Hi,

On Sun, Jun 29, 2025 at 10:12:58AM +0200, Martin Pitt wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:libssh
>
> Please unblock the recent libssh security update in unstable to land in
> trixie.
>
> [ Reason ]
> That fixes a bunch of CVEs (https://bugs.debian.org/1108407,
> https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/),
> plus some good fixes and minor cmake build system cleanups.
One question here from the release team might be: why are you following the 0.11.y stable releases instead of cherry-picking the fixes?

For libssh, while it is not yet on the list of packages which fix the security issues through micro releases, libssh has a history of actually doing so. For the last bookworm-security update, https://bugs.debian.org/1059061#15 resulted in an update from 0.10.5-2 -> 0.10.6-0+deb12u1, and likewise back in bullseye-security it got bumped to 0.9.8-0+deb11u1. We have done so as well earlier for https://bugs.debian.org/1035832.

So to confirm: if trixie had already been released, then a DSA for libssh likely would have accepted a 0.11.2-0+deb13u1 to address the mentioned CVEs and follow the released upstream version in the 0.11.y branch.

Regards,
Salvatore

