -DSERVER_TESTING=ON \
@@ -117,26 +120,29 @@ Development headers for the SSH library.
 %endif
     -DWITH_GSSAPI=ON \
     -DWITH_EXAMPLES="OFF" \
+%if %{defined _distconfdir}
+    -DWITH_HERMETIC_USR=ON \
+%endif
     -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
     -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
 
-make %{?_smp_mflags}
+%make_build
 
 %install
 %if !%{with test}
 %cmake_install
 
-install -d -m755 %{buildroot}%{_sysconfdir}/libssh
-install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
-install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
+install -d -m755 %{buildroot}%{_configdir}/libssh
+install -m644 %{SOURCE3} %{buildroot}%{_configdir}/libssh/libssh_client.config
+install -m644 %{SOURCE4} %{buildroot}%{_configdir}/libssh/libssh_server.config
 
 # Fix incorrect include path, (boo#1211718).
 %if 0%{?suse_version} > 1600
-sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
-sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
+sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_configdir}/libssh/libssh_client.config
+sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_configdir}/libssh/libssh_server.config
 # Don't change the path for crypto-policies libssh.config (bsc#1222716)
-sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
-sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
+sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot}%{_configdir}/libssh/libssh_client.config
+sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot}%{_configdir}/libssh/libssh_server.config
 %endif
 
 %endif
@@ -157,14 +163,30 @@ sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot
 %{_libdir}/libssh.so.*
 
 %files config
-%dir %{_sysconfdir}/libssh
-%config(noreplace) %{_sysconfdir}/libssh/libssh_client.config
-%config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
+%dir %{_configdir}/libssh
+%if %{defined _distconfdir}
+%{_configdir}/libssh/libssh_client.config
+%{_configdir}/libssh/libssh_server.config
+%else
+%config(noreplace) %{_configdir}/libssh/libssh_client.config
+%config(noreplace) %{_configdir}/libssh/libssh_server.config
+%endif
+
+%if %{defined _distconfdir}
+%pre config
+test -f /etc/libssh/libssh_server.config.rpmsave && mv -v /etc/libssh/libssh_server.config.rpmsave /etc/libssh/libssh_server.config.rpmsave.old ||:
+test -f /etc/libssh/libssh_client.config.rpmsave && mv -v /etc/libssh/libssh_client.config.rpmsave /etc/libssh/libssh_client.config.rpmsave.old ||:
+
+%posttrans config
+test -f /etc/libssh/libssh_server.config.rpmsave && mv -v /etc/libssh/libssh_server.config.rpmsave /etc/libssh/libssh_server.config ||:
+test -f /etc/libssh/libssh_client.config.rpmsave && mv -v /etc/libssh/libssh_client.config.rpmsave /etc/libssh/libssh_client.config ||:
+%endif
 
 %files devel
 %{_includedir}/libssh
 %{_libdir}/libssh.so
 %{_libdir}/pkgconfig/libssh.pc
+%dir %{_libdir}/cmake
 %dir %{_libdir}/cmake/libssh
 %{_libdir}/cmake/libssh/libssh-config.cmake
 %{_libdir}/cmake/libssh/libssh-config-relwithdebinfo.cmake