* [patch][master][langdale] libgit2: upgrade to 1.5.1
@ 2023-02-09 13:02 chee.yang.lee
2023-02-09 21:32 ` [OE-core] " Luca Ceresoli
0 siblings, 1 reply; 2+ messages in thread
From: chee.yang.lee @ 2023-02-09 13:02 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
This is a security release to address CVE-2023-22742: when compiled
using the optional, included libssh2 backend, libgit2 fails to verify
SSH keys by default.
When using an SSH remote with the optional, included libssh2 backend,
libgit2 does not perform certificate checking by default. Prior versions
of libgit2 require the caller to set the `certificate_check` field of
libgit2's `git_remote_callbacks` structure - if a certificate check
callback is not set, libgit2 does not perform any certificate checking.
This means that by default - without configuring a certificate check
callback, clients will not perform validation on the server SSH keys and
may be subject to a man-in-the-middle attack.
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
.../libgit2/{libgit2_1.5.0.bb => libgit2_1.5.1.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-support/libgit2/{libgit2_1.5.0.bb => libgit2_1.5.1.bb} (78%)
diff --git a/meta/recipes-support/libgit2/libgit2_1.5.0.bb b/meta/recipes-support/libgit2/libgit2_1.5.1.bb
similarity index 78%
rename from meta/recipes-support/libgit2/libgit2_1.5.0.bb
rename to meta/recipes-support/libgit2/libgit2_1.5.1.bb
index ee4d79b11a..59866ce385 100644
--- a/meta/recipes-support/libgit2/libgit2_1.5.0.bb
+++ b/meta/recipes-support/libgit2/libgit2_1.5.1.bb
@@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=112e6bb421dea73cd41de09e777f2d2c"
DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2"
-SRC_URI = "git://github.com/libgit2/libgit2.git;branch=main;protocol=https"
-SRCREV = "fbea439d4b6fc91c6b619d01b85ab3b7746e4c19"
+SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.5;protocol=https"
+SRCREV = "42e5db98b963ae503229c63e44e06e439df50e56"
S = "${WORKDIR}/git"
--
2.37.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-core] [patch][master][langdale] libgit2: upgrade to 1.5.1
2023-02-09 13:02 [patch][master][langdale] libgit2: upgrade to 1.5.1 chee.yang.lee
@ 2023-02-09 21:32 ` Luca Ceresoli
0 siblings, 0 replies; 2+ messages in thread
From: Luca Ceresoli @ 2023-02-09 21:32 UTC (permalink / raw)
To: Lee Chee Yang; +Cc: openembedded-core
Hello Lee Chee,
On Thu, 9 Feb 2023 21:02:29 +0800
"Lee Chee Yang" <chee.yang.lee@intel.com> wrote:
> From: Chee Yang Lee <chee.yang.lee@intel.com>
>
> This is a security release to address CVE-2023-22742: when compiled
> using the optional, included libssh2 backend, libgit2 fails to verify
> SSH keys by default.
>
> When using an SSH remote with the optional, included libssh2 backend,
> libgit2 does not perform certificate checking by default. Prior versions
> of libgit2 require the caller to set the `certificate_check` field of
> libgit2's `git_remote_callbacks` structure - if a certificate check
> callback is not set, libgit2 does not perform any certificate checking.
> This means that by default - without configuring a certificate check
> callback, clients will not perform validation on the server SSH keys and
> may be subject to a man-in-the-middle attack.
>
> Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
A patch doing this same upgrade has been sent yesterday by Alex Kanavin
and is already in master.
--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-02-09 21:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-09 13:02 [patch][master][langdale] libgit2: upgrade to 1.5.1 chee.yang.lee
2023-02-09 21:32 ` [OE-core] " Luca Ceresoli
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.