
Accepted libssh2 1.4.3-4.1+deb8u4 (source amd64) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 Jul 2019 23:52:01 +0200
Source: libssh2
Binary: libssh2-1 libssh2-1-dev libssh2-1-dbg
Architecture: source amd64
Version: 1.4.3-4.1+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Mikhail Gusarov <dottedmag@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 libssh2-1  - SSH2 client-side library
 libssh2-1-dbg - SSH2 client-side library (debug package)
 libssh2-1-dev - SSH2 client-side library (development headers)
Changes:
 libssh2 (1.4.3-4.1+deb8u4) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-3859:
     - CVE-2019-3859 (+ CVE-2019-13115): Correctly check key_state data length
       in kex_method_diffie_hellman_group_exchange_sha1_key_exchange() in kex.c.
       Avoid various signedness flaws introduced by the initial fix(es) around
       CVE-2019-3859 (regression CVE registered as CVE-2019-13115).
     - Add CVE-2019-3859-4_channel-c.patch and CVE-2019-3859-5_userauth-c.patch.
       Derived by manually comparing upstream security fix commit
       dc109a7f518757741590bb993c0c8412928ccec2 against what we had in
       Debian jessie LTS's versions of libssh2, so far.
     - This completes a series of fixes unfortunately only partially provided
       in earlier security uploads of libssh2 to Debian jessie LTS.
       Due to non-optimal CVE documentation and the manifold of upstream security
       changes before libssh2 1.9, it hasn't been easy to identify all
       necessary changes to fix the recent CVEs (2019-3855 - 2019-3863).
       Furthermore, for a non-upstream dev it has neither been easy to identify
       which upstream fix was for which CVE.
   * Add additional-bounds-checks-in-diffie_hellman_sha1.patch. Additional
     bound checks in diffie_hellman_sha1.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

