Subject: Re: time to release another libssh2 version!

From: Yuriy M. Kaminskiy
Date: Fri, 14 Oct 2016 13:33:14 +0300

Daniel Stenberg writes:

> I think it is about time we ship another release. The OpenSSL 1.1.0
> support being a major reason I think.
> So, please bring up your issues that we should squeeze in before we
> release.

E.g. that libssh2 uses an oversized exponent (private key) in the DH
handshake, which renders it several times slower than it should be?

E.g. that libssh2 fails to verify whether a received field length fits in
the buffer size *everywhere*, and so a malicious server (or maybe even a
MitM attacker) can trivially crash the client, or steal host (client) memory?

> We have a whole bunch of issues and pull-requests we could use more
> eyes and hands on to deal with. Maybe we could take care of some of
> them before next release?
> The mbedTLS backend for example maybe?
> Any suggestion on how much time we should set for ourselves to prepare
> until we ship? I would like to propose that we aim for doing the
> release on Tuesday October 11. And this means that if there's anything
> larger anyone wants to merge, it needs to be done ASAP so that we have
> at least a week with no large changes before we ship.
> Feel free to object, agree or suggest something different!

Received on 2016-10-16
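
The length-field check raised in the message above, shown as an added example (not code from the original post or from libssh2): a reader for the SSH "string" type (uint32 length followed by that many bytes, RFC 4251 section 5) that compares the peer-supplied length against the bytes actually left in the packet. The names pkt_reader, rd_u32, rd_string and count_strings are hypothetical, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical cursor over one received packet (not a libssh2 type). */
struct pkt_reader {
    const uint8_t *p;   /* next unread byte */
    size_t left;        /* bytes remaining in the packet */
};
/* Read a big-endian uint32; fail if fewer than 4 bytes remain. */
static int rd_u32(struct pkt_reader *r, uint32_t *out)
{
    if (r->left < 4)
        return -1;
    *out = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
           ((uint32_t)r->p[2] << 8) | (uint32_t)r->p[3];
    r->p += 4;
    r->left -= 4;
    return 0;
}

/* Read an SSH "string". The declared length comes from the peer, so it is
 * checked against the bytes left before any pointer is handed to the caller. */
static int rd_string(struct pkt_reader *r, const uint8_t **data, size_t *len)
{
    struct pkt_reader tmp = *r;     /* work on a copy, commit on success */
    uint32_t n;
    if (rd_u32(&tmp, &n) != 0 || n > tmp.left)
        return -1;                  /* truncated header or lying length */
    *data = tmp.p;
    *len = n;
    tmp.p += n;
    tmp.left -= n;
    *r = tmp;
    return 0;
}

/* Constructed sample packets: two valid strings; one claiming 256 bytes. */
static const uint8_t good_pkt[] = { 0, 0, 0, 3, 'a', 'b', 'c', 0, 0, 0, 0 };
static const uint8_t bad_pkt[] = { 0, 0, 1, 0, 'a', 'b', 'c' };
/* Count the strings in a packet, or return -1 if any field is malformed. */
static int count_strings(const uint8_t *buf, size_t n)
{
    struct pkt_reader r = { buf, n };
    const uint8_t *d;
    size_t l;
    int count;
    for (count = 0; r.left > 0; count++)
        if (rd_string(&r, &d, &l) != 0)
            return -1;
    return count;
}
```

Because rd_string only commits the cursor on success, a rejected field leaves the reader where it was, so the caller can drop the packet without having read past its end.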