Message ID | 20230209130229.3224043-1-chee.yang.lee@intel.com |
---|---|
State | New |
Series | [master,langdale] libgit2: upgrade to 1.5.1 |
Hello Lee Chee,

On Thu, 9 Feb 2023 21:02:29 +0800
"Lee Chee Yang" <chee.yang.lee@intel.com> wrote:

> From: Chee Yang Lee <chee.yang.lee@intel.com>
>
> This is a security release to address CVE-2023-22742: when compiled
> using the optional, included libssh2 backend, libgit2 fails to verify
> SSH keys by default.
>
> When using an SSH remote with the optional, included libssh2 backend,
> libgit2 does not perform certificate checking by default. Prior versions
> of libgit2 require the caller to set the `certificate_check` field of
> libgit2's `git_remote_callbacks` structure - if a certificate check
> callback is not set, libgit2 does not perform any certificate checking.
> This means that by default - without configuring a certificate check
> callback, clients will not perform validation on the server SSH keys and
> may be subject to a man-in-the-middle attack.
>
> Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>

A patch doing this same upgrade was sent yesterday by Alex Kanavin and is already in master.
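Caller-side mitigation for the behaviour the commit message describes, as an added example (not code from libgit2, the patch or this thread): a `certificate_check` callback that pins a SHA-256 host key fingerprint and fails closed. `check_host_key`, `pinned_cert_check` and `install_pinned_check` are hypothetical names, the callback assumes `payload` carries the 32-byte pinned fingerprint, and the libgit2 glue compiles only where `git2.h` is available.

```c
#include <stddef.h>
#include <string.h>

/* Constant-time comparison of two fingerprints of length n. */
static int fingerprint_matches(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Decision used by the callback: 0 = accept, -1 = reject. */
int check_host_key(const unsigned char *sha256, int have_sha256, const unsigned char *pinned)
{
    if (!have_sha256 || sha256 == NULL || pinned == NULL)
        return -1; /* no SHA-256 hash or no pin: fail closed */
    return fingerprint_matches(sha256, pinned, 32) ? 0 : -1;
}

#if defined(__has_include)
#if __has_include(<git2.h>)
#include <git2.h>
/* libgit2 glue; assumption: payload points at the 32-byte pinned fingerprint. */
static int pinned_cert_check(git_cert *cert, int valid, const char *host, void *payload)
{
    (void)valid; (void)host;
    if (cert == NULL || cert->cert_type != GIT_CERT_HOSTKEY_LIBSSH2)
        return -1; /* not an SSH host key: reject */
    git_cert_hostkey *key = (git_cert_hostkey *)cert;
    return check_host_key(key->hash_sha256, (key->type & GIT_CERT_SSH_SHA256) != 0,
                          (const unsigned char *)payload);
}

/* Set this on the callbacks structure before fetching or cloning over SSH. */
void install_pinned_check(git_remote_callbacks *cbs, unsigned char *pinned)
{
    cbs->certificate_check = pinned_cert_check;
    cbs->payload = pinned; /* payload is shared with the other callbacks */
}
#endif
#endif

int main(void)
{
    unsigned char pinned[32], seen[32];        /* constructed sample fingerprints */
    memset(pinned, 0xAB, 32); memset(seen, 0xAB, 32);
    int ok = check_host_key(seen, 1, pinned);  /* matching key is accepted */
    seen[0] ^= 1;                              /* a substituted key differs in one bit */
    return (ok == 0 && check_host_key(seen, 1, pinned) == -1) ? 0 : 1;
}
```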
diff --git a/meta/recipes-support/libgit2/libgit2_1.5.0.bb b/meta/recipes-support/libgit2/libgit2_1.5.1.bb similarity index 78% rename from meta/recipes-support/libgit2/libgit2_1.5.0.bb rename to meta/recipes-support/libgit2/libgit2_1.5.1.bb index ee4d79b11a..59866ce385 100644 --- a/meta/recipes-support/libgit2/libgit2_1.5.0.bb +++ b/meta/recipes-support/libgit2/libgit2_1.5.1.bb @@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=112e6bb421dea73cd41de09e777f2d2c" DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2" -SRC_URI = "git://github.com/libgit2/libgit2.git;branch=main;protocol=https" -SRCREV = "fbea439d4b6fc91c6b619d01b85ab3b7746e4c19" +SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.5;protocol=https" +SRCREV = "42e5db98b963ae503229c63e44e06e439df50e56" S = "${WORKDIR}/git"
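Review bot: The `SRC_URI` line switches the fetch branch from `main` to `maint/v1.5`, but the commit message only covers CVE-2023-22742 and says nothing about the branch change; add a sentence stating that the 1.5.1 revision is taken from the maintenance branch, so a later upgrade knows to revisit `branch=`. The new `SRCREV` is a bare hash with nothing in the recipe or the message tying it to the v1.5.1 tag; naming the tag it corresponds to in the commit message would let a reviewer confirm the pin.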