[OE-core][kirkstone 12/23] libgit2: upgrade 1.4.4 -> 1.4.5

Tue, 21 Feb 2023 06:41:40 -0800 

Fixes:

libgit2, when compiled using the optional, included libssh2 backend, fails to 
verify SSH keys by default.

Description
When using an SSH remote with the optional, included libssh2 backend, libgit2 
does not perform certificate checking by default. Prior versions of libgit2 
require the caller to set the certificate_check field of libgit2's 
git_remote_callbacks structure - if a certificate check callback is not set, 
libgit2 does not perform any certificate checking. This means that by default - 
without configuring a certificate check callback, clients will not perform 
validation on the server SSH keys and may be subject to a man-in-the-middle 
attack.

Beginning in libgit2 v1.4.5 and v1.5.1, libgit2 will now perform host key 
checking by default. Users can still override the default behavior using the 
certificate_check function.

The libgit2 security team would like to thank the Julia and Rust security teams 
for responsibly disclosing this vulnerability and assisting with fixing the 
vulnerability.

Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 .../libgit2/{libgit2_1.4.4.bb => libgit2_1.4.5.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/libgit2/{libgit2_1.4.4.bb => libgit2_1.4.5.bb} 
(91%)

diff --git a/meta/recipes-support/libgit2/libgit2_1.4.4.bb 
b/meta/recipes-support/libgit2/libgit2_1.4.5.bb
similarity index 91%
rename from meta/recipes-support/libgit2/libgit2_1.4.4.bb
rename to meta/recipes-support/libgit2/libgit2_1.4.5.bb
index a6f4d8d7f2..aadfe4ad02 100644
--- a/meta/recipes-support/libgit2/libgit2_1.4.4.bb
+++ b/meta/recipes-support/libgit2/libgit2_1.4.5.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=e5a9227de4cb6afb5d35ed7b0fdf480d"
 DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2"
 
 SRC_URI = 
"git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https"
-SRCREV = "3b7d756ccfaf9ec2922d2db22e6cc98f8ab6580c"
+SRCREV = "cd6f679af401eda1f172402006ef8265f8bd58ea"
 
 S = "${WORKDIR}/git"
 
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#177512): 
https://lists.openembedded.org/g/openembedded-core/message/177512
Mute This Topic: https://lists.openembedded.org/mt/97109733/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to