Hello Salvatore and Laurent,

Salvatore Bonaccorso [2021-08-26 22:21 +0200]:
> The following vulnerability was published for libssh.
> 
> CVE-2021-3634[0]:
> | Possible heap-buffer overflow when rekeying
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I backported the security fix, the AEAD handshake failure fix, and two
(trivial) memory leak fixes, in the first three commits here:

  https://salsa.debian.org/debian/libssh/-/commits/bullseye-security

The fourth is just administrative (tell git-buildpackage about the new
bullseye-security branch) and not user-visible.

The (mostly autogenerated) changelog would look like this:

libssh (0.9.5-1+deb11u1) bullseye-security; urgency=high

  * dh-gex: Avoid memory leaks.
    Add 0001-dh-gex-Avoid-memory-leaks.patch: Backported from upstream 0.9.6
    release.
  * Fix handshake bug with AEAD ciphers and no HMAC overlap.
    Add 0002-Fix-handshake-bug-with-AEAD-ciphers-and-no-HMAC-over.patch and 
    0003-Add-initial-server-algorithm-test-for-no-HMAC-overla.patch:
    Backport fix and test from upstream 0.9.6 release.
  * Create a separate length for session_id.
    Add 0004-CVE-2021-3634-Create-a-separate-length-for-session_i.patch and 
    0005-tests-Simple-reproducer-for-rekeying-with-different-.patch:
    Backport fix and test from upstream 0.9.6 release.
    CVE-2021-3634 (Closes: #993046)

 -- Martin Pitt <mp...@debian.org>  Sat, 28 Aug 2021 13:52:11 +0200

Is that ok with you, in particular the not-quite-CVE patches? Should I upload
directly or put the dsc somewhere?

Laurent, ok with you or do you have something else?

Thanks,

Martin
