"""
This is a security release of libssh to address the following security issues:

* CVE-2025-4877 – Write beyond bounds in binary to base64 conversion functions
* CVE-2025-4878 – Use of uninitialized variable in privatekey_from_file()
* CVE-2025-5318 – Likely read beyond bounds in sftp server handle management
* CVE-2025-5351 – Double free in functions exporting keys
* CVE-2025-5372 – ssh_kdf() returns a success code on certain failures
* CVE-2025-5449 – Likely read beyond bounds in sftp server message decoding
* CVE-2025-5987 – Invalid return code for chacha20 poly1305 with OpenSSL backend
"""
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ad83a84728ca9719c46198f3e911fb678b1f230

commit 1ad83a84728ca9719c46198f3e911fb678b1f230
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-06-26 02:12:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-06-26 02:12:52 +0000

    net-libs/libssh: add 0.11.2, use dot-a.eclass for LTO static libs

    There are two upstream commits to improve test timeouts:
    * 1d157c57a3c8a34abbbff96266687101ecf246e4
    * 747dd17e64141d4875f2616f3e520ee3245b8b7b

    I'm not going to drop our timeout increases and such now as this
    is a security bump and we don't want to jeopardise stabilisation
    being held up by avoidable test failures.

    Bug: https://bugs.gentoo.org/959101
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libssh/Manifest             |   1 +
 net-libs/libssh/libssh-0.11.2.ebuild | 144 +++++++++++++++++++++++++++++++++++
 net-libs/libssh/libssh-9999.ebuild   |  13 +++-
 3 files changed, 155 insertions(+), 3 deletions(-)