Here is my 3rd take on fixing CVE-2016-0739 (libssh) and CVE-2016-0787 (libssh2).
Changes: I "backported" [0] the libssh upstream patch to the old version of libssh that we must keep around for guile-ssh. I cleaned up the commit messages. I added a comment to the curl package explaining the temporary dependency on the old, vulnerable libssh2-1.4.

[0] Debian did the same, applying the patch to libssh-0.6.3 without any changes. We apply it to libssh-0.6.5 without any changes.

Leo Famulari (2):
  gnu: libssh2: Update to 1.7.0 [fixes CVE-2016-0787].
  gnu: libssh: Update to 0.7.3 [fixes CVE-2016-0739].

 gnu-system.am                                      |  2 +-
 gnu/packages/curl.scm                              | 11 ++-
 .../patches/libssh-0.6.5-CVE-2016-0739.patch       | 77 +++++++++++++++++++
 gnu/packages/patches/libssh-CVE-2014-0017.patch    | 89 ----------------------
 gnu/packages/ssh.scm                               | 50 ++++++++----
 5 files changed, 124 insertions(+), 105 deletions(-)
 create mode 100644 gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
 delete mode 100644 gnu/packages/patches/libssh-CVE-2014-0017.patch

-- 
2.7.1