Bug#1036026: unblock: libssh/0.10.5-1

2023-05-17 Thread Martin Pitt
Control: tag -1 -moreinfo
Control: retitle -1 unblock: libssh/0.10.5-2

Hello Sebastian,

Sebastian Ramacher [2023-05-16 22:49 +0200]:
> It's too late for debhelper compat bumps. See 
> https://release.debian.org/bookworm/FAQ.html
>
> Please re-upload without that change and remove the moreinfo tag once
> that happened.

Good point. I reverted the change [1], resulting in the attached debdiff. Uploaded
as libssh_0.10.5-2.dsc.

Thanks,

Martin

[1] https://salsa.debian.org/debian/libssh/-/commit/49823ffd5c9ce8
diff -Nru libssh-0.10.5/debian/changelog libssh-0.10.5/debian/changelog
--- libssh-0.10.5/debian/changelog  2023-05-10 06:00:26.0 +
+++ libssh-0.10.5/debian/changelog  2023-05-17 19:56:56.0 +
@@ -1,3 +1,10 @@
+libssh (0.10.5-2) unstable; urgency=medium
+
+  * Revert "Bump debhelper from old 12 to 13."
+This is not appropriate at this point of the release cycle any more.
+
+ -- Martin Pitt   Wed, 17 May 2023 19:56:56 +
+
 libssh (0.10.5-1) unstable; urgency=high
 
   [ Martin Pitt ]
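Review bot: the changelog entry `+  * Revert "Bump debhelper from old 12 to 13."` states the reason only as "not appropriate at this point of the release cycle"; citing the unblock bug (#1036026) or the bookworm freeze FAQ the release team pointed to would let a later reader find the rationale without this thread. The revert itself touches only the debhelper-compat line in debian/control, which matches the single line the janitor's bump changed in 0.10.5-1, so nothing else needs unwinding.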
diff -Nru libssh-0.10.5/debian/control libssh-0.10.5/debian/control
--- libssh-0.10.5/debian/control2023-05-10 06:00:26.0 +
+++ libssh-0.10.5/debian/control2023-05-17 19:56:56.0 +
@@ -4,7 +4,7 @@
 Maintainer: Laurent Bigonville 
 Uploaders: Mike Gabriel , Martin Pitt 
 Build-Depends: cmake (>= 2.8.5),
-   debhelper-compat (= 13),
+   debhelper-compat (= 12),
libcmocka-dev ,
libgcrypt-dev,
libkrb5-dev | heimdal-dev,
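Review bot: `+   debhelper-compat (= 12)` restores exactly the value testing has (the 0.10.4 control in the earlier diff also carries `debhelper-compat (= 12)`), so 0.10.5-2 differs from 0.10.5-1 only in the compat level and the surrounding Build-Depends are unchanged context. Worth a quick check that nothing else from the janitor's bump commit relied on compat 13 defaults, since such a dependency would surface only at build time.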




Bug#1036026: unblock: libssh/0.10.5-1

2023-05-16 Thread Sebastian Ramacher
Control: tags -1 moreinfo confirmed

On 2023-05-13 15:49:12 +0200, Martin Pitt wrote:
> --- libssh-0.10.4/debian/changelog2022-09-19 08:41:22.0 +
> +++ libssh-0.10.5/debian/changelog2023-05-10 06:00:26.0 +
> @@ -1,3 +1,26 @@
> +libssh (0.10.5-1) unstable; urgency=high
> +
> +  [ Martin Pitt ]
> +  * New upstream security release (thus high urgency):
> +- Fix authenticated remote DoS through potential NULL dereference during 
> rekeying
> +  with algorithm guessing (CVE-2023-1667)
> +  https://www.libssh.org/security/advisories/CVE-2023-1667.txt
> +- Client authentication bypass in pki_verify_data_signature() in 
> low-memory
> +  conditions with OpenSSL backend; gcrypt backend is not affected
> +  https://www.libssh.org/security/advisories/CVE-2023-2283.txt
> +  (CVE-2023-2283, Closes: #1035832)
> +  * Bump Standards-Version to 4.6.2. No changes necessary.
> +  * Drop debian/source/lintian-overrides. It now causes a 
> "mismatched-override"
> +warning, and apparently is not necessary any more.
> +  * debian/copyright: Drop files which don't exist any more.
> +Spotted by lintian's "superfluous-file-pattern" warnings.
> +
> +  [ Debian Janitor ]
> +  * Bump debhelper from old 12 to 13.

It's too late for debhelper compat bumps. See 
https://release.debian.org/bookworm/FAQ.html

Please re-upload without that change and remove the moreinfo tag once
that happened.

Cheers
-- 
Sebastian Ramacher



Bug#1036026: unblock: libssh/0.10.5-1

2023-05-13 Thread Martin Pitt
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: lib...@packages.debian.org
Control: affects -1 + src:libssh

Hello,

A few days ago, a new libssh upstream microrelease [1] was published which fixes
two CVEs. I packaged it for unstable four days ago, it built everywhere, and
thus passed the (rather extensive) upstream tests, as well as the autopkgtest
integration tests everywhere [2]. I know one big consumer of libssh well --
cockpit -- which also has successful tests against 0.10.5.

The packaging git already had a few rather harmless updates from the Debian
janitor [3] which I included into the unstable upload. I attached the debian/*
parts of the debdiff between current testing and unstable. If you want to
inspect the full upstream diff as well, I suggest the upstream git view for
the stable 0.10 branch [4], or the full debdiff view on salsa [5].

Salvatore Bonaccorso from the security team pointed out that libssh won't
auto-migrate any more at this point in time, so I'd like to coordinate these
two CVEs with you for fixing testing. If you consider 0.10.5 too risky at this
point, I can also prepare a backport similar to the update that I prepared for
stable-security, but it's more work, and backporting non-trivial patches is
also not risk-free. This gets coordinated in [6].

Thanks,

Martin

unblock libssh/0.10.5-1


[1] https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
[2] https://tracker.debian.org/pkg/libssh
[3] https://salsa.debian.org/debian/libssh/-/commit/45b9437b4c4711584dba7debe6600aa2a2d7f6c4
    https://salsa.debian.org/debian/libssh/-/commit/5feb4c4e0405e6af69d6d448ab934f7876d2ea90
    https://salsa.debian.org/debian/libssh/-/commit/8e55b07477c194630bd60c049ca28c57da2881fd
[4] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
[5] https://salsa.debian.org/debian/libssh/-/compare/4066480562aa1d2682bd5c831c1acd2a2777...debian?from_project_id=20695=false
[6] https://bugs.debian.org/1035832
--- libssh-0.10.4/debian/changelog  2022-09-19 08:41:22.0 +
+++ libssh-0.10.5/debian/changelog  2023-05-10 06:00:26.0 +
@@ -1,3 +1,26 @@
+libssh (0.10.5-1) unstable; urgency=high
+
+  [ Martin Pitt ]
+  * New upstream security release (thus high urgency):
+- Fix authenticated remote DoS through potential NULL dereference during 
rekeying
+  with algorithm guessing (CVE-2023-1667)
+  https://www.libssh.org/security/advisories/CVE-2023-1667.txt
+- Client authentication bypass in pki_verify_data_signature() in low-memory
+  conditions with OpenSSL backend; gcrypt backend is not affected
+  https://www.libssh.org/security/advisories/CVE-2023-2283.txt
+  (CVE-2023-2283, Closes: #1035832)
+  * Bump Standards-Version to 4.6.2. No changes necessary.
+  * Drop debian/source/lintian-overrides. It now causes a "mismatched-override"
+warning, and apparently is not necessary any more.
+  * debian/copyright: Drop files which don't exist any more.
+Spotted by lintian's "superfluous-file-pattern" warnings.
+
+  [ Debian Janitor ]
+  * Bump debhelper from old 12 to 13.
+  * Avoid explicitly specifying -Wl,--as-needed linker flag.
+
+ -- Martin Pitt   Wed, 10 May 2023 08:00:26 +0200
+
 libssh (0.10.4-2) unstable; urgency=medium

   * autopkgtest: Drop valgrind run. This hasn't worked for years on many
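Review bot: the `[ Debian Janitor ]` block, `+  * Bump debhelper from old 12 to 13.`, is a packaging-tooling change unrelated to the two CVE fixes that justify this unblock; during the freeze the diff should be limited to the targeted fix, so this line and the matching debian/control change belong in a separate upload after the release. The two CVE bullets themselves are well documented: each names the affected code path, the backend scope, and the upstream advisory URL.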
diff -Nru libssh-0.10.4/debian/control libssh-0.10.5/debian/control
--- libssh-0.10.4/debian/control2022-09-19 08:41:22.0 +
+++ libssh-0.10.5/debian/control2023-05-10 06:00:26.0 +
@@ -4,7 +4,7 @@
 Maintainer: Laurent Bigonville 
 Uploaders: Mike Gabriel , Martin Pitt 
 Build-Depends: cmake (>= 2.8.5),
-   debhelper-compat (= 12),
+   debhelper-compat (= 13),
libcmocka-dev ,
libgcrypt-dev,
libkrb5-dev | heimdal-dev,
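Review bot: `+   debhelper-compat (= 13)` is the line the release team will object to: raising the compat level changes the default behaviour of the dh sequence rather than the package's source, which is exactly the kind of change the freeze policy excludes. Keep `debhelper-compat (= 12)` for the unblock upload and bump it later.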
@@ -15,7 +15,7 @@
pkg-config,
python3:any ,
 Build-Depends-Indep: doxygen , graphviz 
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/debian/libssh.git
 Vcs-Browser: https://salsa.debian.org/debian/libssh
@@ -97,6 +97,7 @@
 Suggests: doc-base
 Depends: ${misc:Depends}
 Build-Profiles: 
+Multi-Arch: foreign
 Description: tiny C SSH library - Documentation files
  The ssh library was designed to be used by programmers needing a working SSH
  implementation by the mean of a library. The complete control of the client
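Review bot: `+Multi-Arch: foreign` on the documentation package is not mentioned anywhere in the 0.10.5-1 changelog entry (the janitor block lists only the debhelper bump and the --as-needed change); add a changelog line for it so the unblock request documents every debian/* delta. The marking itself is reasonable for a documentation package whose only dependency is ${misc:Depends}.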
diff -Nru libssh-0.10.4/debian/copyright libssh-0.10.5/debian/copyright
--- libssh-0.10.4/debian/copyright  2022-09-19 08:41:22.0 +
+++ libssh-0.10.5/debian/copyright  2023-05-10 06:00:26.0 +
@@ -23,7 +23,6 @@
tests/client/torture_connect.c
tests/client/torture_knownhosts.c
tests/client/torture_session.c
-   tests/test_pcap.c
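Review bot: dropping `tests/test_pcap.c` from the Files list matches the changelog's "debian/copyright: Drop files which don't exist any more"; since the hunk is cut off here, confirm against the unpacked 0.10.5 source that this and any further removed patterns are really gone rather than moved, because a stale path in debian/copyright is only a lintian warning while a missing one is a licensing gap.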