Unverified Commit cd6f679a by Edward Thomson Committed by GitHub

Merge pull request #6449 from libgit2/1.4_ssh

ssh: perform host key checking by default
parents 3b7d756c ddf3d295
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
cmake_minimum_required(VERSION 3.5.1) cmake_minimum_required(VERSION 3.5.1)
project(libgit2 VERSION "1.4.4" LANGUAGES C) project(libgit2 VERSION "1.4.5" LANGUAGES C)
# Add find modules to the path # Add find modules to the path
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake") set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")
......
...@@ -144,6 +144,11 @@ if [ -z "$SKIP_SSH_TESTS" ]; then ...@@ -144,6 +144,11 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts" echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts"
done <"${SSHD_DIR}/id_rsa.pub" done <"${SSHD_DIR}/id_rsa.pub"
# Append the github.com keys for the tests that don't override checks.
# We ask for ssh-rsa to test that the selection based off of known_hosts
# is working.
ssh-keyscan -t ssh-rsa github.com >>"${HOME}/.ssh/known_hosts"
# Get the fingerprint for localhost and remove the colons so we can # Get the fingerprint for localhost and remove the colons so we can
# parse it as a hex number. Older versions have a different output # parse it as a hex number. Older versions have a different output
# format. # format.
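Review bot: The added `ssh-keyscan -t ssh-rsa github.com` line appends whatever key the network returns at CI time, so the host key checking this release enables by default is exercised against a key that was itself never authenticated. Pinning GitHub's published ssh-rsa host key in the script would make the check meaningful, e.g. `echo "github.com ssh-rsa <pinned github.com ssh-rsa key>" >>"${HOME}/.ssh/known_hosts"`; alternatively, compare the scanned key's fingerprint against a pinned value before appending. A scan that returns nothing would also go unnoticed here unless the script checks for it elsewhere, and would show up later as an unrelated-looking clone failure. The enclosing `if [ -z "$SKIP_SSH_TESTS" ]` block starts and ends outside the hunk.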
......
v1.4.5
------
🔒 This is a security release to address CVE-2023-22742: when compiled using the optional, included libssh2 backend, libgit2 fails to verify SSH keys by default.
When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.
The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.
All users of the v1.4 release line are recommended to upgrade.
v1.4.4 v1.4.4
------ ------
......
...@@ -7,10 +7,10 @@ ...@@ -7,10 +7,10 @@
#ifndef INCLUDE_git_version_h__ #ifndef INCLUDE_git_version_h__
#define INCLUDE_git_version_h__ #define INCLUDE_git_version_h__
#define LIBGIT2_VERSION "1.4.4" #define LIBGIT2_VERSION "1.4.5"
#define LIBGIT2_VER_MAJOR 1 #define LIBGIT2_VER_MAJOR 1
#define LIBGIT2_VER_MINOR 4 #define LIBGIT2_VER_MINOR 4
#define LIBGIT2_VER_REVISION 4 #define LIBGIT2_VER_REVISION 5
#define LIBGIT2_VER_PATCH 0 #define LIBGIT2_VER_PATCH 0
#define LIBGIT2_SOVERSION "1.4" #define LIBGIT2_SOVERSION "1.4"
......
{ {
"name": "libgit2", "name": "libgit2",
"version": "1.4.4", "version": "1.4.5",
"repo": "https://github.com/libgit2/libgit2", "repo": "https://github.com/libgit2/libgit2",
"description": " A cross-platform, linkable library implementation of Git that you can use in your application.", "description": " A cross-platform, linkable library implementation of Git that you can use in your application.",
"install": "mkdir build && cd build && cmake .. && cmake --build ." "install": "mkdir build && cd build && cmake .. && cmake --build ."
......
...@@ -70,10 +70,10 @@ endfunction(ADD_CLAR_TEST) ...@@ -70,10 +70,10 @@ endfunction(ADD_CLAR_TEST)
add_clar_test(offline -v -xonline) add_clar_test(offline -v -xonline)
add_clar_test(invasive -v -score::ftruncate -sfilter::stream::bigfile -sodb::largefiles -siterator::workdir::filesystem_gunk -srepo::init -srepo::init::at_filesystem_root) add_clar_test(invasive -v -score::ftruncate -sfilter::stream::bigfile -sodb::largefiles -siterator::workdir::filesystem_gunk -srepo::init -srepo::init::at_filesystem_root)
add_clar_test(online -v -sonline -xonline::customcert) add_clar_test(online -v -sonline -xonline::customcert -xonline::clone::ssh_auth_methods)
add_clar_test(online_customcert -v -sonline::customcert) add_clar_test(online_customcert -v -sonline::customcert)
add_clar_test(gitdaemon -v -sonline::push) add_clar_test(gitdaemon -v -sonline::push)
add_clar_test(ssh -v -sonline::push -sonline::clone::ssh_cert -sonline::clone::ssh_with_paths -sonline::clone::path_whitespace_ssh) add_clar_test(ssh -v -sonline::push -sonline::clone::ssh_cert -sonline::clone::ssh_with_paths -sonline::clone::path_whitespace_ssh -sonline::clone::ssh_auth_methods)
add_clar_test(proxy -v -sonline::clone::proxy) add_clar_test(proxy -v -sonline::clone::proxy)
add_clar_test(auth_clone -v -sonline::clone::cred) add_clar_test(auth_clone -v -sonline::clone::cred)
add_clar_test(auth_clone_and_push -v -sonline::clone::push -sonline::push) add_clar_test(auth_clone_and_push -v -sonline::clone::push -sonline::push)
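Review bot: The two changed `add_clar_test` lines do not record why `online::clone::ssh_auth_methods` is excluded from the `online` suite and added to `ssh`. Presumably the test now needs the known_hosts entries that only the SSH CI setup writes, since host key checking is on by default. A short comment above the `online` line, such as `# ssh_auth_methods needs known_hosts populated; it runs in the ssh suite only`, would keep a later edit from re-adding it to `online`. It is worth confirming that when the SSH suite is skipped, this test no longer runs in any suite.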
......