The LICENSE did not have complete information.
Some examples of missing license:
Zlib: deps/zlib/
ISC: tests/clar/clar.c
LGPL-2.1-or-later: src/libgit2/xdiff/xdiffi.c
CC0-1.0: src/util/rand.c
(From OE-Core rev: a45bc475c7d983aef57c51dc51cb24902959e6f6)
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5560a0e15bd860a59671a66cc76ad1bb7e07c9d1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes:
libgit2, when compiled using the optional, included libssh2 backend, fails to verify SSH keys by default.
Description:
When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.
Beginning in libgit2 v1.4.5 and v1.5.1, libgit2 will now perform host key checking by default. Users can still override the default behavior using the certificate_check function.
The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.
(From OE-Core rev: 63cb8eb147088ae171ffa2b6005410742e50e4e6)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f59486310cf33c586671a16cf52862c19c3c4c31)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
