[ You missed the correct mailing list. debian-security is _not_
the correct way to reach the security team, fixing ]
On Sun, Dec 24, 2023 at 09:12:04AM +0000, Sean Whitton wrote:
> Hello,
>
> I have taken responsibility for fixing these CVEs in libssh in buster,
> as part of Freexian-funded LTS work. I would like to see if I can help
> get them fixed in bullseye & bookworm in parallel, to avoid a situation
> where they're fixed in buster but not fixed in releases to which LTS
> users might soon upgrade their machines.
>
> I see the fixes are all in sid. Are you expecting to issue DSAs for
> bullseye and bookworm? I would be grateful for some information on the
> sec team's plans for these fixes.
There will be updates via s.d.i, but with some intentional delay to
first spot regressions based on the upload to sid.
Cheers,
Moritz
