Hello Sean and security team,

Sean Whitton [2023-12-24 9:12 +0000]:
> I have taken responsibility for fixing these CVEs in libssh in buster,
> as part of Freexian-funded LTS work. I would like to see if I can help
> get them fixed in bullseye & bookworm in parallel, to avoid a situation
> where they're fixed in buster but not fixed in releases to which LTS
> users might soon upgrade their machines.
>
> I see the fixes are all in sid. Are you expecting to issue DSAs for
> bullseye and bookworm? I would be grateful for some information on the
> sec team's plans for these fixes.

By now it propagated to testing as well. I have the update for Debian 12 bookworm prepared, we just wanted to give some field testing to the patches, as there was at least one major regression [1], so I needed to backport the fix [2] and tests [3].

I am happy to work on the Debian 11 bullseye update now, as there is a validated upstream microrelease for it. But if you can work on the Debian 10 buster (oldoldstable) update, that'd be great -- I don't have a meaningful way of testing it, nor enough time over the Christmas holidays.

Thanks,

Martin

[1] https://gitlab.com/libssh/libssh-mirror/-/issues/227
[2] https://gitlab.com/libssh/libssh-mirror/-/commit/1a02364b5107a4125ea3cb76fcdb6beabaebf3be
[3] https://gitlab.com/libssh/libssh-mirror/-/commit/6f1b1e76bb38bc89819132e1810e4301ec9034a4