diff --git a/.gitignore b/.gitignore
index bfd0bb1..76fb7b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/libssh-0.9.4.tar.xz
+SOURCES/libssh-0.9.6.tar.xz
SOURCES/libssh.keyring
diff --git a/.libssh.metadata b/.libssh.metadata
index c453642..6b8b582 100644
--- a/.libssh.metadata
+++ b/.libssh.metadata
@@ -1,2 +1,2 @@
-93289b77379263328c843fa85ba5ed4b274b689f SOURCES/libssh-0.9.4.tar.xz
+1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
diff --git a/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch b/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch
deleted file mode 100644
index ce149b4..0000000
--- a/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 1694606e12d8950b003ff86248883732ef05e00c Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Fri, 19 Jun 2020 11:59:33 +0200
-Subject: [PATCH] tests: Add test for CVE-2019-14889
-
-The test checks if a command appended to the file path is not executed.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
----
- tests/client/torture_scp.c | 84 ++++++++++++++++++++++++++++++++++++++
- 1 file changed, 84 insertions(+)
-
-diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c
-index 8f080af3..59a00bae 100644
---- a/tests/client/torture_scp.c
-+++ b/tests/client/torture_scp.c
-@@ -37,6 +37,7 @@
- #define BUF_SIZE 1024
-
- #define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"
-+#define ALICE_HOME BINARYDIR "/tests/home/alice"
-
- struct scp_st {
- struct torture_state *s;
-@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state)
- fclose(file);
- }
-
-+static void torture_scp_upload_appended_command(void **state)
-+{
-+ struct scp_st *ts = NULL;
-+ struct torture_state *s = NULL;
-+
-+ ssh_session session = NULL;
-+ ssh_scp scp = NULL;
-+
-+ FILE *file = NULL;
-+
-+ char buf[1024];
-+ char *rs = NULL;
-+ int rc;
-+
-+ assert_non_null(state);
-+ ts = *state;
-+
-+ assert_non_null(ts->s);
-+ s = ts->s;
-+
-+ session = s->ssh.session;
-+ assert_non_null(session);
-+
-+ assert_non_null(ts->tmp_dir_basename);
-+ assert_non_null(ts->tmp_dir);
-+
-+ /* Upload a file path with a command appended */
-+
-+ /* Append a command to the file path */
-+ snprintf(buf, BUF_SIZE, "%s"
-+ "/;touch hack",
-+ ts->tmp_dir);
-+
-+ /* When writing the file_name must be the directory name */
-+ scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,
-+ buf);
-+ assert_non_null(scp);
-+
-+ rc = ssh_scp_init(scp);
-+ assert_ssh_return_code(session, rc);
-+
-+ /* Push directory where the new file will be copied */
-+ rc = ssh_scp_push_directory(scp, ";touch hack", 0755);
-+ assert_ssh_return_code(session, rc);
-+
-+ /* Try to push file */
-+ rc = ssh_scp_push_file(scp, "original", 8, 0644);
-+ assert_ssh_return_code(session, rc);
-+
-+ rc = ssh_scp_write(scp, "original", 8);
-+ assert_ssh_return_code(session, rc);
-+
-+ /* Leave the directory */
-+ rc = ssh_scp_leave_directory(scp);
-+ assert_ssh_return_code(session, rc);
-+
-+ /* Cleanup */
-+ ssh_scp_close(scp);
-+ ssh_scp_free(scp);
-+
-+ /* Make sure the command was not executed */
-+ snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");
-+ file = fopen(buf, "r");
-+ assert_null(file);
-+
-+ /* Open the file and check content */
-+ snprintf(buf, BUF_SIZE, "%s"
-+ "/;touch hack/original",
-+ ts->tmp_dir);
-+
-+ file = fopen(buf, "r");
-+ assert_non_null(file);
-+
-+ rs = fgets(buf, 1024, file);
-+ assert_non_null(rs);
-+ assert_string_equal(buf, "original");
-+
-+ fclose(file);
-+}
-+
- int torture_run_tests(void)
- {
- int rc;
-@@ -559,6 +640,9 @@ int torture_run_tests(void)
- cmocka_unit_test_setup_teardown(torture_scp_upload_newline,
- session_setup,
- session_teardown),
-+ cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,
-+ session_setup,
-+ session_teardown),
- };
-
- ssh_init();
---
-2.26.2
-
diff --git a/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch b/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch
deleted file mode 100644
index ac5ee0d..0000000
--- a/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From f10d80047c660e33f5c365bf3cf436a0c2a300f1 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Tue, 23 Jun 2020 18:31:47 +0200
-Subject: [PATCH] tests: Do not parse configuration file in torture_knownhosts
-
-The test might fail if there is a local configuration file that changes
-the location of the known_hosts file. The test should not be affected
-by configuration files present in the testing environment.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Reviewed-by: Jakub Jelen <jjelen@redhat.com>
----
- tests/client/torture_knownhosts.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/tests/client/torture_knownhosts.c b/tests/client/torture_knownhosts.c
-index fcc54846..55aee217 100644
---- a/tests/client/torture_knownhosts.c
-+++ b/tests/client/torture_knownhosts.c
-@@ -307,6 +307,7 @@ static void torture_knownhosts_other_auto(void **state) {
- char tmp_file[1024] = {0};
- char *known_hosts_file = NULL;
- int rc;
-+ bool process_config = false;
-
- snprintf(tmp_file,
- sizeof(tmp_file),
-@@ -344,6 +345,9 @@ static void torture_knownhosts_other_auto(void **state) {
-
- s->ssh.session = session;
-
-+ rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
-+ assert_ssh_return_code(session, rc);
-+
- rc = ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
- assert_ssh_return_code(session, rc);
-
-@@ -368,6 +372,7 @@ static void torture_knownhosts_conflict(void **state) {
- char *known_hosts_file = NULL;
- FILE *file;
- int rc;
-+ bool process_config = false;
-
- snprintf(tmp_file,
- sizeof(tmp_file),
-@@ -411,6 +416,9 @@ static void torture_knownhosts_conflict(void **state) {
-
- s->ssh.session = session;
-
-+ rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
-+ assert_ssh_return_code(session, rc);
-+
- ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
- ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, known_hosts_file);
- rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "rsa-sha2-256");
---
-2.26.2
-
diff --git a/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch b/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch
deleted file mode 100644
index 387b9c0..0000000
--- a/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 750e4f3f9d3ec879929801d65a500ec3ad84ff67 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Thu, 18 Jun 2020 19:08:54 +0200
-Subject: [PATCH] channel: Do not return error if the server closed the channel
-
-If the server properly closed the channel, the client should not return
-error if it finds the channel closed.
-
-Fixes T231
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Reviewed-by: Jakub Jelen <jjelen@redhat.com>
----
- src/channels.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/channels.c b/src/channels.c
-index 9fe309d0..607bd568 100644
---- a/src/channels.c
-+++ b/src/channels.c
-@@ -2932,15 +2932,16 @@ int ssh_channel_read_timeout(ssh_channel channel,
- if (session->session_state == SSH_SESSION_STATE_ERROR) {
- return SSH_ERROR;
- }
-+ /* If the server closed the channel properly, there is nothing to do */
-+ if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
-+ return 0;
-+ }
- if (channel->state == SSH_CHANNEL_STATE_CLOSED) {
- ssh_set_error(session,
- SSH_FATAL,
- "Remote channel is closed.");
- return SSH_ERROR;
- }
-- if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
-- return 0;
-- }
- len = ssh_buffer_get_len(stdbuf);
- /* Read count bytes if len is greater, everything otherwise */
- len = (len > count ? count : len);
---
-2.26.2
-
diff --git a/SOURCES/libssh-0.9.4-enable-sshd-sha1-algorithms.patch b/SOURCES/libssh-0.9.4-enable-sshd-sha1-algorithms.patch
deleted file mode 100644
index a821223..0000000
--- a/SOURCES/libssh-0.9.4-enable-sshd-sha1-algorithms.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/tests/torture.c 2020-04-09 16:16:07.691894761 +0200
-+++ b/tests/torture.c 2020-04-09 20:11:50.577962771 +0200
-@@ -636,6 +636,15 @@
- # else /* HAVE_DSA */
- "HostKeyAlgorithms +ssh-rsa\n"
- # endif /* HAVE_DSA */
-+/* Add back algorithms removed from default in OpenSSH-8.2 due to SHA1
-+ * deprecation*/
-+# if (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2)
-+ "KexAlgorithms +diffie-hellman-group14-sha1,"
-+ "diffie-hellman-group-exchange-sha1,"
-+ "diffie-hellman-group1-sha1\n"
-+ "HostKeyAlgorithms +ssh-rsa\n"
-+ "CASignatureAlgorithms +ssh-rsa\n"
-+#endif
- # if (OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6)
- "Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc\n"
- # else /* OPENSSH_VERSION 7.0 - 7.5 */
diff --git a/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch b/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch
deleted file mode 100644
index 9221f03..0000000
--- a/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -up libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 libssh-0.9.4/src/buffer.c
---- libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 2021-04-21 10:27:53.562473773 +0200
-+++ libssh-0.9.4/src/buffer.c 2021-04-21 10:29:21.768165663 +0200
-@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_
- */
- int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
- {
-+ if (buffer == NULL) {
-+ return -1;
-+ }
-+
- buffer_verify(buffer);
-
- if (data == NULL) {
-diff -up libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 libssh-0.9.4/src/sftpserver.c
---- libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 2021-04-21 10:30:43.864796642 +0200
-+++ libssh-0.9.4/src/sftpserver.c 2021-04-21 10:41:52.166933113 +0200
-@@ -67,9 +67,20 @@ sftp_client_message sftp_get_client_mess
-
- /* take a copy of the whole packet */
- msg->complete_message = ssh_buffer_new();
-- ssh_buffer_add_data(msg->complete_message,
-- ssh_buffer_get(payload),
-- ssh_buffer_get_len(payload));
-+ if (msg->complete_message == NULL) {
-+ ssh_set_error_oom(session);
-+ sftp_client_message_free(msg);
-+ return NULL;
-+ }
-+
-+ rc = ssh_buffer_add_data(msg->complete_message,
-+ ssh_buffer_get(payload),
-+ ssh_buffer_get_len(payload));
-+ if (rc < 0) {
-+ ssh_set_error_oom(session);
-+ sftp_client_message_free(msg);
-+ return NULL;
-+ }
-
- ssh_buffer_get_u32(payload, &msg->id);
-
diff --git a/SOURCES/libssh-0.9.4-fix-version.patch b/SOURCES/libssh-0.9.4-fix-version.patch
deleted file mode 100644
index 143e972..0000000
--- a/SOURCES/libssh-0.9.4-fix-version.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/include/libssh/libssh.h 2020-04-15 13:38:32.899177005 +0200
-+++ b/include/libssh/libssh.h 2020-04-15 13:38:57.406454427 +0200
-@@ -79,7 +79,7 @@
- /* libssh version */
- #define LIBSSH_VERSION_MAJOR 0
- #define LIBSSH_VERSION_MINOR 9
--#define LIBSSH_VERSION_MICRO 3
-+#define LIBSSH_VERSION_MICRO 4
-
- #define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
- LIBSSH_VERSION_MINOR, \
diff --git a/SOURCES/libssh-0.9.4.tar.xz.asc b/SOURCES/libssh-0.9.4.tar.xz.asc
deleted file mode 100644
index 84b673c..0000000
--- a/SOURCES/libssh-0.9.4.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAl6O0BgACgkQfuD8TcwB
-Tj0dCQ/+J0pjZU6uu7h6gkc4BbRciCpYDIv66Lw9iCc2bQmLLhPrukWjz6/PDV+U
-iL/1dlwxG8rOlXdtCEFGyDvm0y4E8NaQCcgjU9jA8nsXo+SyyJAeWT7BeI3m2hPi
-tjbLAjQVHCW1jIite1dJeoPIPg15LChc08t+HWVI3pwQviwlJWTPmHgMaT3uwa1X
-fD66hjgB2UFo5eYnbION3L/jpA0vsI4o4F5CFPEhgbz3H6KmrgQbKLPM3H/103zU
-XjtHEw7gy/85OmjpcskMrUVAMbw9EZ5ESFOrKyuQaFBY57L//tAdUaEloxsMKt+5
-nmYunmlGmDLT6rHfjSg5X1S+NsQaXhGelc0TLVgvlzs4kR+QbApR1ewKTcsYlVwr
-jYG+PuAiROqc18xM/fQYh8UqohluDBmUpEDmVOEKT2tg/S7R5RJtOxdmcZPsLO+W
-EOoP+OeUvQqNlzqu6kBRI4v2lwVU4QwDzKCNRzwQHJOH+azH/3FRJBDF1ZAQvgxy
-w/NqlpFO6P76e0SLzBjHCDyqwbAzfq4WK3f5oE0RAA5RlndWusovTAWaYrAbVaoz
-emkt/guiHHsbLy6S2ELJu4BI9TGGtDMJoo1ScMMQzFqijUISCBgK/+6mUVUlMli0
-lTH6VE+MvpElADE+IYSXWOLHrspTxVa/jVun3iYE8Nexn6G0XE0=
-=xSu8
------END PGP SIGNATURE-----
diff --git a/SOURCES/libssh-0.9.6.tar.xz.asc b/SOURCES/libssh-0.9.6.tar.xz.asc
new file mode 100644
index 0000000..cbed27f
--- /dev/null
+++ b/SOURCES/libssh-0.9.6.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
+Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
+3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
+bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
+ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
+KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
+VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
++W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
+zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
+1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
+TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
+o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
+=cO0k
+-----END PGP SIGNATURE-----
diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec
index 0bc82e3..1695472 100644
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@@ -1,5 +1,5 @@
Name: libssh
-Version: 0.9.4
+Version: 0.9.6
Release: 3%{?dist}
Summary: A library implementing the SSH protocol
License: LGPLv2+
@@ -11,13 +11,6 @@ Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC
Source3: libssh_client.config
Source4: libssh_server.config
-Patch0: libssh-0.9.4-enable-sshd-sha1-algorithms.patch
-Patch1: libssh-0.9.4-fix-version.patch
-Patch2: libssh-0.9.4-do-not-return-error-server-closed-channel.patch
-Patch3: libssh-0.9.4-add-cve-2019-14889-test.patch
-Patch4: libssh-0.9.4-do-not-parse-config-during-tests.patch
-Patch5: libssh-0.9.4-fix-cve-2020-16135.patch
-
BuildRequires: cmake
BuildRequires: doxygen
BuildRequires: gcc-c++
@@ -27,6 +20,13 @@ BuildRequires: pkgconfig
BuildRequires: zlib-devel
BuildRequires: krb5-devel
BuildRequires: libcmocka-devel
+BuildRequires: openssh-clients
+BuildRequires: openssh-server
+BuildRequires: pam_wrapper
+BuildRequires: socket_wrapper
+BuildRequires: nss_wrapper
+BuildRequires: uid_wrapper
+BuildRequires: nmap-ncat
Requires: crypto-policies
Requires: %{name}-config = %{version}-%{release}
@@ -136,6 +136,27 @@ popd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%changelog
+* Fri Nov 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-3
+- Remove STI tests
+
+* Thu Oct 21 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-2
+- Remove bad patch causing errors
+- Adding BuildRequires for openssh (SSHD support)
+
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
+ rekeying with different key exchange mechanism
+- Rebase to version 0.9.6
+- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
+- Resolves: rhbz#1896651, rhbz#1994600
+
+* Thu Oct 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-4
+- Revert previous commit as it is incorrect.
+
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
+ rekeying with different key exchange mechanism (#1978810)
+
* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
ssh_buffer_new returns NULL (#1862646)