Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: lib...@packages.debian.org
Control: affects -1 + src:libssh
Hello,
A few days ago, a new libssh upstream microrelease [1] was published which fixes
two CVEs. I packaged it for unstable four days ago; it built everywhere, and
thus passed the (rather extensive) upstream tests, as well as the autopkgtest
integration tests everywhere [2]. I know one big consumer of libssh well --
cockpit -- which also has successful tests against 0.10.5.
The packaging git already had a few rather harmless updates from the Debian
janitor [3] which I included in the unstable upload. I attached the debian/*
parts of the debdiff between current testing and unstable. If you want to
inspect the full upstream diff as well, I suggest the upstream git view for
the stable 0.10 branch [4], or the full debdiff view on salsa [5].
Salvatore Bonaccorso from the security team pointed out that libssh won't
auto-migrate any more at this point in time, so I'd like to coordinate these
two CVEs with you for fixing testing. If you consider 0.10.5 too risky at this
point, I can also prepare a backport similar to the update that I prepared for
stable-security, but it's more work, and backporting non-trivial patches is
also not risk-free. This gets coordinated in [6].
Thanks,
Martin
unblock libssh/0.10.5-1
[1] https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
[2] https://tracker.debian.org/pkg/libssh
[3]
https://salsa.debian.org/debian/libssh/-/commit/45b9437b4c4711584dba7debe6600aa2a2d7f6c4
https://salsa.debian.org/debian/libssh/-/commit/5feb4c4e0405e6af69d6d448ab934f7876d2ea90
https://salsa.debian.org/debian/libssh/-/commit/8e55b07477c194630bd60c049ca28c57da2881fd
[4] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
[5] https://salsa.debian.org/debian/libssh/-/compare/4066480562aa1d2682bd5c831c1acd2a2777...debian?from_project_id=20695&straight=false
[6] https://bugs.debian.org/1035832
--- libssh-0.10.4/debian/changelog 2022-09-19 08:41:22.0 +
+++ libssh-0.10.5/debian/changelog 2023-05-10 06:00:26.0 +
@@ -1,3 +1,26 @@
+libssh (0.10.5-1) unstable; urgency=high
+
+ [ Martin Pitt ]
+ * New upstream security release (thus high urgency):
+- Fix authenticated remote DoS through potential NULL dereference during
rekeying
+ with algorithm guessing (CVE-2023-1667)
+ https://www.libssh.org/security/advisories/CVE-2023-1667.txt
+- Client authentication bypass in pki_verify_data_signature() in low-memory
+ conditions with OpenSSL backend; gcrypt backend is not affected
+ https://www.libssh.org/security/advisories/CVE-2023-2283.txt
+ (CVE-2023-2283, Closes: #1035832)
+ * Bump Standards-Version to 4.6.2. No changes necessary.
+ * Drop debian/source/lintian-overrides. It now causes a "mismatched-override"
+warning, and apparently is not necessary any more.
+ * debian/copyright: Drop files which don't exist any more.
+Spotted by lintian's "superfluous-file-pattern" warnings.
+
+ [ Debian Janitor ]
+ * Bump debhelper from old 12 to 13.
+ * Avoid explicitly specifying -Wl,--as-needed linker flag.
+
+ -- Martin Pitt Wed, 10 May 2023 08:00:26 +0200
+
libssh (0.10.4-2) unstable; urgency=medium
* autopkgtest: Drop valgrind run. This hasn't worked for years on many
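Review bot: only the CVE-2023-2283 item carries a bug reference ("Closes: #1035832"); the CVE-2023-1667 item has none. If the security tracker filed a separate BTS bug for CVE-2023-1667, or #1035832 is meant to cover both CVEs, say so in the entry (and add the matching Closes) so that this upload updates the BTS and the security tracker for both issues, not just one.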
diff -Nru libssh-0.10.4/debian/control libssh-0.10.5/debian/control
--- libssh-0.10.4/debian/control2022-09-19 08:41:22.0 +
+++ libssh-0.10.5/debian/control2023-05-10 06:00:26.0 +
@@ -4,7 +4,7 @@
Maintainer: Laurent Bigonville
Uploaders: Mike Gabriel , Martin Pitt
Build-Depends: cmake (>= 2.8.5),
- debhelper-compat (= 12),
+ debhelper-compat (= 13),
libcmocka-dev ,
libgcrypt-dev,
libkrb5-dev | heimdal-dev,
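Review bot: the debhelper-compat bump from 12 to 13 is unrelated to the two CVE fixes this unblock is for, and a compat bump changes how dh sequences behave, so it is not a no-op by construction. For a freeze upload either drop the bump (keep "debhelper-compat (= 12)" and let it ride in the next cycle) or state in the request that the built binary packages were compared against 0.10.4-2 (file lists, maintainer scripts, shlibs/symbols) and came out identical apart from the upstream changes; "it built everywhere" on its own does not establish that.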
@@ -15,7 +15,7 @@
pkg-config,
python3:any ,
Build-Depends-Indep: doxygen , graphviz
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Rules-Requires-Root: no
Vcs-Git: https://salsa.debian.org/debian/libssh.git
Vcs-Browser: https://salsa.debian.org/debian/libssh
@@ -97,6 +97,7 @@
Suggests: doc-base
Depends: ${misc:Depends}
Build-Profiles:
+Multi-Arch: foreign
Description: tiny C SSH library - Documentation files
The ssh library was designed to be used by programmers needing a working SSH
implementation by the mean of a library. The complete control of the client
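Review bot: the added "Multi-Arch: foreign" on the documentation package is not mentioned anywhere in the changelog entry, which lists only the debhelper bump and the --as-needed removal under the Janitor heading and nothing under Martin's entries. Add a changelog line for it, since the release team reviews the debdiff against the changelog when deciding on an unblock. Separately, the "Build-Profiles:" line directly above the addition appears with an empty value in this rendering; please confirm the field still carries its profile restriction in the actual file and was not clobbered by the edit.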
diff -Nru libssh-0.10.4/debian/copyright libssh-0.10.5/debian/copyright
--- libssh-0.10.4/debian/copyright 2022-09-19 08:41:22.0 +
+++ libssh-0.10.5/debian/copyright 2023-05-10 06:00:26.0 +
@@ -23,7 +23,6 @@
tests/client/torture_connect.c
tests/client/torture_knownhosts.c
tests/client/torture_session.c
- tests/test_pcap.c
tests/tes
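Review bot: the attached debdiff stops in the middle of the debian/copyright hunk (the last line is cut off at "tests/tes"), so the remainder of the removed file patterns, and any later hunks (debian/rules for the -Wl,--as-needed change mentioned in the changelog, debian/source/lintian-overrides), cannot be reviewed from this message. Please attach the complete debian/* debdiff; the removal of the no-longer-existing tests/test_pcap.c pattern itself is fine.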