This update for libssh fixes the following issues: Update to version 0.9.8 : * Fix CVE-2023-6004: Command injection using proxycommand * Fix CVE-2023-48795: Potential downgrade attack using strict kex * Fix CVE-2023-6918: Missing checks for return values of MD functions * Allow @ in usernames when parsing from URI composes Update to version 0.9.7 * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions * Fix several memory leaks in GSSAPI handling code Update to version 0.9.6 * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6 Update to version 0.9.5 : * CVE-2020-16135: Avoid null pointer dereference in sftpserver * Improve handling of library initialization * Fix parsing of subsecond times in SFTP * Make the documentation reproducible * Remove deprecated API usage in OpenSSL * Fix regression of ssh_channel_poll_timeout returning SSH_AGAIN * Define version in one place * Prevent invalid free when using different C runtimes than OpenSSL * Compatibility improvements to testsuite Update to version 0.9.4: * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security- release/ * Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 Update to version 0.9.3: * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state * SSH-01-006 General: Various unchecked Null-derefs cause DOS * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys * SSH-01-010 SSH: Deprecated hash function in fingerprinting * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access * SSH-01-001 State Machine: Initial machine states should be set explicitly * SSH-01-002 Kex: Differently bound macros used to iterate same array * SSH-01-005 Code-Quality: Integer sign confusion during assignments * SSH-01-008 SCP: Protocol Injection via unescaped File Names * SSH-01-009 SSH: Update documentation which RFCs are implemented * SSH-01-012 PKI: Information leak via uninitialized stack buffer Update to version 0.9.2: * Fixed libssh-config.cmake * Fixed issues with rsa algorithm negotiation * Fixed detection of OpenSSL ed25519 support Update to version 0.9.1: * Added support for Ed25519 via OpenSSL * Added support for X25519 via OpenSSL * Added support for localuser in Match keyword * Fixed Match keyword to be case sensitive * Fixed compilation with LibreSSL * Fixed error report of channel open * Fixed sftp documentation * Fixed known_hosts parsing * Fixed build issue with MinGW * Fixed build with gcc 9 * Fixed deprecation issues * Fixed known_hosts directory creation Update to verion 0.9.0: * Added support for AES-GCM * Added improved rekeying support * Added performance improvements * Disabled blowfish support by default * Fixed several ssh config parsing issues * Added support for DH Group Exchange KEX * Added support for Encrypt-then-MAC mode * Added support for parsing server side configuration file * Added support for ECDSA/Ed25519 certificates * Added FIPS 140-2 compatibility * Improved known_hosts parsing * Improved documentation * Improved OpenSSL API usage for KEX, DH, and signatures * Add libssh client and server config files