
Re: libssh CVE-2023-6004, CVE-2023-6918, CVE-2023-48795


On Mon 25 Dec 2023 at 11:31am +01, Martin Pitt wrote:

> Hello Sean and security team,
> Sean Whitton [2023-12-24  9:12 +0000]:
>> I have taken responsibility for fixing these CVEs in libssh in buster,
>> as part of Freexian-funded LTS work.  I would like to see if I can help
>> get them fixed in bullseye & bookworm in parallel, to avoid a situation
>> where they're fixed in buster but not fixed in releases to which LTS
>> users might soon upgrade their machines.
>> I see the fixes are all in sid.  Are you expecting to issue DSAs for
>> bullseye and bookworm?  I would be grateful for some information on the
>> sec team's plans for these fixes.
> By now it has propagated to testing as well. I have the update for Debian 12
> bookworm prepared, we just wanted to give some field testing to the patches, as
> there was at least one major regression [1], so I needed to backport the fix
> [2] and tests [3].
> I am happy to work on the Debian 11 bullseye update now, as there is a
> validated upstream microrelease for it. But if you can work on the Debian 10
> buster (oldoldstable) update, that'd be great -- I don't have a meaningful way
> of testing it, nor enough time over the Christmas holidays.

Many thanks for the info, both.

Sean Whitton

Attachment: signature.asc
Description: PGP signature
