
CVE-2019-16905 OpenSSH for Debian/Buster



********************************************************************************
All attached files have been changed to URL for security purposes.
Please download from the following URL. The password is notified by another mail.
Notice from the mail system: attachments converted to URLs
To strengthen information security, our company has introduced a system that automatically
converts e-mail attachments into URLs. The attachments can be downloaded from the URL below.
Please enter your e-mail address and the password that will be sent to you separately.
We apologize for the inconvenience and ask for your understanding.
********************************************************************************

Download URL:
https://enc01.toshiba.co.jp/sa/download/5578/0e6360300fc12dd467c6880c5fd8ae174ab8c601.htm

----------- original message -----------

Hi LTS/ELTS team,

Although Debian Buster is now under ELTS, I'd like to share a patch for CVE-2019-16905 in OpenSSH (1:7.9p1-10+deb10u5).
I understand ELTS is a commercial service, but ELTS-specific topics have been discussed publicly on this list before, so I hope this is acceptable.

What's included:
* Backport of upstream OpenBSD fixes for integer overflow and type validation issues in key parsing.
* Patch applies cleanly and builds successfully as 1:7.9p1-10+deb10u6.
* Basic tests show no regressions.

I'm not requesting ELTS service or support, just sharing a patch that may help ELTS maintainers or others running Buster-based systems.
If anyone can review or sanity-check it, that would be greatly appreciated.
Ideally, we hope this patch could be picked up and eventually land in Debian Buster ELTS, saving time for future updates and improving security for remaining Buster deployments.
Patch and changelog are attached.
Please let me know if contributions like this should be sent differently.

Thank you for taking the time.

Best regards,
Daichi Fukui
