
Re: libssh CVE-2023-6004, CVE-2023-6918, CVE-2023-48795



[ You missed the correct mailing list. debian-security is _not_
  the correct way to reach the security team, fixing ]

On Sun, Dec 24, 2023 at 09:12:04AM +0000, Sean Whitton wrote:
> Hello,
> 
> I have taken responsibility for fixing these CVEs in libssh in buster,
> as part of Freexian-funded LTS work.  I would like to see if I can help
> get them fixed in bullseye & bookworm in parallel, to avoid a situation
> where they're fixed in buster but not fixed in releases to which LTS
> users might soon upgrade their machines.
> 
> I see the fixes are all in sid.  Are you expecting to issue DSAs for
> bullseye and bookworm?  I would be grateful for some information on the
> sec team's plans for these fixes.

There will be updates via s.d.i, but with some intentional delay to
first spot regressions based on the upload to sid.

Cheers,
        Moritz

