Merge pull request #6449 from libgit2/1.4_ssh

ssh: perform host key checking by default

CMakeLists.txt

@@ -3,7 +3,7 @@
 
 cmake_minimum_required(VERSION 3.5.1)
 
-project(libgit2 VERSION "1.4.4" LANGUAGES C)
+project(libgit2 VERSION "1.4.5" LANGUAGES C)
 
 # Add find modules to the path
 set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")

ci/test.sh

@@ -144,6 +144,11 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 		echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts"
 	done <"${SSHD_DIR}/id_rsa.pub"
 
+	# Append the github.com keys for the tests that don't override checks.
+	# We ask for ssh-rsa to test that the selection based off of known_hosts
+	# is working.
+	ssh-keyscan -t ssh-rsa github.com >>"${HOME}/.ssh/known_hosts"
+
 	# Get the fingerprint for localhost and remove the colons so we can
 	# parse it as a hex number. Older versions have a different output
 	# format.

docs/changelog.md

+v1.4.5
+------
+
+🔒 This is a security release to address CVE-2023-22742: when compiled using the optional, included libssh2 backend, libgit2 fails to verify SSH keys by default.
+
+When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.
+
+The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.
+
+All users of the v1.4 release line are recommended to upgrade.
+
 v1.4.4
 ------
 

include/git2/version.h

@@ -7,10 +7,10 @@
 #ifndef INCLUDE_git_version_h__
 #define INCLUDE_git_version_h__
 
-#define LIBGIT2_VERSION "1.4.4"
+#define LIBGIT2_VERSION "1.4.5"
 #define LIBGIT2_VER_MAJOR 1
 #define LIBGIT2_VER_MINOR 4
-#define LIBGIT2_VER_REVISION 4
+#define LIBGIT2_VER_REVISION 5
 #define LIBGIT2_VER_PATCH 0
 
 #define LIBGIT2_SOVERSION "1.4"

package.json

 {
   "name": "libgit2",
-  "version": "1.4.4",
+  "version": "1.4.5",
   "repo": "https://github.com/libgit2/libgit2",
   "description": " A cross-platform, linkable library implementation of Git that you can use in your application.",
   "install": "mkdir build && cd build && cmake .. && cmake --build ."

tests/CMakeLists.txt

@@ -70,10 +70,10 @@ endfunction(ADD_CLAR_TEST)
 
 add_clar_test(offline             -v -xonline)
 add_clar_test(invasive            -v -score::ftruncate -sfilter::stream::bigfile -sodb::largefiles -siterator::workdir::filesystem_gunk -srepo::init -srepo::init::at_filesystem_root)
-add_clar_test(online              -v -sonline -xonline::customcert)
+add_clar_test(online              -v -sonline -xonline::customcert -xonline::clone::ssh_auth_methods)
 add_clar_test(online_customcert   -v -sonline::customcert)
 add_clar_test(gitdaemon           -v -sonline::push)
-add_clar_test(ssh                 -v -sonline::push -sonline::clone::ssh_cert -sonline::clone::ssh_with_paths -sonline::clone::path_whitespace_ssh)
+add_clar_test(ssh                 -v -sonline::push -sonline::clone::ssh_cert -sonline::clone::ssh_with_paths -sonline::clone::path_whitespace_ssh -sonline::clone::ssh_auth_methods)
 add_clar_test(proxy               -v -sonline::clone::proxy)
 add_clar_test(auth_clone          -v -sonline::clone::cred)
 add_clar_test(auth_clone_and_push -v -sonline::clone::push -sonline::push)