Your message dated Wed, 17 May 2023 22:24:05 +0000 with message-id <E1pzPYz-005FuK-AM@respighi.debian.org> and subject line unblock libssh has caused the Debian Bug report #1036026, regarding unblock: libssh/0.10.5-2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1036026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036026
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian BTS Submit <submit@bugs.debian.org>
- Cc: 1035832@bugs.debian.org
- Subject: unblock: libssh/0.10.5-1
- From: Martin Pitt <mpitt@debian.org>
- Date: Sat, 13 May 2023 15:49:12 +0200
- Message-id: <ZF+VWEtF1hkNpElr@piware.de>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libssh@packages.debian.org
Control: affects -1 + src:libssh

Hello,

a few days ago, a new libssh upstream microrelease [1] was published which fixes two CVEs. I packaged it for unstable four days ago, it built everywhere, and thus passed the (rather extensive) upstream tests, as well as the autopkgtest integration tests everywhere [2]. I know one big consumer of libssh well -- cockpit -- which also has successful tests against 0.10.5.

The packaging git already had a few rather harmless updates from the Debian janitor [3] which I included in the unstable upload. I attached the debian/* parts of the debdiff between current testing and unstable. If you want to inspect the full upstream diff as well, I suggest the upstream git view for the stable 0.10 branch [4], or the full debdiff view on salsa [5].

Salvatore Bonaccorso from the security team pointed out that libssh won't auto-migrate any more at this point in time, so I'd like to coordinate these two CVEs with you for fixing testing. If you consider 0.10.5 too risky at this point, I can also prepare a backport similar to the update that I prepared for stable-security, but it's more work, and backporting non-trivial patches is also not risk-free. This gets coordinated in [6].

Thanks,

Martin

unblock libssh/0.10.5-1

[1] https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
[2] https://tracker.debian.org/pkg/libssh
[3] https://salsa.debian.org/debian/libssh/-/commit/45b9437b4c4711584dba7debe6600aa2a2d7f6c4
    https://salsa.debian.org/debian/libssh/-/commit/5feb4c4e0405e6af69d6d448ab934f7876d2ea90
    https://salsa.debian.org/debian/libssh/-/commit/8e55b07477c194630bd60c049ca28c57da2881fd
[4] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
[5] https://salsa.debian.org/debian/libssh/-/compare/4066480562aa1d2682bd5c8666631c1acd2a2777...debian?from_project_id=20695&straight=false
[6] https://bugs.debian.org/1035832

--- libssh-0.10.4/debian/changelog 2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/changelog 2023-05-10 06:00:26.000000000 +0000
@@ -1,3 +1,26 @@ +libssh (0.10.5-1) unstable; urgency=high + + [ Martin Pitt ] + * New upstream security release (thus high urgency): + - Fix authenticated remote DoS through potential NULL dereference during rekeying + with algorithm guessing (CVE-2023-1667) + https://www.libssh.org/security/advisories/CVE-2023-1667.txt + - Client authentication bypass in pki_verify_data_signature() in low-memory + conditions with OpenSSL backend; gcrypt backend is not affected + https://www.libssh.org/security/advisories/CVE-2023-2283.txt + (CVE-2023-2283, Closes: #1035832) + * Bump Standards-Version to 4.6.2. No changes necessary. + * Drop debian/source/lintian-overrides. It now causes a "mismatched-override" + warning, and apparently is not necessary any more. + * debian/copyright: Drop files which don't exist any more. + Spotted by lintian's "superfluous-file-pattern" warnings. + + [ Debian Janitor ] + * Bump debhelper from old 12 to 13. + * Avoid explicitly specifying -Wl,--as-needed linker flag. + + -- Martin Pitt <mpitt@debian.org> Wed, 10 May 2023 08:00:26 +0200 + libssh (0.10.4-2) unstable; urgency=medium * autopkgtest: Drop valgrind run. This hasn't worked for years on many diff -Nru libssh-0.10.4/debian/control libssh-0.10.5/debian/control --- libssh-0.10.4/debian/control 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/control 2023-05-10 06:00:26.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Laurent Bigonville <bigon@debian.org> Uploaders: Mike Gabriel <sunweaver@debian.org>, Martin Pitt <mpitt@debian.org> Build-Depends: cmake (>= 2.8.5), - debhelper-compat (= 12), + debhelper-compat (= 13), libcmocka-dev <!nocheck>, libgcrypt-dev, libkrb5-dev | heimdal-dev, @@ -15,7 +15,7 @@ pkg-config, python3:any <!nocheck>, Build-Depends-Indep: doxygen <!nodoc>, graphviz <!nodoc> -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/libssh.git Vcs-Browser: https://salsa.debian.org/debian/libssh 
@@ -97,6 +97,7 @@ Suggests: doc-base Depends: ${misc:Depends} Build-Profiles: <!nodoc> +Multi-Arch: foreign Description: tiny C SSH library - Documentation files The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client diff -Nru libssh-0.10.4/debian/copyright libssh-0.10.5/debian/copyright --- libssh-0.10.4/debian/copyright 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/copyright 2023-05-10 06:00:26.000000000 +0000 @@ -23,7 +23,6 @@ tests/client/torture_connect.c tests/client/torture_knownhosts.c tests/client/torture_session.c - tests/test_pcap.c tests/test_socket.c Copyright: 2003-2021, Aris Adamantiadis 2008-2018 Andreas Schneider <asn@cryptomilk.org> @@ -39,7 +38,6 @@ examples/senddata.c examples/CMakeLists.txt include/libssh/ssh2.h - tests/authentication.c tests/benchmarks/bench1.sh tests/benchmarks/bench2.sh tests/chmodtest.c @@ -47,13 +45,7 @@ tests/client/torture_sftp_dir.c tests/client/torture_sftp_read.c tests/cmdline.c - tests/connection.c tests/generate.py - tests/sftp_stress/main.c - tests/test_exec.c - tests/test_ssh_bind_accept_fd.c - tests/test_tunnel.c - tests/tests.h tests/unittests/torture_buffer.c tests/unittests/torture_callbacks.c tests/unittests/torture_channel.c diff -Nru libssh-0.10.4/debian/rules libssh-0.10.5/debian/rules --- libssh-0.10.4/debian/rules 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/rules 2023-05-10 06:00:26.000000000 +0000 
@@ -2,7 +2,7 @@ DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON -export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1 -Wl,--as-needed +export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1 export DEB_BUILD_MAINT_OPTIONS = hardening=+all %: diff -Nru libssh-0.10.4/debian/source/lintian-overrides libssh-0.10.5/debian/source/lintian-overrides --- libssh-0.10.4/debian/source/lintian-overrides 2022-09-19 08:41:22.000000000 +0000 +++ libssh-0.10.5/debian/source/lintian-overrides 2023-05-10 06:00:26.000000000 +0000 @@ -1 +0,0 @@ -libssh source: very-long-line-length-in-source-file tests/keys/.*Attachment: signature.asc
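Review bot: In the debian/changelog hunk only the CVE-2023-2283 item carries a bug reference (`(CVE-2023-2283, Closes: #1035832)`) while the CVE-2023-1667 item has none; if the security team tracks that CVE under a Debian bug as well, add its `Closes:` so the BTS closes it on upload, and for consistency put the CVE identifier in the same position in both items (inline after the summary for CVE-2023-1667, after the advisory URL for CVE-2023-2283 at present).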
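Review bot: The `debhelper-compat (= 12)` to `(= 13)` bump in the first debian/control hunk is a build-behaviour change that is independent of the two CVE fixes this unblock is about; since it is bundled with a freeze-time security update, state in the changelog or the request that the "built everywhere" and autopkgtest results cited in the mail were obtained with compat 13, so the release team can see the Janitor change was exercised and not only the upstream release.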
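Review bot: The `+Multi-Arch: foreign` line added to the documentation package in the `@@ -97,6 +97,7 @@` debian/control hunk is not mentioned anywhere in the changelog entry, which lists every other packaging change; add a changelog line for it so the debdiff and the changelog agree.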
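Review bot: Dropping `-Wl,--as-needed` from `DEB_LDFLAGS_MAINT_APPEND` in the debian/rules hunk leaves `-Wl,-z,defs` and `hardening=+all` in place, so the security-relevant link flags are unchanged; the one-line Janitor changelog entry "Avoid explicitly specifying -Wl,--as-needed linker flag" should say that this now relies on the toolchain default rather than an explicit flag, so nobody later reads the removal as a deliberate change in linking behaviour.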
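Review bot: The removal of the `very-long-line-length-in-source-file tests/keys/.*` override in debian/source/lintian-overrides is justified in the changelog only with "apparently is not necessary any more"; replace that with the actual reason (the tag no longer fires on the 0.10.5 source, or lintian retired the tag) and confirm by running lintian on the built source package that the `mismatched-override` warning the changelog cites is gone, otherwise the next maintainer is likely to re-add the override when a long-line warning reappears for the test keys.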
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 1036026-done@bugs.debian.org
- Subject: unblock libssh
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Wed, 17 May 2023 22:24:05 +0000
- Message-id: <E1pzPYz-005FuK-AM@respighi.debian.org>
Unblocked.
--- End Message ---