Upgrade libgit2 to 1.3.0, libssh2 to 1.10.2, mbedtls to 2.28 and libcurl to 7.81.0

deps/Versions.make

@@ -36,7 +36,7 @@ LAPACK_VER := 3.9.0
 LIBGIT2_JLL_NAME := LibGit2
 
 # LibSSH2
-LIBSSH2_VER := 1.9.0
+LIBSSH2_VER := 1.10.2
 LIBSSH2_JLL_NAME := LibSSH2
 
 # LibUV
@@ -58,7 +58,7 @@ LLVMUNWIND_VER := 12.0.1
 LLVMUNWIND_JLL_NAME := LLVMLibUnwind
 
 # MbedTLS
-MBEDTLS_VER := 2.24.0
+MBEDTLS_VER := 2.28.0
 MBEDTLS_JLL_NAME := MbedTLS
 
 # MPFR

deps/checksums/libssh2-635caa90787220ac3773c1d5ba11f1236c22eae8.tar.gz/md5

@@ -0,0 +1 @@
+d0b060310da22a245fc488a300288198

deps/checksums/libssh2-635caa90787220ac3773c1d5ba11f1236c22eae8.tar.gz/sha512

@@ -0,0 +1 @@
+17770f8de4f081840e765d6f7842d562e20f46972fb53a15e3c9e10421f3654a559c5dd1dfbafd7b4a0e5205d800e848b9c9c26ec1d8fc0d229d5070b6d19463

deps/checksums/mbedtls

@@ -1,34 +1,34 @@
-mbedtls-2.24.0.tar.gz/md5/9d1adcec4aa6729ae1dc56c3a24cb7d2
-mbedtls-2.24.0.tar.gz/sha512/a51e80cedfa5c1772c79cba2dacd33f551516debf083803f7a5c1f4817c928e3bfb343fbe0c2e70ed591d0eba8fdc1bc46d11de7c3d12f50826de8f2f2ece279
-MbedTLS.v2.24.0+2.aarch64-apple-darwin.tar.gz/md5/89acea2c0b9ea2b8e242a915f920f2f9
-MbedTLS.v2.24.0+2.aarch64-apple-darwin.tar.gz/sha512/3ac7cb48316466aeffc09c94b8af9f677972022f070975c7b5d782ac09ddd2e6a4eb95c34e90e2902339d3b77523a10ebe5da6357a12b38a2390d8ff5f320d52
-MbedTLS.v2.24.0+2.aarch64-linux-gnu.tar.gz/md5/7f5f0e559f63f028492c882f9b59e4c8
-MbedTLS.v2.24.0+2.aarch64-linux-gnu.tar.gz/sha512/08a5e3234d82551681693ddc357ebd78178315edc9b5a1d306e4a1f6cb750defaac39646bd1b87adae61783763922f6164a7806c0b707cb73a35e330bd51a4c5
-MbedTLS.v2.24.0+2.aarch64-linux-musl.tar.gz/md5/48b5ff73cfe8423636760acf2dd9d5d9
-MbedTLS.v2.24.0+2.aarch64-linux-musl.tar.gz/sha512/be349fc9db28feae347240dc4e89dc9f64c6da9ec07b7503e3f549980e0e7cb79e27cab1db5359a294119cb850623e3c2099f753e3245e2050075bf3925d6a5f
-MbedTLS.v2.24.0+2.armv6l-linux-gnueabihf.tar.gz/md5/2c291039ebd31e7ed38abad7652bca6c
-MbedTLS.v2.24.0+2.armv6l-linux-gnueabihf.tar.gz/sha512/b32ce3481ad62c0e50398d9e52800b535a4b75ee2204f26b295afbb20f17dde275c3f0454f6b62a6fbe32e3ff2a2d82bd58637eddfa671a3822142b568bc23de
-MbedTLS.v2.24.0+2.armv6l-linux-musleabihf.tar.gz/md5/f09c82e674d4d4127791cc1663f3edb4
-MbedTLS.v2.24.0+2.armv6l-linux-musleabihf.tar.gz/sha512/8bf11a1fdffe5d24dce7305e564a85a1365d427c5e9d7a64d19dd4a4d9d6d14af58cdeb01130105d4eb2e5660304b4e1d876c8811000e20cf63da371724d8b53
-MbedTLS.v2.24.0+2.armv7l-linux-gnueabihf.tar.gz/md5/fa072b7d8e462d2ffcd023029bbaa888
-MbedTLS.v2.24.0+2.armv7l-linux-gnueabihf.tar.gz/sha512/6a5f6b911b9235ea24e1d85f48378dd32214b93902a505ab5bad32407175fca39beecd51ad6406b39372dff32ca1279798b22b87e3161b7b3bc886b99e9bab23
-MbedTLS.v2.24.0+2.armv7l-linux-musleabihf.tar.gz/md5/d5ba2094542b57a89dba785b409a8e3d
-MbedTLS.v2.24.0+2.armv7l-linux-musleabihf.tar.gz/sha512/806fc661aab78a6498fd07390ae17e0dcf8ff059c35485dbebfeb7d67ecdd63d4338e888f529e824ba1a7e19efcfcf870ba0e77d17796601d3d9eba60c71ec48
-MbedTLS.v2.24.0+2.i686-linux-gnu.tar.gz/md5/472bbc20dea953e84a2f4285d02ae34f
-MbedTLS.v2.24.0+2.i686-linux-gnu.tar.gz/sha512/b199e56362414620a2017d439ff5532f402f8818ea6de5b89fc8a0f0a8379634b9828d85592c3bdab6a9cc577b49a204f05c401c176a4d89b8657ea620c72a2c
-MbedTLS.v2.24.0+2.i686-linux-musl.tar.gz/md5/013bf8bc2631be22e5eafd29959be7ae
-MbedTLS.v2.24.0+2.i686-linux-musl.tar.gz/sha512/fea4c10167cdfa5eea3691ff3bd3456e1cbdc58f46e426773f89bf07458fc62388094c0ea2de9c08b59ddf666d1cc21d562ea138ecee1f77ecb747c9280e51f9
-MbedTLS.v2.24.0+2.i686-w64-mingw32.tar.gz/md5/cc1df8b667a9d59f680d5a441cd1111d
-MbedTLS.v2.24.0+2.i686-w64-mingw32.tar.gz/sha512/7daa94492c1613f2b5109ee54eae9c8deb75d2bbec43040238bf54088d7020b4e6406a24561b4bf9ed49f0ea16130e0bdb4f7ca0a9f57494444fd95adec34bd7
-MbedTLS.v2.24.0+2.powerpc64le-linux-gnu.tar.gz/md5/530623572e7513c1deec9ee48c0d7cec
-MbedTLS.v2.24.0+2.powerpc64le-linux-gnu.tar.gz/sha512/57bd76d3fc25e84acd7b36fab87b49c4ad6e7f276a030efcc0f1c58288ab9d641ae5291194435ab0cf8ddb4366fbd8c813e77d16d05cc97cc9f3a818191ab3e3
-MbedTLS.v2.24.0+2.x86_64-apple-darwin.tar.gz/md5/cafce731fa866c2dcb3cbe63fd314c67
-MbedTLS.v2.24.0+2.x86_64-apple-darwin.tar.gz/sha512/61b12c959b2db726cef80cfd34880beac3d6a4722492ada88007c2e12d70bf01da57af50e11e760df3db930f5e5ce33c1aeb282c38bb4d1c9521ef2a5440b9d6
-MbedTLS.v2.24.0+2.x86_64-linux-gnu.tar.gz/md5/c54cd5248b854314cb7e85b3d83e25fe
-MbedTLS.v2.24.0+2.x86_64-linux-gnu.tar.gz/sha512/5e1659766d7949ba54456fea7eb62d19ef5952f6511be8a5992371ace1a85203dc8cf1274fec8b7934f856beb679facb6c4141deada9f39301b1079473092d5c
-MbedTLS.v2.24.0+2.x86_64-linux-musl.tar.gz/md5/3cacfb653a3c8acef2f26765333ef1c8
-MbedTLS.v2.24.0+2.x86_64-linux-musl.tar.gz/sha512/4a8eea91c0d523370f71823a3b07f22f89a87eb9d408b9dc3b68e438e405fa12879de48a5ed8d88bfcaa53457a1892d018d0ecfb3af214617efff936f3e4e396
-MbedTLS.v2.24.0+2.x86_64-unknown-freebsd.tar.gz/md5/d28184bbe5eb687144f2dc0b945eca9b
-MbedTLS.v2.24.0+2.x86_64-unknown-freebsd.tar.gz/sha512/eff3a2ca8a95eb412636fd085822c20be89b2b788bdc4e814b147883f40f7353c7f298a4b892dab48184355226c4b10010b7a839d6f9162fbaaeb78ab3922b5f
-MbedTLS.v2.24.0+2.x86_64-w64-mingw32.tar.gz/md5/645fcd040da480c11d5eee41291c7354
-MbedTLS.v2.24.0+2.x86_64-w64-mingw32.tar.gz/sha512/30753fdb2e3856472bbc46ad0747955d258b08ae4d8961f363489ba04c869a3cd09653e6061f38636cc973a6cb96ca2da55a819f573931de654a837ffb602516
+MbedTLS.v2.28.0+0.aarch64-apple-darwin.tar.gz/md5/ba33f960c7bcc3fda818c84f5e716df7
+MbedTLS.v2.28.0+0.aarch64-apple-darwin.tar.gz/sha512/3878531424317954417d09090b0a7618c6c0a6907bb04db34aef37d55a033972371455fcffca548ac03be41c0b0d1f8e51a9fe6e8f8fb4d8ef4fcbf91f15b3ea
+MbedTLS.v2.28.0+0.aarch64-linux-gnu.tar.gz/md5/9e7c78fc7c39fd19dcb170d57c8c0ec6
+MbedTLS.v2.28.0+0.aarch64-linux-gnu.tar.gz/sha512/59eaeec1a772265e62fa4049e0bc8c96cd7403d954213ac6098921acf6e128b624d6bc1ba5c6062c88ecb92aa8bf9d0a06e365eee241b6516ef0bfe2b4c47188
+MbedTLS.v2.28.0+0.aarch64-linux-musl.tar.gz/md5/44f939956834d5d8130ccb3bd5962b0c
+MbedTLS.v2.28.0+0.aarch64-linux-musl.tar.gz/sha512/f9797a44851222c005fd4068df6e0bcee68133c9a48e19e16d188b8a6927be56c620fec83264398d682eb5c89b7f01683e5898d3cbcb7aecf53e5ce678464db6
+MbedTLS.v2.28.0+0.armv6l-linux-gnueabihf.tar.gz/md5/fc07035dddd51e9c57e62edfc3fc5691
+MbedTLS.v2.28.0+0.armv6l-linux-gnueabihf.tar.gz/sha512/ffb707ba7439050862654316b4388f52e8bd09bbeb7076cf6cdc924cb60c61f871c01ccfe14e1ae1e62a5733490487324ba60e8545d60902f3317039264db83b
+MbedTLS.v2.28.0+0.armv6l-linux-musleabihf.tar.gz/md5/fc54575519130bd468ee4dbe23da0ea9
+MbedTLS.v2.28.0+0.armv6l-linux-musleabihf.tar.gz/sha512/d4b9e1bd8877f7d93d1b4e0d1c4c3d4e5d2af6920e39222667e689ec84cf9817988c91a826755a734a60ce05fed913e5421b8aa9980f257450da7f51c5e9342a
+MbedTLS.v2.28.0+0.armv7l-linux-gnueabihf.tar.gz/md5/0753a99f4645ba7e1ceb27a03c65a107
+MbedTLS.v2.28.0+0.armv7l-linux-gnueabihf.tar.gz/sha512/a7a65338ee6f93117d44975651d77c351f0c919a3ae2eea6e220719dd084f71617946adf04a08a82d55c22af0275d21fce3c692becf87ccf2d932c8aa32af7af
+MbedTLS.v2.28.0+0.armv7l-linux-musleabihf.tar.gz/md5/ff335caa1cec22366cfa2c2bf87f61f7
+MbedTLS.v2.28.0+0.armv7l-linux-musleabihf.tar.gz/sha512/a3ff7d53b45134165347dec209bc27f48be984b4fb58ddd54286a146b837d038ab21e22033f1e0713d359c72adc0b97e979532ebaa734495eb88bfceaf3c2155
+MbedTLS.v2.28.0+0.i686-linux-gnu.tar.gz/md5/c4c9728ee9d875685765eb4c9c3bf731
+MbedTLS.v2.28.0+0.i686-linux-gnu.tar.gz/sha512/214142ee7ca3a5b447a97928ffcbe0389fbb8c1fa68de387656e5c0e4406f02411e4183fb051b2107600b222bd5279b9fd3a5aec43a9d97a9556b08c5338cb7b
+MbedTLS.v2.28.0+0.i686-linux-musl.tar.gz/md5/2684f2bc8a04234ae67603150e6d0917
+MbedTLS.v2.28.0+0.i686-linux-musl.tar.gz/sha512/a533afd26893464bee62dbfa9babf6e4e1119a4be31ecb242e2ff28f5f6e3a3969057e2ce653c98c1b8d2a19e340df7a17dac8693fce270399df92cfbf3a32ca
+MbedTLS.v2.28.0+0.i686-w64-mingw32.tar.gz/md5/f205fd351e94f42cd38d34d3eff6e69a
+MbedTLS.v2.28.0+0.i686-w64-mingw32.tar.gz/sha512/cfdb819d3e6fa9ce3985e29ac733c2af6c988230ae49bbdc13f0fc234e82444d17ce5da4d3b6d8cc6ac45ea4a999f0ce03ac42533223c87bea066a371487ef1e
+MbedTLS.v2.28.0+0.powerpc64le-linux-gnu.tar.gz/md5/41b1f61ebda30a8e8f02dcd955ae0d40
+MbedTLS.v2.28.0+0.powerpc64le-linux-gnu.tar.gz/sha512/25b62106404cb3b9be3e0f778ed953bdcf9d18cb289be823f97f7a1759012c84cfe7240fc936f2e6e858273ce2022d75ecc2554d5696cea110eda6d059362416
+MbedTLS.v2.28.0+0.x86_64-apple-darwin.tar.gz/md5/e7b286dac94bef06915930180b2d3bac
+MbedTLS.v2.28.0+0.x86_64-apple-darwin.tar.gz/sha512/a2acaacb77ca6e2704144d8d99e51df49b1fc69c8751e43973e0c41219d023676d35ae05bd4ff7a3680dc0edf5438e51b67baa76f5b78947560dcc420623a3da
+MbedTLS.v2.28.0+0.x86_64-linux-gnu.tar.gz/md5/39662265088efadb142fdc7255a0b7a3
+MbedTLS.v2.28.0+0.x86_64-linux-gnu.tar.gz/sha512/a3648c78bebf4c024ddf491965cb7707df887ce10dec6f9e42eb6493bc7d1220e5b23c53f5e4e73dfe94e8d8dcf35ffc6860d1992deb9b63a0c4691d4167e59f
+MbedTLS.v2.28.0+0.x86_64-linux-musl.tar.gz/md5/1fbe9f2593bc11af031075b58a108bc8
+MbedTLS.v2.28.0+0.x86_64-linux-musl.tar.gz/sha512/d185ced64d471fba9ae1aa495b2eba0e60738e8e5ef918670b1c40cc8981389ecd48e4f17506229bafab4a11f7a257d3d544cfe87ad198482778931c2a7a8aa9
+MbedTLS.v2.28.0+0.x86_64-unknown-freebsd.tar.gz/md5/26beed62ee2abe8c6e52c1dbddbe0b1a
+MbedTLS.v2.28.0+0.x86_64-unknown-freebsd.tar.gz/sha512/f04a417d99e3b908383d3c14cf8512b2f13e4b226d07235e2334090aadb6aecce40a23ae8f8df9c0ed9618707e839aaac6de64d5fee6d7e3955b290bc564d3a2
+MbedTLS.v2.28.0+0.x86_64-w64-mingw32.tar.gz/md5/cc55fe5537719aa8bf3bbee981c01413
+MbedTLS.v2.28.0+0.x86_64-w64-mingw32.tar.gz/sha512/3436647e81fdb9db138063229f20f47e2c8405e6379ca3e7cf38fb9fde84d2b6618a5f29b8df19cbffe75af7f99e00e9583d67be7b53dcce27bff453b96dcf13
+mbedtls-2.28.0.tar.gz/md5/d64054513df877458493dbb28e2935fa
+mbedtls-2.28.0.tar.gz/sha512/907867edf532ba3b099f4fb7ce31f5773ceceb072a8d067b1d830e879d541f92f401d64f13bbe6b4eb0845e58bb765d7d28896be414bb0fc7ac5b3876066be5f

deps/libgit2.mk

@@ -40,28 +40,14 @@ $(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied: $(LIBGIT2_SRC_PATH)/so
 		patch -p1 -f < $(SRCDIR)/patches/libgit2-agent-nonfatal.patch
 	echo 1 > $@
 
-# This can be removed once a release with https://github.com/libgit2/libgit2/pull/5685 lands
-$(LIBGIT2_SRC_PATH)/libgit2-mbedtls-incdir.patch-applied: $(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied
-	cd $(LIBGIT2_SRC_PATH) && \
-		patch -p1 -f < $(SRCDIR)/patches/libgit2-mbedtls-incdir.patch
-	echo 1 > $@
-
-$(LIBGIT2_SRC_PATH)/libgit2-hostkey.patch-applied: $(LIBGIT2_SRC_PATH)/libgit2-mbedtls-incdir.patch-applied
+$(LIBGIT2_SRC_PATH)/libgit2-hostkey.patch-applied: $(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied
 	cd $(LIBGIT2_SRC_PATH) && \
 		patch -p1 -f < $(SRCDIR)/patches/libgit2-hostkey.patch
 	echo 1 > $@
 
-# This can be removed once a release with https://github.com/libgit2/libgit2/pull/5740 lands
-$(LIBGIT2_SRC_PATH)/libgit2-continue-zlib.patch-applied: $(LIBGIT2_SRC_PATH)/libgit2-hostkey.patch-applied
-	cd $(LIBGIT2_SRC_PATH) && \
-		patch -p1 -f < $(SRCDIR)/patches/libgit2-continue-zlib.patch
-	echo 1 > $@
-
 $(BUILDDIR)/$(LIBGIT2_SRC_DIR)/build-configured: \
 	$(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied \
-	$(LIBGIT2_SRC_PATH)/libgit2-mbedtls-incdir.patch-applied \
-	$(LIBGIT2_SRC_PATH)/libgit2-hostkey.patch-applied \
-	$(LIBGIT2_SRC_PATH)/libgit2-continue-zlib.patch-applied
+	$(LIBGIT2_SRC_PATH)/libgit2-hostkey.patch-applied
 
 $(BUILDDIR)/$(LIBGIT2_SRC_DIR)/build-configured: $(LIBGIT2_SRC_PATH)/source-extracted
 	mkdir -p $(dir $@)

deps/libgit2.version

@@ -1,2 +1,2 @@
-LIBGIT2_BRANCH=v1.1.0
-LIBGIT2_SHA1=7f4fa178629d559c037a1f72f79f79af9c1ef8ce
+LIBGIT2_BRANCH=v1.3.0
+LIBGIT2_SHA1=b7bad55e4bb0a285b073ba5e02b01d3f522fc95d

deps/libssh2.mk

@@ -28,7 +28,18 @@ ifeq ($(LIBSSH2_ENABLE_TESTS), 0)
 LIBSSH2_OPTS += -DBUILD_TESTING=OFF
 endif
 
-$(BUILDDIR)/$(LIBSSH2_SRC_DIR)/build-configured: $(SRCCACHE)/$(LIBSSH2_SRC_DIR)/source-extracted
+LIBSSH2_SRC_PATH := $(SRCCACHE)/$(LIBSSH2_SRC_DIR)
+
+ # Apply patch to fix v1.10.0 CVE (https://github.com/libssh2/libssh2/issues/649), drop with v1.11
+$(LIBSSH2_SRC_PATH)/libssh2-userauth-check.patch-applied: $(LIBSSH2_SRC_PATH)/source-extracted
+	cd $(LIBSSH2_SRC_PATH) && \
+		patch -p1 -f < $(SRCDIR)/patches/libssh2-userauth-check.patch
+	echo 1 > $@
+
+$(BUILDDIR)/$(LIBSSH2_SRC_DIR)/build-configured: \
+	$(LIBSSH2_SRC_PATH)/libssh2-userauth-check.patch-applied
+
+$(BUILDDIR)/$(LIBSSH2_SRC_DIR)/build-configured: $(LIBSSH2_SRC_PATH)/source-extracted
 	mkdir -p $(dir $@)
 	cd $(dir $@) && \
 	$(CMAKE) $(dir $<) $(LIBSSH2_OPTS)

deps/libssh2.version

@@ -1,2 +1,2 @@
-LIBSSH2_BRANCH=libssh2-1.9.0
-LIBSSH2_SHA1=42d37aa63129a1b2644bf6495198923534322d64
+LIBSSH2_BRANCH=libssh2-1.10.0
+LIBSSH2_SHA1=635caa90787220ac3773c1d5ba11f1236c22eae8

deps/mbedtls.mk

@@ -31,17 +31,6 @@ $(SRCCACHE)/$(MBEDTLS_SRC)/source-extracted: $(SRCCACHE)/$(MBEDTLS_SRC).tar.gz
 checksum-mbedtls: $(SRCCACHE)/$(MBEDTLS_SRC).tar.gz
 	$(JLCHECKSUM) $<
 
-$(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-cmake-findpy.patch-applied: $(SRCCACHE)/$(MBEDTLS_SRC)/source-extracted
-	# Apply workaround for CMake 3.18.2 bug (https://github.com/ARMmbed/mbedtls/pull/3691).
-	# This patch merged upstream shortly after MBedTLS's 2.25.0 minor release, so chances
-	# are it will be included at least in their next minor release (2.26.0?).
-	cd $(SRCCACHE)/$(MBEDTLS_SRC) && \
-		patch -p1 -f < $(SRCDIR)/patches/mbedtls-cmake-findpy.patch
-	echo 1 > $@
-
-$(BUILDDIR)/$(MBEDTLS_SRC)/build-configured: \
-	$(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-cmake-findpy.patch-applied
-
 $(BUILDDIR)/$(MBEDTLS_SRC)/build-configured: $(SRCCACHE)/$(MBEDTLS_SRC)/source-extracted
 	mkdir -p $(dir $@)
 	cd $(dir $@) && \

deps/patches/libgit2-hostkey.patch

@@ -1,48 +1,16 @@
-diff --git a/include/git2/cert.h b/include/git2/cert.h
-index e8cd2d180..54293cd31 100644
---- a/include/git2/cert.h
-+++ b/include/git2/cert.h
-@@ -111,6 +111,14 @@ typedef struct {
- 	 * have the SHA-256 hash of the hostkey.
- 	 */
- 	unsigned char hash_sha256[32];
-+
-+	/**
-+	 * Hostkey itself.
-+	 */
-+	int hostkey_type;
-+	size_t hostkey_len;
-+	unsigned char hostkey[1024];
-+
- } git_cert_hostkey;
-
- /**
 diff --git a/src/transports/ssh.c b/src/transports/ssh.c
-index f4ed05bb1..ec6366a5f 100644
+index 471c3273ed..32189d0979 100644
 --- a/src/transports/ssh.c
 +++ b/src/transports/ssh.c
-@@ -523,6 +523,7 @@ static int _git_ssh_setup_conn(
+@@ -525,6 +525,7 @@ static int _git_ssh_setup_conn(
  	git_credential *cred = NULL;
- 	LIBSSH2_SESSION* session=NULL;
- 	LIBSSH2_CHANNEL* channel=NULL;
+ 	LIBSSH2_SESSION *session=NULL;
+ 	LIBSSH2_CHANNEL *channel=NULL;
 +	char *host_and_port;
 
  	t->current_stream = NULL;
 
-@@ -566,6 +567,12 @@ post_extract:
-
- 		cert.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2;
-
-+		key = libssh2_session_hostkey(session, &cert.hostkey_len, &cert.hostkey_type);
-+		bzero(&cert.hostkey, sizeof(cert.hostkey));
-+		if (cert.hostkey_len > sizeof(cert.hostkey))
-+			cert.hostkey_len = sizeof(cert.hostkey);
-+		memcpy(&cert.hostkey, key, cert.hostkey_len);
-+
- #ifdef LIBSSH2_HOSTKEY_HASH_SHA256
- 		key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA256);
- 		if (key != NULL) {
-@@ -597,7 +604,15 @@ post_extract:
+@@ -636,7 +637,15 @@ post_extract:
 
  		cert_ptr = &cert;
 

deps/patches/libssh2-userauth-check.patch

@@ -0,0 +1,30 @@
+From 37ee0aa214655b63e7869d1d74ff1ec9f9818a5e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Fri, 17 Dec 2021 17:46:29 +0100
+Subject: [PATCH] userauth: check for too large userauth_kybd_auth_name_len
+ (#650)
+
+... before using it.
+
+Reported-by: MarcoPoloPie
+Fixes #649
+---
+ src/userauth.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index 40ef915..caa5635 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1769,6 +1769,11 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+             if(session->userauth_kybd_data_len >= 5) {
+                 /* string    name (ISO-10646 UTF-8) */
+                 session->userauth_kybd_auth_name_len = _libssh2_ntohu32(s);
++                if(session->userauth_kybd_auth_name_len >
++                   session->userauth_kybd_data_len - 5)
++                    return _libssh2_error(session,
++                                          LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                          "Bad keyboard auth name");
+                 s += 4;
+             }
+             else {

stdlib/LibGit2/src/callbacks.jl

@@ -366,8 +366,8 @@ struct CertHostKey
     sha1    :: NTuple{20,UInt8}
     sha256  :: NTuple{32,UInt8}
     type    :: Cint
+    hostkey :: Ptr{Cchar}
     len     :: Csize_t
-    data    :: NTuple{1024,UInt8}
 end
 
 function verify_host_error(message::AbstractString)
@@ -433,14 +433,14 @@ function ssh_knownhost_check(
     host  :: AbstractString,
     cert  :: CertHostKey,
 )
-    key = collect(cert.data)[1:cert.len]
+    key = unsafe_wrap(Array, cert.hostkey, cert.len)
     return ssh_knownhost_check(files, host, key)
 end
 
 function ssh_knownhost_check(
     files :: AbstractVector{<:AbstractString},
     host  :: AbstractString,
-    key   :: Vector{UInt8},
+    key   :: Vector{Cchar},
 )
     if (m = match(r"^(.+):(\d+)$", host)) !== nothing
         host = m.captures[1]
@@ -476,7 +476,7 @@ function ssh_knownhost_check(
             hosts  :: Ptr{Cvoid},
             host   :: Cstring,
             port   :: Cint,
-            key    :: Ptr{UInt8},
+            key    :: Ptr{Cchar},
             len    :: Csize_t,
             mask   :: Cint,
             C_NULL :: Ptr{Ptr{KnownHost}},