Security update for libssh2_org (moderate)

An update that fixes 10 vulnerabilities is now available.

Description:

This update for libssh2_org fixes the following issues:

• Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922] Enhancements and
  bugfixes:

  • adds ECDSA keys and host key support when using OpenSSL
  • adds ED25519 key and host key support when using OpenSSL 1.1.1
  • adds OpenSSH style key file reading
  • adds AES CTR mode support when using WinCNG
  • adds PEM passphrase protected file support for Libgcrypt and WinCNG
  • adds SHA256 hostkey fingerprint
  • adds libssh2_agent_get_identity_path() and
    libssh2_agent_set_identity_path()
  • adds explicit zeroing of sensitive data in memory
  • adds additional bounds checks to network buffer reads
  • adds the ability to use the server default permissions when creating
    sftp directories
  • adds support for building with OpenSSL no engine flag
  • adds support for building with LibreSSL
  • increased sftp packet size to 256k
  • fixed oversized packet handling in sftp
  • fixed building with OpenSSL 1.1
  • fixed a possible crash if sftp stat gets an unexpected response
  • fixed incorrect parsing of the KEX preference string value
  • fixed conditional RSA and AES-CTR support
  • fixed a small memory leak during the key exchange process
  • fixed a possible memory leak of the ssh banner string
  • fixed various small memory leaks in the backends
  • fixed possible out of bounds read when parsing public keys from the
    server
  • fixed possible out of bounds read when parsing invalid PEM files
  • no longer null terminates the scp remote exec command
  • now handle errors when diffie hellman key pair generation fails
  • improved building instructions
  • improved unit tests

• Version update to 1.8.2: [bsc#1130103] Bug fixes:

  • Fixed the misapplied userauth patch that broke 1.8.1
  • moved the MAX size declarations from the public header This update
    was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.1:

  zypper in -t patch openSUSE-2020-2126=1