
Bug#1036026: marked as done (unblock: libssh/0.10.5-2)



Your message dated Wed, 17 May 2023 22:24:05 +0000
with message-id <E1pzPYz-005FuK-AM@respighi.debian.org>
and subject line unblock libssh
has caused the Debian Bug report #1036026,
regarding unblock: libssh/0.10.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036026
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libssh@packages.debian.org
Control: affects -1 + src:libssh

Hello,

a few days ago, a new libssh upstream microrelease [1] was published which fixes
two CVEs. I packaged it for unstable four days ago, it built everywhere, and
thus passed the (rather extensive) upstream tests, as well as the autopkgtest
integration tests everywhere [2]. I know one big consumer of libssh well -- cockpit
-- which also has successful tests against 0.10.5.

The packaging git already had a few rather harmless updates from the Debian
janitor [3] which I included into the unstable upload. I attached the debian/*
parts of the debdiff between current testing and unstable. If you want to
inspect the full upstream diff as well, I suggest the upstream git view for
the stable 0.10 branch [4], or the full debdiff view on salsa [5].

Salvatore Bonaccorso from the security team pointed out that libssh won't
auto-migrate any more at this point in time, so I'd like to coordinate these
two CVEs with you for fixing testing. If you consider 0.10.5 too risky at this
point, I can also prepare a backport similar to the update that I prepared for
stable-security, but it's more work, and backporting non-trivial patches is
also not risk-free. This gets coordinated in [6].

Thanks,

Martin

unblock libssh/0.10.5-1


[1] https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
[2] https://tracker.debian.org/pkg/libssh
[3] https://salsa.debian.org/debian/libssh/-/commit/45b9437b4c4711584dba7debe6600aa2a2d7f6c4
    https://salsa.debian.org/debian/libssh/-/commit/5feb4c4e0405e6af69d6d448ab934f7876d2ea90
    https://salsa.debian.org/debian/libssh/-/commit/8e55b07477c194630bd60c049ca28c57da2881fd
[4] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
[5] https://salsa.debian.org/debian/libssh/-/compare/4066480562aa1d2682bd5c8666631c1acd2a2777...debian?from_project_id=20695&straight=false
[6] https://bugs.debian.org/1035832
--- libssh-0.10.4/debian/changelog	2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/changelog	2023-05-10 06:00:26.000000000 +0000
@@ -1,3 +1,26 @@
+libssh (0.10.5-1) unstable; urgency=high
+
+  [ Martin Pitt ]
+  * New upstream security release (thus high urgency):
+    - Fix authenticated remote DoS through potential NULL dereference during rekeying
+      with algorithm guessing (CVE-2023-1667)
+      https://www.libssh.org/security/advisories/CVE-2023-1667.txt
+    - Client authentication bypass in pki_verify_data_signature() in low-memory
+      conditions with OpenSSL backend; gcrypt backend is not affected
+      https://www.libssh.org/security/advisories/CVE-2023-2283.txt
+      (CVE-2023-2283, Closes: #1035832)
+  * Bump Standards-Version to 4.6.2. No changes necessary.
+  * Drop debian/source/lintian-overrides. It now causes a "mismatched-override"
+    warning, and apparently is not necessary any more.
+  * debian/copyright: Drop files which don't exist any more.
+    Spotted by lintian's "superfluous-file-pattern" warnings.
+
+  [ Debian Janitor ]
+  * Bump debhelper from old 12 to 13.
+  * Avoid explicitly specifying -Wl,--as-needed linker flag.
+
+ -- Martin Pitt <mpitt@debian.org>  Wed, 10 May 2023 08:00:26 +0200
+
 libssh (0.10.4-2) unstable; urgency=medium

   * autopkgtest: Drop valgrind run. This hasn't worked for years on many
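Review bot: the two Debian Janitor entries (debhelper-compat 12 to 13, dropping -Wl,--as-needed) are unrelated to the CVE-2023-1667/CVE-2023-2283 fixes that justify urgency=high, and bundling them widens what the freeze unblock has to vouch for; either split them into a separate upload or say in the entry that the compat-13 default changes were checked, since the changelog currently records only "Bump debhelper from old 12 to 13."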
diff -Nru libssh-0.10.4/debian/control libssh-0.10.5/debian/control
--- libssh-0.10.4/debian/control	2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/control	2023-05-10 06:00:26.000000000 +0000
@@ -4,7 +4,7 @@
 Maintainer: Laurent Bigonville <bigon@debian.org>
 Uploaders: Mike Gabriel <sunweaver@debian.org>, Martin Pitt <mpitt@debian.org>
 Build-Depends: cmake (>= 2.8.5),
-               debhelper-compat (= 12),
+               debhelper-compat (= 13),
                libcmocka-dev <!nocheck>,
                libgcrypt-dev,
                libkrb5-dev | heimdal-dev,
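Review bot: the bump to `debhelper-compat (= 13)` comes with no accompanying change in debian/rules in this debdiff, so every behavioural difference is in the compat-13 defaults themselves, notably dh_missing failing the build on files that are installed but not shipped; the submitter reports clean builds everywhere, which covers that, but it is worth confirming no debian/not-installed was needed and that the set of shipped files is unchanged against 0.10.4-2.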
@@ -15,7 +15,7 @@
                pkg-config,
                python3:any <!nocheck>,
 Build-Depends-Indep: doxygen <!nodoc>, graphviz <!nodoc>
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/debian/libssh.git
 Vcs-Browser: https://salsa.debian.org/debian/libssh
@@ -97,6 +97,7 @@
 Suggests: doc-base
 Depends: ${misc:Depends}
 Build-Profiles: <!nodoc>
+Multi-Arch: foreign
 Description: tiny C SSH library - Documentation files
  The ssh library was designed to be used by programmers needing a working SSH
  implementation by the mean of a library. The complete control of the client
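Review bot: the added `Multi-Arch: foreign` on the documentation package is not recorded in the changelog hunk above, which lists only the Standards-Version, lintian-overrides, copyright and Janitor changes; add a changelog line for it. The marking itself is reasonable for a docs package whose only dependency shown here is ${misc:Depends}.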
diff -Nru libssh-0.10.4/debian/copyright libssh-0.10.5/debian/copyright
--- libssh-0.10.4/debian/copyright	2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/copyright	2023-05-10 06:00:26.000000000 +0000
@@ -23,7 +23,6 @@
        tests/client/torture_connect.c
        tests/client/torture_knownhosts.c
        tests/client/torture_session.c
-       tests/test_pcap.c
        tests/test_socket.c
 Copyright: 2003-2021, Aris Adamantiadis
            2008-2018 Andreas Schneider <asn@cryptomilk.org>
@@ -39,7 +38,6 @@
        examples/senddata.c
        examples/CMakeLists.txt
        include/libssh/ssh2.h
-       tests/authentication.c
        tests/benchmarks/bench1.sh
        tests/benchmarks/bench2.sh
        tests/chmodtest.c
@@ -47,13 +45,7 @@
        tests/client/torture_sftp_dir.c
        tests/client/torture_sftp_read.c
        tests/cmdline.c
-       tests/connection.c
        tests/generate.py
-       tests/sftp_stress/main.c
-       tests/test_exec.c
-       tests/test_ssh_bind_accept_fd.c
-       tests/test_tunnel.c
-       tests/tests.h
        tests/unittests/torture_buffer.c
        tests/unittests/torture_callbacks.c
        tests/unittests/torture_channel.c
diff -Nru libssh-0.10.4/debian/rules libssh-0.10.5/debian/rules
--- libssh-0.10.4/debian/rules	2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/rules	2023-05-10 06:00:26.000000000 +0000
@@ -2,7 +2,7 @@

 DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON

-export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1 -Wl,--as-needed
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all

 %:
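Review bot: dropping `-Wl,--as-needed` from DEB_LDFLAGS_MAINT_APPEND is only behaviour-neutral if the toolchain already links with --as-needed by default, which is the premise of the lintian tag this Janitor change addresses; for a freeze upload it is worth confirming that the NEEDED entries of the built libssh shared object are unchanged against 0.10.4-2 (objdump -p on the .so, or a debdiff of the binary packages). `-Wl,-z,defs` and `hardening=+all` are retained, so the link-time hardening is unaffected.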
diff -Nru libssh-0.10.4/debian/source/lintian-overrides libssh-0.10.5/debian/source/lintian-overrides
--- libssh-0.10.4/debian/source/lintian-overrides	2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/source/lintian-overrides	2023-05-10 06:00:26.000000000 +0000
@@ -1 +0,0 @@
-libssh source: very-long-line-length-in-source-file tests/keys/.*



--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
