Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libssh@packages.debian.org
Control: affects -1 + src:libssh

Hello,

a few days ago, a new libssh upstream microrelease [1] was published which fixes two CVEs. I packaged it for unstable four days ago, it built everywhere, and thus passed the (rather extensive) upstream tests, as well as the autopkgtest integration tests everywhere [2]. I know one big consumer of libssh well -- cockpit -- which also has successful tests against 0.10.5.

The packaging git already had a few rather harmless updates from the Debian janitor [3] which I included into the unstable upload.

I attached the debian/* parts of the debdiff between current testing and unstable. If you want to inspect the full upstream diff as well, I suggest the upstream git view for the stable 0.10 branch [4], or the full debdiff view on salsa [5].

Salvatore Bonaccorso from the security team pointed out that libssh won't auto-migrate any more at this point in time, so I'd like to coordinate these two CVEs with you for fixing testing. If you consider 0.10.5 too risky at this point, I can also prepare a backport similar to the update that I prepared for stable-security, but it's more work, and backporting non-trivial patches is also not risk-free. This gets coordinated in [6].

Thanks,

Martin

unblock libssh/0.10.5-1

[1] https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
[2] https://tracker.debian.org/pkg/libssh
[3] https://salsa.debian.org/debian/libssh/-/commit/45b9437b4c4711584dba7debe6600aa2a2d7f6c4
    https://salsa.debian.org/debian/libssh/-/commit/5feb4c4e0405e6af69d6d448ab934f7876d2ea90
    https://salsa.debian.org/debian/libssh/-/commit/8e55b07477c194630bd60c049ca28c57da2881fd
[4] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
[5] https://salsa.debian.org/debian/libssh/-/compare/4066480562aa1d2682bd5c8666631c1acd2a2777...debian?from_project_id=20695&straight=false
[6] https://bugs.debian.org/1035832
--- libssh-0.10.4/debian/changelog 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/changelog 2023-05-10 06:00:26.000000000 +0000 @@ -1,3 +1,26 @@ +libssh (0.10.5-1) unstable; urgency=high + + [ Martin Pitt ] + * New upstream security release (thus high urgency): + - Fix authenticated remote DoS through potential NULL dereference during rekeying + with algorithm guessing (CVE-2023-1667) + https://www.libssh.org/security/advisories/CVE-2023-1667.txt + - Client authentication bypass in pki_verify_data_signature() in low-memory + conditions with OpenSSL backend; gcrypt backend is not affected + https://www.libssh.org/security/advisories/CVE-2023-2283.txt + (CVE-2023-2283, Closes: #1035832) + * Bump Standards-Version to 4.6.2. No changes necessary. + * Drop debian/source/lintian-overrides. It now causes a "mismatched-override" + warning, and apparently is not necessary any more. + * debian/copyright: Drop files which don't exist any more. + Spotted by lintian's "superfluous-file-pattern" warnings. + + [ Debian Janitor ] + * Bump debhelper from old 12 to 13. + * Avoid explicitly specifying -Wl,--as-needed linker flag. + + -- Martin Pitt <mpitt@debian.org> Wed, 10 May 2023 08:00:26 +0200 + libssh (0.10.4-2) unstable; urgency=medium * autopkgtest: Drop valgrind run. This hasn't worked for years on many diff -Nru libssh-0.10.4/debian/control libssh-0.10.5/debian/control --- libssh-0.10.4/debian/control 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/control 2023-05-10 06:00:26.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Laurent Bigonville <bigon@debian.org> Uploaders: Mike Gabriel <sunweaver@debian.org>, Martin Pitt <mpitt@debian.org> Build-Depends: cmake (>= 2.8.5), - debhelper-compat (= 12), + debhelper-compat (= 13), libcmocka-dev <!nocheck>, libgcrypt-dev, libkrb5-dev | heimdal-dev, 
@@ -15,7 +15,7 @@ pkg-config, python3:any <!nocheck>, Build-Depends-Indep: doxygen <!nodoc>, graphviz <!nodoc> -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/libssh.git Vcs-Browser: https://salsa.debian.org/debian/libssh @@ -97,6 +97,7 @@ Suggests: doc-base Depends: ${misc:Depends} Build-Profiles: <!nodoc> +Multi-Arch: foreign Description: tiny C SSH library - Documentation files The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client diff -Nru libssh-0.10.4/debian/copyright libssh-0.10.5/debian/copyright --- libssh-0.10.4/debian/copyright 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/copyright 2023-05-10 06:00:26.000000000 +0000 @@ -23,7 +23,6 @@ tests/client/torture_connect.c tests/client/torture_knownhosts.c tests/client/torture_session.c - tests/test_pcap.c tests/test_socket.c Copyright: 2003-2021, Aris Adamantiadis 2008-2018 Andreas Schneider <asn@cryptomilk.org> @@ -39,7 +38,6 @@ examples/senddata.c examples/CMakeLists.txt include/libssh/ssh2.h - tests/authentication.c tests/benchmarks/bench1.sh tests/benchmarks/bench2.sh tests/chmodtest.c @@ -47,13 +45,7 @@ tests/client/torture_sftp_dir.c tests/client/torture_sftp_read.c tests/cmdline.c - tests/connection.c tests/generate.py - tests/sftp_stress/main.c - tests/test_exec.c - tests/test_ssh_bind_accept_fd.c - tests/test_tunnel.c - tests/tests.h tests/unittests/torture_buffer.c tests/unittests/torture_callbacks.c tests/unittests/torture_channel.c diff -Nru libssh-0.10.4/debian/rules libssh-0.10.5/debian/rules --- libssh-0.10.4/debian/rules 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/rules 2023-05-10 06:00:26.000000000 +0000 
@@ -2,7 +2,7 @@ DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON -export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1 -Wl,--as-needed +export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1 export DEB_BUILD_MAINT_OPTIONS = hardening=+all %: diff -Nru libssh-0.10.4/debian/source/lintian-overrides libssh-0.10.5/debian/source/lintian-overrides --- libssh-0.10.4/debian/source/lintian-overrides 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/source/lintian-overrides 2023-05-10 06:00:26.000000000 +0000 @@ -1 +0,0 @@ -libssh source: very-long-line-length-in-source-file tests/keys/.*
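Review bot: in the debian/changelog hunk, the two CVE fixes are bundled with packaging changes that are unrelated to the security update (Standards-Version bump, removal of debian/source/lintian-overrides, debian/copyright cleanup, and the Debian Janitor's debhelper 13 and --as-needed changes), which widens what the release team has to review for a freeze unblock; the entry should say explicitly that these are expected to be no-op changes for the built packages. Also, only the CVE-2023-2283 item carries a "Closes: #1035832" reference while the CVE-2023-1667 item references no bug; if a BTS bug exists for the first CVE, add it so the tracker is updated consistently.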
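Review bot: in the debian/control hunk, "debhelper-compat (= 12)" to "(= 13)" is a behaviour change rather than a version cosmetic: compat 13 makes dh_missing fail the build for files that are installed but not shipped in any package, among other default changes, so the unblock justification should state that the binary packages' file lists and dependency fields were compared between the 0.10.4-2 and 0.10.5-1 builds (for example with debdiff on the .deb files). The added "Multi-Arch: foreign" on the documentation package is appropriate for an architecture-independent package with no architecture-specific content.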
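Review bot: in the debian/rules hunk, dropping "-Wl,--as-needed" from DEB_LDFLAGS_MAINT_APPEND can change the NEEDED entries of libssh.so and of the test binaries (libraries that the linker previously discarded as unused become hard dependencies), which in turn changes ${shlibs:Depends}; the janitor change assumes that the Debian toolchain already links with --as-needed by default, so confirm that on the actual link lines in the build log and compare the Depends of the old and new binary packages. "-Wl,-z,defs" is kept, so an undefined-symbol regression would still fail at link time rather than at load time.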