From eca462813d7586063deb5c9989ae9bcef29f9495 Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Tue, 16 Oct 2018 18:28:09 +0200
Subject: libssh: 0.7.5 -> 0.7.6

Fixes CVE-2018-10933: libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials. Source: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
---
 pkgs/development/libraries/libssh/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'pkgs/development/libraries')
diff --git a/pkgs/development/libraries/libssh/default.nix b/pkgs/development/libraries/libssh/default.nix
index 9b5c3d530ebf..1ec15e88f13d 100644
--- a/pkgs/development/libraries/libssh/default.nix
+++ b/pkgs/development/libraries/libssh/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, fetchpatch, pkgconfig, cmake, zlib, openssl, libsodium }:
 stdenv.mkDerivation rec {
- name = "libssh-0.7.5";
+ name = "libssh-0.7.6";
 src = fetchurl {
- url = "https://red.libssh.org/attachments/download/218/${name}.tar.xz";
- sha256 = "15bh6dm9c50ndddzh3gqcgw7axp3ghrspjpkb1z3dr90vkanvs2l";
+ url = "https://www.libssh.org/files/0.7/libssh-0.7.6.tar.xz";
+ sha256 = "14hhdpn2hflywsi9d5bz2pfjxqkyi07znjij89cpakr7b4w7sq0x";
 };
 patches = [
--
cgit 1.4.1