Your message dated Sat, 28 Jun 2025 06:05:01 +0000
with message-id <[email protected]>
and subject line Bug#1108407: fixed in libssh 0.11.2-1
has caused the Debian Bug report #1108407,
regarding libssh: CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5449 CVE-2025-5987
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh
Version: 0.11.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for libssh.
CVE-2025-4877[0], CVE-2025-4878[1], CVE-2025-5318[2],
CVE-2025-5351[3], CVE-2025-5372[4], CVE-2025-5449[5] and
CVE-2025-5987[6].
The security-tracker already links as well to additional information
from upstream, still some CVEs are not yet published officially on
MITRE.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4877
https://www.cve.org/CVERecord?id=CVE-2025-4877
[1] https://security-tracker.debian.org/tracker/CVE-2025-4878
https://www.cve.org/CVERecord?id=CVE-2025-4878
[2] https://security-tracker.debian.org/tracker/CVE-2025-5318
https://www.cve.org/CVERecord?id=CVE-2025-5318
[3] https://security-tracker.debian.org/tracker/CVE-2025-5351
https://www.cve.org/CVERecord?id=CVE-2025-5351
[4] https://security-tracker.debian.org/tracker/CVE-2025-5372
https://www.cve.org/CVERecord?id=CVE-2025-5372
[5] https://security-tracker.debian.org/tracker/CVE-2025-5449
https://www.cve.org/CVERecord?id=CVE-2025-5449
[6] https://security-tracker.debian.org/tracker/CVE-2025-5987
https://www.cve.org/CVERecord?id=CVE-2025-5987
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libssh
Source-Version: 0.11.2-1
Done: Martin Pitt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated libssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 28 Jun 2025 07:42:47 +0200
Source: libssh
Architecture: source
Version: 0.11.2-1
Distribution: unstable
Urgency: medium
Maintainer: Laurent Bigonville <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Closes: 1108407
Changes:
libssh (0.11.2-1) unstable; urgency=medium
.
* New upstream security/bug fix release:
- CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions
- CVE-2025-4878: Use of uninitialized variable in privatekey_from_file()
- CVE-2025-5318: Likely read beyond bounds in sftp server handle management
- CVE-2025-5351: Double free in functions exporting keys
- CVE-2025-5372: ssh_kdf() returns a success code on certain failures
- CVE-2025-5449: Likely read beyond bounds in sftp server message decoding
- CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend
(Closes: #1108407)
* Drop 0001-Fix-multiple-digit-major-version-for-OpenSSH.patch. Applied upstream.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---