Bug#1108459: unblock: libssh/0.11.2-1

2025-07-05 Thread Salvatore Bonaccorso
Hi,

On Sun, Jun 29, 2025 at 10:12:58AM +0200, Martin Pitt wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:libssh
> 
> Please unblock the recent libssh security update in unstable to land in 
> trixie.
> 
> [ Reason ]
> That fixes a bunch of CVEs (https://bugs.debian.org/1108407,
> https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/),
> plus some good fixes and minor cmake build system cleanups.

One question here from the release team might be: Why are you
following the 0.11.y stable releases instead of cherry-picking the
fixes.

For libssh, while it is not yet on the list of packages which fix
security issues through micro releases, libssh has a history of
actually doing so:

For the last bookworm-security update:
https://bugs.debian.org/1059061#15 which resulted in an update from
0.10.5-2 -> 0.10.6-0+deb12u1, and likewise back in bullseye-security it
got bumped to 0.9.8-0+deb11u1. We have done so as well earlier for
https://bugs.debian.org/1035832

So to confirm: if trixie had already been released, then a DSA
for libssh likely would have accepted a 0.11.2-0+deb13u1 to address
the mentioned CVEs and follow the released upstream version in the
0.11.y branch.

Regards,
Salvatore



Bug#1108459: unblock: libssh/0.11.2-1

2025-06-29 Thread Martin Pitt
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libssh

Please unblock the recent libssh security update in unstable to land in trixie.

[ Reason ]
That fixes a bunch of CVEs (https://bugs.debian.org/1108407,
https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/),
plus some good fixes and minor cmake build system cleanups.

[ Impact ]
No API/ABI changes, so this does not affect other packages.

[ Tests ]
The less obvious upstream changes have unit tests, e.g.
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=3443aec90188d
The more obvious or "shallow but mass-scale" changes don't, e.g.
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=6ddb730a273 
or
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=697650caa97

However, there were about 6 reverse-dependency autopkgtests and they all
passed. Unfortunately they disappear from
https://qa.debian.org/excuses.php?package=libssh after passing, I don't know
how to get that list now. But I saw the "in progress" ones yesterday.

[ Risks ]
There are numerous changes, and while I reviewed them they are not 100% risk
free due to sheer size. However, I have some trust in the revdeps autopkgtests.

[ Checklist ]
  [x] all security relevant changes are documented in the d/changelog; I didn't
  enumerate the bug fixes
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I attach the debdiff as a formality, but it's much easier and more useful to
review the individual upstream commits. They can be seen here:
https://git.libssh.org/projects/libssh.git/log/?h=stable-0.11 all the commits
that were made in the recent days, up to the (previous) libssh-0.11.1 tag.

Thanks,

Martin


Attachment: libssh_0.11.1-2_0.11.2-1.debdiff.gz (application/gzip)