Re: CVE-2019-16905 OpenSSH for Debian/Buster

To: debian-lts@lists.debian.org
Subject: Re: CVE-2019-16905 OpenSSH for Debian/Buster
From: Bastian Blank <waldi@debian.org>
Date: Tue, 18 Nov 2025 07:58:43 +0100
Message-id: <[🔎] 20251118065843.x2nfsu5w445rkgop@shell.thinkmo.de>
Mail-followup-to: Bastian Blank <waldi@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] OS3PR01MB97366813162F359D9785B35DB2D6A@OS3PR01MB9736.jpnprd01.prod.outlook.com>
References: <[🔎] OS3PR01MB97366813162F359D9785B35DB2D6A@OS3PR01MB9736.jpnprd01.prod.outlook.com>

On Tue, Nov 18, 2025 at 04:49:26AM +0000, daichi.fukui.h16@mail.toshiba wrote:
> Although Debian Buster is now under ELTS, I'd like to share a patch for CVE-2019-16905 in OpenSSH (1:7.9p1-10+deb10u5).

Do we actually enable this code?  The CVE text reads like this should
not be the case:

| NOTE: the XMSS implementation is considered experimental in all
| released OpenSSH versions, and there is no supported way to enable it
| when building portable OpenSSH.

Bastian

-- 
Love sometimes expresses itself in sacrifice.
		-- Kirk, "Metamorphosis", stardate 3220.3

Reply to:

References:
- CVE-2019-16905 OpenSSH for Debian/Buster
  - From: <daichi.fukui.h16@mail.toshiba>

Prev by Date: Re: CVE-2019-16905 OpenSSH for Debian/Buster
Next by Date: security update for libpng1.6:x
Previous by thread: Re: CVE-2019-16905 OpenSSH for Debian/Buster
Next by thread: security update for libpng1.6:x
Index(es):
- Date
- Thread