Bug#1108459: unblock: libssh/0.11.2-1
Hi,
On Sun, Jun 29, 2025 at 10:12:58AM +0200, Martin Pitt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: libssh@packages.debian.org, carnil@debian.org
> Control: affects -1 + src:libssh
>
> Please unblock the recent libssh security update in unstable to land in trixie.
>
> [ Reason ]
> That fixes a bunch of CVEs (https://bugs.debian.org/1108407,
> https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/),
> plus some good fixes and minor cmake build system cleanups.

One question here from the release team might be: Why are you
following the 0.11.y stable releases instead of cherry-picking the
fixes?

For libssh, while it is not yet on the list of packages which fix
the security issues through micro releases, libssh has a history of
actually doing so:

For the last bookworm-security update:
https://bugs.debian.org/1059061#15 which resulted in an update from
0.10.5-2 -> 0.10.6-0+deb12u1 and samewise back in bullseye-security it
got bumped to 0.9.8-0+deb11u1. We have done so as well earlier for
https://bugs.debian.org/1035832

So to confirm: if trixie would have already been released, then a DSA
for libssh likely would have accepted a 0.11.2-0+deb13u1 to address
the mentioned CVEs and follow the released upstream version in the
0.11.y branch.
Regards,
Salvatore