Package: libssh-4
Version: 0.8.4-1
Severity: important

0.8.5 got released a while ago, with lots of fixes. The most important one is probably https://git.libssh.org/projects/libssh.git/commit/?id=4ea46eecce9f4 which fixes a major regression in 0.8.4 that completely broke "keyboard-interactive" authentication on the server side (https://bugs.libssh.org/T117). Thus I set "important" severity as that regression made it into debian-testing.

Note that it is also in stretch 0.7.3-2+deb9u1; the regression was part of the security fix. So you might want to consider backporting the fix there?

There is also other good stuff in there, like unbreaking the API if you use ProxyCommand in your ssh options (https://gitlab.com/sanne.raymaekers/libssh-mirror/commit/8ba9f836947f) and lots of known_hosts fixes.

It has also been in Fedora 28 and 29 for 10 days, and successfully verified there:

https://bodhi.fedoraproject.org/updates/FEDORA-2018-6cd653e005
https://bodhi.fedoraproject.org/updates/FEDORA-2018-25e7ca720f

Thank you!

Martin Pitt