Control: tag -1 pending

Hello Salvatore,

Salvatore Bonaccorso [2023-05-09 22:30 +0200]:
> The following vulnerabilities were published for libssh.
>
> CVE-2023-1667[0]:
> | Potential NULL dereference during rekeying with algorithm guessing
>
> CVE-2023-2283[1]:
> | Authorization bypass in pki_verify_data_signature
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

I uploaded the new upstream release to unstable, with urgency=high to hopefully make it into the release in time. With upstream's extensive unit tests and Debian's reverse dependency autopkgtesting etc. I have enough confidence in that.

I also checked buster. It's not affected by CVE-2023-2283, that code does not exist in the 0.8 branch at all. The code for CVE-2023-1667 does exist, but it is wildly different. Upstream does not maintain the 0.8 branch any more, and I'm afraid I will not have the time/skills to analyze, understand, and backport the patches myself, at least not to an extent where I'd have faith in them.

I'll attempt to backport the fixes for stable now. https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some changes before and beyond the actual security fix: some memory leak fixes, moving some code around, indentation fixes, more unit tests. Personally I'd rather trust upstream's release validation and update to 0.9.7 wholesale than trying to pick it apart, but how is the Debian security team stanza wrt. upstream microreleases these days?

Thanks,
Martin