Your message dated Thu, 02 Sep 2021 19:47:18 +0000
with message-id <[email protected]>
and subject line Bug#993046: fixed in libssh 0.9.5-1+deb11u1
has caused the Debian Bug report #993046,
regarding libssh: CVE-2021-3634
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
993046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993046
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh
Version: 0.9.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libssh.
CVE-2021-3634[0]:
| Possible heap-buffer overflow when rekeying
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-3634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3634
[1] https://www.libssh.org/security/advisories/CVE-2021-3634.txt
[2]
https://git.libssh.org/projects/libssh.git/commit/?id=d3060bc84ed4e160082e819b4d404f76df7c8063
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libssh
Source-Version: 0.9.5-1+deb11u1
Done: Martin Pitt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated libssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Aug 2021 13:52:11 +0200
Source: libssh
Architecture: source
Version: 0.9.5-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Laurent Bigonville <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Closes: 993046
Changes:
libssh (0.9.5-1+deb11u1) bullseye-security; urgency=high
.
* dh-gex: Avoid memory leaks.
Add 0001-dh-gex-Avoid-memory-leaks.patch: Backported from upstream 0.9.6
release.
* Fix handshake bug with AEAD ciphers and no HMAC overlap.
Add 0002-Fix-handshake-bug-with-AEAD-ciphers-and-no-HMAC-over.patch and
0003-Add-initial-server-algorithm-test-for-no-HMAC-overla.patch:
Backport fix and test from upstream 0.9.6 release.
* Create a separate length for session_id.
Add 0004-CVE-2021-3634-Create-a-separate-length-for-session_i.patch and
0005-tests-Simple-reproducer-for-rekeying-with-different-.patch:
Backport fix and test from upstream 0.9.6 release.
CVE-2021-3634 (Closes: #993046)
Checksums-Sha1:
c0d2ed5c8eab7d36708add8474d293fc1dfc7aad 2717 libssh_0.9.5-1+deb11u1.dsc
cac8772e6bea068e4defea067d4290991d566964 502876 libssh_0.9.5.orig.tar.xz
6d7ec8cce3e6d4fc6a4cb399ea4cd2580e6b0640 833 libssh_0.9.5.orig.tar.xz.asc
c008b35eb8ddedb82c4871265c1ca67574d5d8fe 34424
libssh_0.9.5-1+deb11u1.debian.tar.xz
f729f3b7c6856065ea5dad6cc0f88e9c76366dde 7270
libssh_0.9.5-1+deb11u1_source.buildinfo
Checksums-Sha256:
7865bc43f9f194547a36eacf86d74e3761f7045652c544479979cddb18a63215 2717
libssh_0.9.5-1+deb11u1.dsc
acffef2da98e761fc1fd9c4fddde0f3af60ab44c4f5af05cd1b2d60a3fa08718 502876
libssh_0.9.5.orig.tar.xz
e8b6141b7370ea08f83b5d78233e4ab0789a7dab8a11561accf36fb18544fae7 833
libssh_0.9.5.orig.tar.xz.asc
b5ab07da2e44689868bea58d9d606269a0b9f8b5773a9916b83b0642f4d472cd 34424
libssh_0.9.5-1+deb11u1.debian.tar.xz
7b7c0fb5d65df9b9eab48308cd619fb33e093f7bd9c109d00ab291feb4bed04a 7270
libssh_0.9.5-1+deb11u1_source.buildinfo
Files:
1034c7c90f57ff4a136b022a7ce99e98 2717 libs optional libssh_0.9.5-1+deb11u1.dsc
6211e47ba4dfd7f7e9f8a17a601245f4 502876 libs optional libssh_0.9.5.orig.tar.xz
49564e894ab537b4fdd323dc945ff473 833 libs optional libssh_0.9.5.orig.tar.xz.asc
2ad34520735156abb83a9536b123f93e 34424 libs optional
libssh_0.9.5-1+deb11u1.debian.tar.xz
d64b7caa61eb6b9c1f07fbb5090a14b9 7270 libs optional
libssh_0.9.5-1+deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEPbRrVe+lnUDmIyFI0U7xXa/hE0cFAmEsUnoACgkQ0U7xXa/h
E0fZFRAAnCb8PsxnvjZ/zleSpC4Q5XIi1/Iob/IJJKRcf8EIuT77EBYQS2OLkTq/
z+IJOomS/S1sFdkcK5Ka9VXV7ONMOaVSnSg8YCzEvU7PXeHHX/8b+Mr2UGOBlpOB
fOz5JNNgEe+V5AxIS2aBn+NGu7Um3eJy5jIuPvCrQ2k9fXpiRulX04OmxhZUFMXF
03Ig0B8vqDQrncfNtSBuNQaz2I4d/9Uwgz1GNilOUFu4IXneUvHDdZA9dd6dOqly
pOal43hPWkLXPx1nmWyNKT3fD1zHxDqBiwYC4ayPn0bvKoGTUeqBFvrTIxMHg/Ul
L7eNl7VFZNZOdHpuDHz41jEY7Z9coV+/XuU67l/zLicd0kZJIAY+pdoVDsMFMJeH
/3ETnfQ/aIRqCAwp/pgfRAXlPGqKF5LHT0mEpamC88YwOd6+2o5GJ5Lb9F+MhYPB
S0aGTjOdWGaH0Yvq5J/vTb9U2X70n1oKXHGiiWEA5MSawWocticNHsbLJx7wNe03
bGNKyYLVCWQRBxp6o781IjpRQFgZK84lv+D+i+6KG85wx8nbxzl+zvx9Pc2ts1pj
xxctHC+bTxv5BOH2fVK/P7vBLpyH6PDK54Hog0TlOs0i76ns1TMULMhzWYQhOYRN
jH+oCkAlLLpBRzyPfK4HcaUWVryw41ndqYYNRNdkllQ84haZfl0=
=0LOJ
-----END PGP SIGNATURE-----
--- End Message ---