Update to Factory level

- Update to version 0.11.2
  * Security:
    * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion (bsc#1245309)
    * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
    * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management (bsc#1245311)
    * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312)
    * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures (bsc#1245314)
    * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding (bsc#1245316)
    * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL (bsc#1245317)
  * Compatibility
    * Fixed compatibility with CPM.cmake
    * Compatibility with OpenSSH 10.0
    * Tests compatibility with new Dropbear releases
    * Removed p11-kit remoting from the pkcs11 testsuite
  * Bugfixes
    * Implement missing packet filter for DH GEX
    * Properly process the SSH2_MSG_DEBUG message
    * Allow escaping quotes in quoted arguments to ssh configuration
    * Do not fail with unknown match keywords in ssh configuration
    * Process packets before selecting signature algorithm during authentication
    * Do not fail hard when the SFTP status message is not sent by noncompliant
      servers
- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch

OBS-URL: https://build.opensuse.org/request/show/1288631
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libssh?expand=0&rev=79

libssh-0.11.2.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmhaqdkACgkQA9XfjP3T
-6Oe5xA/+LkbLEPKgNRKMFbXZX2UIyotnFUbZ2o0bujswAxGPqY2paYDHuA5njjKD
-b9I7WGKstrlywyDr3c+fBSak4uRkLgV7vb6GfjSTXwUoqCwXkUqjVMSO58iSnblZ
-gjuRglsL0dgTd6jF+LCGqD5JMDNk2spvK0xD/8i53MCqaLv2ysevR1Q2osaw8Hca
-AM3kHoCRK1TR2gDMLDoX9zSh0UrbHj7o5yG7KBTFoXJsJeR6OtTir72RVTuro8v7
-8rT1nWbEcgIk/W9+5k7fVuIZc7w1wHqkX8Rj3aubKsLLPPRRJ0Yy7eCRJ26i3d5J
-51NlmkjrXzmAVd80DOfcd8Ux4I3p85QFXqkgd3J5TgzeV1r0/xJ0Qer612pSPTXq
-7UPZmyD914ak0EUdiBmud9OIKNmS+szAW2gAtz3Es59aK3LrLO/wgSi09Jq0wqfZ
-yyvG4/a9dkHaNk0+cSy5YsL0truGCoIPYfKe5ESy5OdzYSYbCdymS8cQRVH3t0is
-inVV5PbfymbPtscYAliTOMhSYL6VktRBOf5kFA/8EG4+SPI6ingTecc0GqOMPhVu
-gYuj6G+bmschKkhHcMpbkmo7HN+sDBpdOWyPqs68RvytNWjng0x5jAFdDvA/I/6b
-ZNmiDlTUfTgsNqBLMNkQ+cx+mRzpp4L87Xvm4ZQhDl3MwxvY048=
-=aw47
------END PGP SIGNATURE-----

libssh-0.11.4.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmmK/70ACgkQA9XfjP3T
+6Od1yQ/9Gw+gAhVkj5ibOVLHrqngOEg85acL7PRpaOsCn/1ZKMXXLCVmgPM7Yxvc
+sZmkXufMCj+EEJgDayccbfj90DLl6iEl0+u+jGlR7Ck8Sy8BcA/T9xk+fD0S5mKF
+3VmgrdmdChyAKU94SzBNjhWxktbWHuPZhW7gwM8tLn3iuj7eIiCpqRjpUpNji2Bt
+0ZnHo8QT1Y7SnqTOZcPhEPJRVINwN4n1pqIQQKL8PVa+Ewk4xbQVLOThQljqJ8PR
+Fe6Te89rtpfD9Mauta4ME1gbFCzgfTen4qlZl28yPm/Yd07biwScVZHdk4m9Jtpn
+hcX74AMesfz0S9GAUlALjSedhMT6lq31L2DzdMiGekhkXQcosxykC6g+KJFhZrfY
+T8JwxzXadGBb1CXBz18rgl+EZfBiTWLZ7Z88DNvbcZIWeW8q7ZqX+yJRT8RZiUHU
+GBy/R5M0LBKPJtBRh0SmaNNBYsgej3ExyqUbMabpXyQRfk52MUNYxjUwiVZrgKj6
+z4vxEo0NtsrA4Uy6en/qZls+KzvmfB63XfccIlcfeUuEPFrS0RwPprTOidPwK934
+h6wyWC479xevYE3boGWDI/3CyBcnX8PpXPy3yjPjxGgSjKIJYJ9Y64C9figXFf9l
+AEzIao4x0tHPiDRoUfxfPd2POAQhZxgMvyTWqYhCgz8QgUFzV3Q=
+=KKhf
+-----END PGP SIGNATURE-----

libssh-cmake-Add-option-WITH_HERMETIC_USR.patch

@@ -1,347 +0,0 @@
-From d88dbc1e0fa6dab2de359f211792c0b5c3ec7664 Mon Sep 17 00:00:00 2001
-From: Lucas Mulling <lucas.mulling@suse.com>
-Date: Mon, 17 Feb 2025 14:13:53 -0300
-Subject: [PATCH] cmake: Add option WITH_HERMETIC_USR
-
-Add a cmake option to enable hermetic-usr, i.e., use of config files in /usr/.
-If turned on, GLOBAL_*_CONFIG is prepended with /usr/ and defined as
-USR_GLOBAL_*_CONFIG. Config lookup follows this path GLOBAL_*_CONFIG ->
-USR_GLOBAL_*_CONFIG.
-
-Introduce a ssh_config_parse primitive. This avoids convoluted checks for file
-presence (without modifing the behaviour of ssh_config_parse_file) and allows
-marking whether the config is global at the call site.
-
-Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
-Reviewed-by: Jakub Jelen <jjelen@redhat.com>
----
- CMakeLists.txt           |   8 ++-
- DefineOptions.cmake      |   6 +++
- config.h.cmake           |   2 +
- include/libssh/libssh.h  |   3 +-
- include/libssh/options.h |   1 +
- src/config.c             |  56 ++++++++++++++-------
- src/options.c            | 106 ++++++++++++++++++++++++---------------
- 7 files changed, 122 insertions(+), 60 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 9877cd70..9a4ea9e3 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -249,9 +249,15 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}")
- message(STATUS "Symbol versioning: ${WITH_SYMBOL_VERSIONING}")
- message(STATUS "Allow ABI break: ${WITH_ABI_BREAK}")
- message(STATUS "Release is final: ${WITH_FINAL}")
-+if (WITH_HERMETIC_USR)
-+    message(STATUS "User global client config: ${USR_GLOBAL_CLIENT_CONFIG}")
-+endif ()
- message(STATUS "Global client config: ${GLOBAL_CLIENT_CONFIG}")
- if (WITH_SERVER)
--message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
-+    if (WITH_HERMETIC_USR)
-+        message(STATUS "User global bind config: ${USR_GLOBAL_BIND_CONFIG}")
-+    endif ()
-+    message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
- endif()
- message(STATUS "********************************************")
- 
-diff --git a/DefineOptions.cmake b/DefineOptions.cmake
-index f1a6a244..91bb96db 100644
---- a/DefineOptions.cmake
-+++ b/DefineOptions.cmake
-@@ -27,6 +27,7 @@ option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not s
- option(WITH_EXEC "Enable libssh to execute arbitrary commands from configuration files or options (match exec, proxy commands and OpenSSH-based proxy-jumps)." ON)
- option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
- option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
-+option(WITH_HERMETIC_USR "Build with support for hermetic /usr/" OFF)
- 
- if (WITH_ZLIB)
-     set(WITH_LIBZ ON)
-@@ -59,6 +60,11 @@ if (NOT GLOBAL_CLIENT_CONFIG)
-   set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
- endif (NOT GLOBAL_CLIENT_CONFIG)
- 
-+if (WITH_HERMETIC_USR)
-+  set(USR_GLOBAL_BIND_CONFIG "/usr${GLOBAL_BIND_CONFIG}")
-+  set(USR_GLOBAL_CLIENT_CONFIG "/usr${GLOBAL_CLIENT_CONFIG}")
-+endif (WITH_HERMETIC_USR)
-+
- if (FUZZ_TESTING)
-   set(WITH_INSECURE_NONE ON)
- endif (FUZZ_TESTING)
-diff --git a/config.h.cmake b/config.h.cmake
-index 8dce5273..b61ce1db 100644
---- a/config.h.cmake
-+++ b/config.h.cmake
-@@ -9,9 +9,11 @@
- #cmakedefine SOURCEDIR "${SOURCEDIR}"
- 
- /* Global bind configuration file path */
-+#cmakedefine USR_GLOBAL_BIND_CONFIG "${USR_GLOBAL_BIND_CONFIG}"
- #cmakedefine GLOBAL_BIND_CONFIG "${GLOBAL_BIND_CONFIG}"
- 
- /* Global client configuration file path */
-+#cmakedefine USR_GLOBAL_CLIENT_CONFIG "${USR_GLOBAL_CLIENT_CONFIG}"
- #cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}"
- 
- /************************** HEADER FILES *************************/
-diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
-index 3bddb019..28fe7396 100644
---- a/include/libssh/libssh.h
-+++ b/include/libssh/libssh.h
-@@ -49,9 +49,10 @@
-   #endif
- #endif
- 
-+#include <inttypes.h>
- #include <stdarg.h>
-+#include <stdbool.h>
- #include <stdint.h>
--#include <inttypes.h>
- 
- #ifdef _MSC_VER
-   typedef int mode_t;
-diff --git a/include/libssh/options.h b/include/libssh/options.h
-index d32e1589..63b207fa 100644
---- a/include/libssh/options.h
-+++ b/include/libssh/options.h
-@@ -25,6 +25,7 @@
- extern "C" {
- #endif
- 
-+int ssh_config_parse(ssh_session session, FILE *fp, bool global);
- int ssh_config_parse_file(ssh_session session, const char *filename);
- int ssh_config_parse_string(ssh_session session, const char *input);
- int ssh_options_set_algo(ssh_session session,
-diff --git a/src/config.c b/src/config.c
-index b4171efd..611c0349 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -1451,45 +1451,67 @@ ssh_config_parse_line(ssh_session session,
-   return 0;
- }
- 
--/* @brief Parse configuration file and set the options to the given session
-+/* @brief Parse configuration from a file pointer
-  *
-  * @params[in] session   The ssh session
-- * @params[in] filename  The path to the ssh configuration file
-+ * @params[in] fp        A valid file pointer
-+ * @params[in] global    Whether the config is global or not
-  *
-  * @returns    0 on successful parsing the configuration file, -1 on error
-  */
--int ssh_config_parse_file(ssh_session session, const char *filename)
-+int ssh_config_parse(ssh_session session, FILE *fp, bool global)
- {
-     char line[MAX_LINE_SIZE] = {0};
-     unsigned int count = 0;
--    FILE *f = NULL;
-     int parsing, rv;
-+
-+    parsing = 1;
-+    while (fgets(line, sizeof(line), fp)) {
-+        count++;
-+        rv = ssh_config_parse_line(session, line, count, &parsing, 0, global);
-+        if (rv < 0) {
-+            return -1;
-+        }
-+    }
-+
-+    return 0;
-+}
-+
-+/* @brief Parse configuration file and set the options to the given session
-+ *
-+ * @params[in] session   The ssh session
-+ * @params[in] filename  The path to the ssh configuration file
-+ *
-+ * @returns    0 on successful parsing the configuration file, -1 on error
-+ */
-+int ssh_config_parse_file(ssh_session session, const char *filename)
-+{
-+    FILE *fp = NULL;
-+    int rv;
-     bool global = 0;
- 
--    f = fopen(filename, "r");
--    if (f == NULL) {
-+    fp = fopen(filename, "r");
-+    if (fp == NULL) {
-         return 0;
-     }
- 
-     rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
-+#ifdef USR_GLOBAL_CLIENT_CONFIG
-+    if (rv != 0) {
-+        rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG);
-+    }
-+#endif
-+
-     if (rv == 0) {
-         global = true;
-     }
- 
-     SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", filename);
- 
--    parsing = 1;
--    while (fgets(line, sizeof(line), f)) {
--        count++;
--        rv = ssh_config_parse_line(session, line, count, &parsing, 0, global);
--        if (rv < 0) {
--            fclose(f);
--            return -1;
--        }
--    }
-+    rv = ssh_config_parse(session, fp, global);
- 
--    fclose(f);
--    return 0;
-+    fclose(fp);
-+    return rv;
- }
- 
- /* @brief Parse configuration string and set the options to the given session
-diff --git a/src/options.c b/src/options.c
-index 785296dd..6a72e0e2 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -26,6 +26,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <unistd.h>
- #ifndef _WIN32
- #include <pwd.h>
- #else
-@@ -1814,6 +1815,8 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
-  *
-  * @param  filename     The options file to use, if NULL the default
-  *                      ~/.ssh/config and /etc/ssh/ssh_config will be used.
-+ *                      If complied with support for hermetic-usr,
-+ *                      /usr/etc/ssh/ssh_config will be used last.
-  *
-  * @return 0 on success, < 0 on error.
-  *
-@@ -1821,48 +1824,63 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
-  */
- int ssh_options_parse_config(ssh_session session, const char *filename)
- {
--  char *expanded_filename = NULL;
--  int r;
-+    char *expanded_filename = NULL;
-+    int r;
-+    FILE *fp = NULL;
- 
--  if (session == NULL) {
--    return -1;
--  }
--  if (session->opts.host == NULL) {
--    ssh_set_error_invalid(session);
--    return -1;
--  }
--
--  if (session->opts.sshdir == NULL) {
--      r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
--      if (r < 0) {
--          ssh_set_error_oom(session);
--          return -1;
--      }
--  }
--
--  /* set default filename */
--  if (filename == NULL) {
--    expanded_filename = ssh_path_expand_escape(session, "%d/config");
--  } else {
--    expanded_filename = ssh_path_expand_escape(session, filename);
--  }
--  if (expanded_filename == NULL) {
--    return -1;
--  }
--
--  r = ssh_config_parse_file(session, expanded_filename);
--  if (r < 0) {
--      goto out;
--  }
--  if (filename == NULL) {
--      r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
--  }
--
--  /* Do not process the default configuration as part of connection again */
--  session->opts.config_processed = true;
-+    if (session == NULL) {
-+        return -1;
-+    }
-+    if (session->opts.host == NULL) {
-+        ssh_set_error_invalid(session);
-+        return -1;
-+    }
-+
-+    if (session->opts.sshdir == NULL) {
-+        r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
-+        if (r < 0) {
-+            ssh_set_error_oom(session);
-+            return -1;
-+        }
-+    }
-+
-+    /* set default filename */
-+    if (filename == NULL) {
-+        expanded_filename = ssh_path_expand_escape(session, "%d/config");
-+    } else {
-+        expanded_filename = ssh_path_expand_escape(session, filename);
-+    }
-+    if (expanded_filename == NULL) {
-+        return -1;
-+    }
-+
-+    r = ssh_config_parse_file(session, expanded_filename);
-+    if (r < 0) {
-+        goto out;
-+    }
-+    if (filename == NULL) {
-+        if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
-+            filename = GLOBAL_CLIENT_CONFIG;
-+#ifdef USR_GLOBAL_CLIENT_CONFIG
-+        } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
-+            filename = USR_GLOBAL_CLIENT_CONFIG;
-+#endif
-+        }
-+
-+        if (fp) {
-+            SSH_LOG(SSH_LOG_PACKET,
-+                    "Reading configuration data from %s",
-+                    filename);
-+            r = ssh_config_parse(session, fp, true);
-+            fclose(fp);
-+        }
-+    }
-+
-+    /* Do not process the default configuration as part of connection again */
-+    session->opts.config_processed = true;
- out:
--  free(expanded_filename);
--  return r;
-+    free(expanded_filename);
-+    return r;
- }
- 
- int ssh_options_apply(ssh_session session)
-@@ -2706,7 +2724,13 @@ int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename)
-     /* If the global default configuration hasn't been processed yet, process it
-      * before the provided configuration. */
-     if (!(sshbind->config_processed)) {
--        rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
-+        if (access(GLOBAL_BIND_CONFIG, F_OK) == 0) {
-+            rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
-+#ifdef USR_GLOBAL_BIND_CONFIG
-+        } else {
-+            rc = ssh_bind_config_parse_file(sshbind, USR_GLOBAL_BIND_CONFIG);
-+#endif
-+        }
-         if (rc != 0) {
-             return rc;
-         }
--- 
-2.50.0
-

libssh.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Wed Feb 11 11:28:10 UTC 2026 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 0.11.4:
+  * Security fixes:
+    - CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
+      (bsc#1258049)
+    - CVE-2026-0965: Possible Denial of Service when parsing unexpected
+      configuration files (bsc#1258045)
+    - CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
+      (bsc#1258054)
+    - CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
+    - CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
+    - libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP extensions
+  * Other fixes:
+    - Stability and compatibility improvements of ProxyJump
+  * Remove patch upstream: libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
+
+-------------------------------------------------------------------
+Tue Sep  9 15:19:24 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Update to 0.11.3
+  * Security:
+    * CVE-2025-8114: Fix NULL pointer dereference after allocation failure (bsc#1246974)
+    * CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX (bsc#1249375)
+    * Potential UAF when send() fails during key exchange
+  * Bugfixes:
+    * Fix possible timeout during KEX if client sends authentication too early
+    * Cleanup OpenSSL PKCS#11 provider when loaded
+    * Zeroize buffers containing private key blobs during export
+
 -------------------------------------------------------------------
 Tue Jun 24 14:36:44 UTC 2025 - Andreas Schneider <asn@cryptomilk.org>
 

libssh.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libssh
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,7 @@
 %endif
 
 Name:           libssh%{pkg_suffix}
-Version:        0.11.2
+Version:        0.11.4
 Release:        0
 Summary:        The SSH library
 License:        LGPL-2.1-or-later
@@ -44,8 +44,6 @@ Source2:        https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_or
 Source3:        libssh_client.config
 Source4:        libssh_server.config
 Source99:       baselibs.conf
-# PATCH-FIX-UPSTREAM: libssh tries to read config from wrong crypto-policies location (bsc#1222716)
-Patch0:         libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
 # PATCH-FIX-SUSE: fix hang in torture_channel tests (bsc#1243799)
 Patch1:         libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
 BuildRequires:  cmake