Accepted libssh2 1.4.3-4.1+deb8u4 (source amd64) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 24 Jul 2019 23:52:01 +0200
Source: libssh2
Binary: libssh2-1 libssh2-1-dev libssh2-1-dbg
Architecture: source amd64
Version: 1.4.3-4.1+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Mikhail Gusarov <dottedmag@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
libssh2-1 - SSH2 client-side library
libssh2-1-dbg - SSH2 client-side library (debug package)
libssh2-1-dev - SSH2 client-side library (development headers)
Changes:
libssh2 (1.4.3-4.1+deb8u4) jessie-security; urgency=medium
.
* Non-maintainer upload by the LTS team.
* CVE-2019-3859:
- CVE-2019-3859 (+ CVE-2019-13115): Correctly check key_state data length
in kex_method_diffie_hellman_group_exchange_sha1_key_exchange() in kex.c.
Avoid various signedness flaws introduced by the initial fix(es) around
CVE-2019-3859 (regression CVE registered as CVE-2019-13115).
- Add CVE-2019-3859-4_channel-c.patch and CVE-2019-3859-5_userauth-c.patch.
Derived by manually comparing upstream security fix commit
dc109a7f518757741590bb993c0c8412928ccec2 against what we had in
Debian jessie LTS's versions of libssh2, so far.
- This completes a series of fixes unfortunately only partially provided
in earlier security uploads of libssh2 to Debian jessie LTS.
Due to non-optimal CVE documentation and the manifold of upstream security
changes before libssh2 1.9, it hasn't been easy to identify all
necessary changes to fix the recent CVEs (2019-3855 - 2019-3863).
Furthermore, for a non-upstream dev it has also not been easy to identify
which upstream fix was for which CVE.
* Add additional-bounds-checks-in-diffie_hellman_sha1.patch. Additional
bounds checks in diffie_hellman_sha1.
Checksums-Sha1:
8d641aeee99e8b794f55e1687cb66e3f7e35911e 1928 libssh2_1.4.3-4.1+deb8u4.dsc
b99bd9b745257afff48c4d57ffffffd6a84be817 20156 libssh2_1.4.3-4.1+deb8u4.debian.tar.xz
de3d5ec45b0e3d3e84d4b4f1471715c053bd4b30 128178 libssh2-1_1.4.3-4.1+deb8u4_amd64.deb
0dea0a00985e1b34de5b3a959d5921616b01f7e5 292814 libssh2-1-dev_1.4.3-4.1+deb8u4_amd64.deb
88b785b3b63ea72d5aa8f84076064a71ef11cb4f 234494 libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb
Checksums-Sha256:
d1a376b374716428beacaea56183aa5e266dcb62541b4b92017315eecf379478 1928 libssh2_1.4.3-4.1+deb8u4.dsc
e56f275f519e4dd268684c9b64954913858768c1aeed490dd201638ef1e57c42 20156 libssh2_1.4.3-4.1+deb8u4.debian.tar.xz
cf343318fb491b04efc7fc02e545c477c03a5ae524fd117e150736db394ad46b 128178 libssh2-1_1.4.3-4.1+deb8u4_amd64.deb
820e93fd3f120ad794be81626482e2cc531c3d80aaeb75dfb0d95d0c70dd17e1 292814 libssh2-1-dev_1.4.3-4.1+deb8u4_amd64.deb
10a77e1c552a65089aef2f5648bd1c167681b51390629e670896483d59b973c4 234494 libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb
Files:
95886648f8f3bb10dffaee8697e2a596 1928 libs optional libssh2_1.4.3-4.1+deb8u4.dsc
3e640ffb7928640320fccaab24869715 20156 libs optional libssh2_1.4.3-4.1+deb8u4.debian.tar.xz
188105456864a29804481c65a97a0ca1 128178 libs optional libssh2-1_1.4.3-4.1+deb8u4_amd64.deb
dd779d89c0c7bf03b219c58ec4e7b321 292814 libdevel optional libssh2-1-dev_1.4.3-4.1+deb8u4_amd64.deb
3c9c2c9c9d0088fe9a482fbe83b4be3e 234494 debug extra libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl058/sVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxyIQQAJHYrpCejc0FxeFLAKqG9wq8M2hw
2pFhG7OzTDXNHPsInOkJe1usgwoEuylI1dDwGcLIRK+T2UseWGwuEay1Nng4kMdW
xX5wP3VFt5AVgVgmOshZXJ0VK1lFdgMoyeJrUwiwS3a0QLUsabb/NosbT1yKS2de
N/jE3f7uc5qDjUmjvrlSBfAEDz9U3/S5B80F0T0SE472oApgdV37ft+wH8sTajDf
+XP9uQdxmkcwmyzjelKzsY3sAVt5v56R448ZAc+StdBsauogyMfvRTXiTKR2OMIJ
Jh4KnjvympgeA3QezRnN9GQ/z3dcPj1YV1LlB97V019uU6GUN1U1FSnDJTHVyRLH
2kqpZXgRXncYbBvROqUAUQkgwEcZb1pJ9jajPV5g3qzu5yP6TkoI1a0fxVAByJLp
bHSk9/r54rH56sHZelrsUHietkcKRV49bq/GPyQrwFcj1drO40LtvOwOFfQnqUNP
7LnAavCyXpSWBbyAU9tJKQSMHH8jvxG2dP5FvwH6bXLYEas1MoXZtruXfROmtX1V
JhY8wtXa3iKVbtuJFhVpWVYz+OimEn4AEDxB6DuviCkaySbtqX6fobsadJb1Z9ev
pCUx4oHixqtndcNZc1dKyfKh1Q5QecQ5pNSdv/FuPsZvj/T4cDa1maVOHNzfCwjj
RiwTc6XvfTL98nmw
=F2cE
-----END PGP SIGNATURE-----
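The changelog above describes the defect class these patches address: a key-exchange handler that trusts server-supplied length fields in the received packet without checking them against the bytes actually present, plus a regression where the first round of fixes compared lengths as signed integers. The following is an added illustration written for this page; it is neither libssh2's source nor the Debian patch. It reads the SSH_MSG_KEX_DH_GEX_GROUP payload (RFC 4419: one message byte, then mpint p and mpint g, each a 4-byte big-endian length followed by that many bytes) with size_t arithmetic and a per-field remaining-bytes check, and places beside it a naive int-typed length check of the kind a large 32-bit length slips past. The packet bytes are constructed for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative example only; not libssh2 source and not the Debian patch.
 * SSH_MSG_KEX_DH_GEX_GROUP (RFC 4419) is laid out as:
 *   byte   31
 *   mpint  p      (4-byte big-endian length, then that many bytes)
 *   mpint  g
 * The server chooses every length field, so each one must be checked
 * against the bytes actually left in the packet before it is used. */

#define SSH_MSG_KEX_DH_GEX_GROUP 31

struct mpint { const uint8_t *data; size_t len; };

/* Read cursor over a received packet. Lengths are size_t throughout. */
struct cursor { const uint8_t *p; size_t left; };

static int read_u32(struct cursor *c, uint32_t *out)
{
    if (c->left < 4)
        return -1;                        /* no room for the length field itself */
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4;
    c->left -= 4;
    return 0;
}

static int read_mpint(struct cursor *c, struct mpint *out)
{
    uint32_t n;
    if (read_u32(c, &n) != 0)
        return -1;
    if ((size_t)n > c->left)              /* claimed length vs bytes actually left */
        return -1;
    out->data = c->p;
    out->len = n;
    c->p += n;
    c->left -= n;
    return 0;
}

/* Hardened parser: 0 on success, -1 on any truncated or oversized field. */
int parse_gex_group(const uint8_t *pkt, size_t pkt_len,
                    struct mpint *p, struct mpint *g)
{
    struct cursor c = { pkt, pkt_len };
    if (c.left < 1 || c.p[0] != SSH_MSG_KEX_DH_GEX_GROUP)
        return -1;
    c.p++;
    c.left--;
    if (read_mpint(&c, p) != 0 || read_mpint(&c, g) != 0)
        return -1;
    return c.left == 0 ? 0 : -1;          /* trailing bytes are also a malformed packet */
}

/* The signedness trap: a length check written with int. On two's-complement
 * compilers (gcc, clang) a 32-bit length of 0xFFFFFFF0 becomes -16, which is
 * "not greater than" any non-negative remaining count, so the check accepts
 * it and a later pointer advance or copy runs off the end of the packet.
 * Returns 1 if the naive check would accept the length, 0 if it rejects. */
int naive_int_check_accepts(uint32_t claimed_len, int remaining)
{
    int len = (int)claimed_len;           /* wraps negative for claimed_len >= 2^31 */
    return len <= remaining;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t GEX_OK[]    = { 31, 0,0,0,2, 0x00,0x17, 0,0,0,1, 0x02 };            /* p=0x0017, g=2 */
const uint8_t GEX_TRUNC[] = { 31, 0,0,0,16, 0x00,0x17 };                           /* p claims 16 bytes, 2 present */
const uint8_t GEX_HUGE[]  = { 31, 0xff,0xff,0xff,0xf0, 0x00,0x17, 0,0,0,1, 0x02 }; /* p claims ~4 GiB */

int main(void)
{
    struct mpint p, g;
    printf("ok packet:        %d\n", parse_gex_group(GEX_OK, sizeof GEX_OK, &p, &g));
    printf("truncated packet: %d\n", parse_gex_group(GEX_TRUNC, sizeof GEX_TRUNC, &p, &g));
    printf("huge length:      %d\n", parse_gex_group(GEX_HUGE, sizeof GEX_HUGE, &p, &g));
    printf("naive int check accepts 0xFFFFFFF0 with 8 bytes left: %d\n",
           naive_int_check_accepts(0xFFFFFFF0u, 8));
    return 0;
}
```

The two properties worth carrying into any packet parser of this kind are visible here: the remaining-byte count is decremented only after a field has been validated, so a later field can never be checked against stale state, and every length lives in an unsigned type wide enough to hold the 32-bit wire value, so the comparison cannot be defeated by wraparound.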