From b151830bd2b3133a6c60af5b4719e584729a243e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= <essen@ninenines.eu>
Date: Thu, 21 Mar 2024 09:40:58 +0100
Subject: OTP-23.3.4.20

---
 early-plugins.mk                       |  4 +-
 release-notes/OTP-23.3.4.20.README.txt | 78 ++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 release-notes/OTP-23.3.4.20.README.txt

diff --git a/early-plugins.mk b/early-plugins.mk
index a399dfb..d331328 100644
--- a/early-plugins.mk
+++ b/early-plugins.mk
@@ -17,7 +17,7 @@ OTP-19 := OTP-19.0.7 OTP-19.1.6 OTP-19.2.3 OTP-19.3.6.13
 OTP-20 := OTP-20.0.5 OTP-20.1.7 OTP-20.2.4 OTP-20.3.8.26
 OTP-21 := OTP-21.0.9 OTP-21.1.4 OTP-21.2.7 OTP-21.3.8.24
 OTP-22 := OTP-22.0.7 OTP-22.1.8 OTP-22.2.8 OTP-22.3.4.26
-OTP-23 := OTP-23.0.4 OTP-23.1.5 OTP-23.2.7.3 OTP-23.3.4.19
+OTP-23 := OTP-23.0.4 OTP-23.1.5 OTP-23.2.7.3 OTP-23.3.4.20
 OTP-24 := OTP-24.0.6 OTP-24.1.7 OTP-24.2.2 OTP-24.3.4.16
 OTP-25 := OTP-25.0.4 OTP-25.1.2.1 OTP-25.2.3 OTP-25.3.2.10
 OTP-26 := OTP-26.0.2 OTP-26.1.2 OTP-26.2.3
@@ -107,7 +107,7 @@ OTP-23-DROPPED := OTP-23.0-rc1 OTP-23.0-rc2 OTP-23.0-rc3 OTP-23.0 OTP-23.0.1 \
 	OTP-23.2 OTP-23.2.1 OTP-23.2.3 OTP-23.2.4 OTP-23.3.1 OTP-23.3.2 OTP-23.2.7.2 \
 	OTP-23.3.3 OTP-23.3.4 OTP-23.3.4.1 OTP-23.3.4.5 OTP-23.3.4.6 OTP-23.3.4.7 \
 	OTP-23.3.4.8 OTP-23.3.4.9 OTP-23.3.4.10 OTP-23.3.4.11 OTP-23.3.4.12 \
-	OTP-23.3.4.13 OTP-23.3.4.14 OTP-23.3.4.15 OTP-23.3.4.16 OTP-23.3.4.17 OTP-23.3.4.18
+	OTP-23.3.4.13 OTP-23.3.4.14 OTP-23.3.4.15 OTP-23.3.4.16 OTP-23.3.4.17 OTP-23.3.4.18 OTP-23.3.4.19
 OTP-24-DROPPED := OTP-24.0-rc2 OTP-24.0-rc3 OTP-24.0 OTP-24.0.1 OTP-24.0.5 \
 	OTP-24.1 OTP-24.1.1 OTP-24.1.2 OTP-24.1.3 OTP-24.1.4 OTP-24.1.5 OTP-24.1.6 \
 	OTP-24.2 OTP-24.2.1 OTP-24.3 OTP-24.3.1 OTP-24.3.2 OTP-24.3.3 OTP-24.3.4 \
diff --git a/release-notes/OTP-23.3.4.20.README.txt b/release-notes/OTP-23.3.4.20.README.txt
new file mode 100644
index 0000000..1a5d3e9
--- /dev/null
+++ b/release-notes/OTP-23.3.4.20.README.txt
@@ -0,0 +1,78 @@
+Patch Package:           OTP 23.3.4.20
+Git Tag:                 OTP-23.3.4.20
+Date:                    2024-03-18
+Trouble Report Id:       OTP-18897, OTP-19002
+Seq num:                 ERIERL-1041
+System:                  OTP
+Release:                 23
+Application:             ssh-4.11.1.7
+Predecessor:             OTP 23.3.4.19
+
+ Check out the git tag OTP-23.3.4.20, and build a full OTP system
+ including documentation. Apply one or more applications from this
+ build as patches to your installation using the 'otp_patch_apply'
+ tool. For information on install requirements, see descriptions for
+ each application version below.
+
+ ---------------------------------------------------------------------
+ --- POTENTIAL INCOMPATIBILITIES -------------------------------------
+ ---------------------------------------------------------------------
+
+  OTP-18897    Application(s): ssh
+
+               With this change (being response to CVE-2023-48795),
+               ssh can negotiate "strict KEX" OpenSSH extension with
+               peers supporting it; also
+               'chacha20-poly1305@openssh.com' algorithm becomes a
+               less preferred cipher.
+
+               If strict KEX availability cannot be ensured on both
+               connection sides, affected encryption modes(CHACHA and
+               CBC) can be disabled with standard ssh configuration.
+               This will provide protection against vulnerability, but
+               at a cost of affecting interoperability. See
+               Configuring algorithms in SSH User's Guide.
+
+
+ ---------------------------------------------------------------------
+ --- ssh-4.11.1.7 ----------------------------------------------------
+ ---------------------------------------------------------------------
+
+ The ssh-4.11.1.7 application can be applied independently of other
+ applications on a full OTP 23 installation.
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-18897    Application(s): ssh
+
+               *** POTENTIAL INCOMPATIBILITY ***
+
+               With this change (being response to CVE-2023-48795),
+               ssh can negotiate "strict KEX" OpenSSH extension with
+               peers supporting it; also
+               'chacha20-poly1305@openssh.com' algorithm becomes a
+               less preferred cipher.
+
+               If strict KEX availability cannot be ensured on both
+               connection sides, affected encryption modes(CHACHA and
+               CBC) can be disabled with standard ssh configuration.
+               This will provide protection against vulnerability, but
+               at a cost of affecting interoperability. See
+               Configuring algorithms in SSH User's Guide.
+
+
+  OTP-19002    Application(s): ssh
+               Related Id(s): ERIERL-1041
+
+               With this change, KEX strict terminal message is
+               emitted with debug verbosity.
+
+
+ Full runtime dependencies of ssh-4.11.1.7: crypto-4.6.4, erts-9.0,
+ kernel-5.3, public_key-1.6.1, stdlib-3.4.1
+
+
+ ---------------------------------------------------------------------
+ ---------------------------------------------------------------------
+ ---------------------------------------------------------------------
+
-- 
cgit v1.2.3