Fixes CVE-2018-10933: authentication bypass vulnerability in the server
code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in
place of the SSH2_MSG_USERAUTH_REQUEST message which the server would
expect to initiate authentication, the attacker could successfully
authenticate without any credentials.
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Drop an upstream patch.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop GNU glob detection patch; issue fixed upstream.
Add upstream patch that completes the build fix when GNU glob is not
present.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Also, require threads support. cmake detects threads support correctly, but
libssh build system uses this information incorrectly.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libssh2 and libssh both implement SSH and provide a library API for apps.
Both support SSH, SFTP, auth, channels etc. Both are 25K-30K lines of code.
[libssh2 vs libssh - A comparison]
http://www.libssh2.org/libssh2-vs-libssh.html
[Peter: add sha256 hash, fix typo in help text]
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
