
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix



Hi,

On Sa 21 Dez 2019 21:43:43 CET, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Sat, Dec 21, 2019 at 05:47:25PM +0000, Mike Gabriel wrote:
> > Hi again,
> >
> > On Sa 21 Dez 2019 18:36:09 CET, Mike Gabriel wrote:
> >
> > > Hi again,
> > >
> > > On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:
> > >
> > > > Hi all,
> > > >
> > > > the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:
> > > >
> > > > ```
> > > > Connection failed. Couldn't create remote file
> > > > ~<user>/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> > > > scp: ~<user>/.x2go/ssh: No such file or directory"
> > > > ```
> > > >
> > > > The solution to this is a fix to be applied against X2Go Client (in
> > > > jessie/stretch/buster/unstable):
> > > > https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
> > > >
> > > > Thanks,
> > > > Mike
> > >
> > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
> > > and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795
> > >
> > > Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this,
> > > please follow-up and provide regression fixes (i.e. a patched X2Go
> > > Client, see LP:#1856795) to Ubuntu.
> > >
> > > Thanks+Greets,
> > > Mike
> >
> > I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix
> > for regression with CVE-2019-14889/libssh
> >
> > Does that need a DLA?
> >
> > If yes, shall it be a regression DLA for DLA-2038-1/libssh? Or a new DLA
> > number?
>
> In this case I would use a DLA-2038-2 regression update advisory, with
> tracking the x2goclient source package and (important) not tracking
> the CVE id. It's a bit of an unusual case, but that is how it's then
> usually handled. You can see DSA-4539-2 as the respective example.
>
> So your entry would look like (data/DLA/list):
>
> [$date] DLA-2038-2 x2goclient - regression update
>         [jessie] - x2goclient $version
>
> Regards,
> Salvatore

Done. Thanks!

Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
