Your message dated Sun, 15 Mar 2026 09:19:16 +0000
with message-id <[email protected]>
and subject line Bug#1127693: fixed in libssh 0.12.0-1
has caused the Debian Bug report #1127693,
regarding libssh: CVE-2026-0964 CVE-2026-0965 CVE-2026-0966 CVE-2026-0967
CVE-2026-0968 CVE-2026-3731
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127693: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127693
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh
Version: 0.11.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.11.2-1+deb13u1
Hi,
The following vulnerabilities were published for libssh.
CVE-2026-0964[0]:
| Improper sanitation of paths received from SCP servers
CVE-2026-0965[1]:
| Denial of Service via improper configuration file handling
CVE-2026-0966[2]:
| Buffer underflow in ssh_get_hexa() on invalid input
CVE-2026-0967[3]:
| Denial of Service via inefficient regular expression processing
CVE-2026-0968[4]:
| Denial of Service due to malformed SFTP message
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-0964
    https://www.cve.org/CVERecord?id=CVE-2026-0964
[1] https://security-tracker.debian.org/tracker/CVE-2026-0965
    https://www.cve.org/CVERecord?id=CVE-2026-0965
[2] https://security-tracker.debian.org/tracker/CVE-2026-0966
    https://www.cve.org/CVERecord?id=CVE-2026-0966
[3] https://security-tracker.debian.org/tracker/CVE-2026-0967
    https://www.cve.org/CVERecord?id=CVE-2026-0967
[4] https://security-tracker.debian.org/tracker/CVE-2026-0968
    https://www.cve.org/CVERecord?id=CVE-2026-0968
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libssh
Source-Version: 0.12.0-1
Done: Martin Pitt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated libssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 15 Mar 2026 08:56:59 +0000
Source: libssh
Architecture: source
Version: 0.12.0-1
Distribution: unstable
Urgency: medium
Maintainer: Laurent Bigonville <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Closes: 1127693
Changes:
 libssh (0.12.0-1) unstable; urgency=medium
 .
   * New upstream security/feature release:
     - CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
     - CVE-2026-0965: Possible Denial of Service when parsing unexpected
       configuration files
     - CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
     - CVE-2026-0967: Specially crafted patterns could cause DoS
     - CVE-2026-0968: OOB Read in sftp_parse_longname()
     - CVE-2026-3731: Read buffer overrun when handling SFTP extensions
     - Note: CVE-2025-14821 is Windows specific, does not apply to Linux
     (Closes: #1127693)
   * Enable new FIDO/U2F support. Build-depend on libfido2-dev.
   * Drop "Priority: optional" field. Debian Policy 4.7.3 made this obsolete.
     Bump Standards-Version accordingly.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---