
Re: libssh CVE-2023-6004, CVE-2023-6918, CVE-2023-48795

Hello Sean and security team,

Sean Whitton [2023-12-24  9:12 +0000]:
> I have taken responsibility for fixing these CVEs in libssh in buster,
> as part of Freexian-funded LTS work.  I would like to see if I can help
> get them fixed in bullseye & bookworm in parallel, to avoid a situation
> where they're fixed in buster but not fixed in releases to which LTS
> users might soon upgrade their machines.
> I see the fixes are all in sid.  Are you expecting to issue DSAs for
> bullseye and bookworm?  I would be grateful for some information on the
> sec team's plans for these fixes.

By now it propagated to testing as well. I have the update for Debian 12
bookworm prepared, we just wanted to give some field testing to the patches, as
there was at least one major regression [1], so I needed to backport the fix
[2] and tests [3].

I am happy to work on the Debian 11 bullseye update now, as there is a
validated upstream microrelease for it. But if you can work on the Debian 10
buster (oldoldstable) update, that'd be great -- I don't have a meaningful way
of testing it, nor enough time over the Christmas holidays.
[1] https://gitlab.com/libssh/libssh-mirror/-/issues/227
[2] https://gitlab.com/libssh/libssh-mirror/-/commit/1a02364b5107a4125ea3cb76fcdb6beabaebf3be
[3] https://gitlab.com/libssh/libssh-mirror/-/commit/6f1b1e76bb38bc89819132e1810e4301ec9034a4
