Hello security team,

Martin Pitt [2023-05-10 8:19 +0200]:
> I'll attempt to backport the fixes for stable now.
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
> changes before and beyond the actual security fix: some memory leak fixes,
> moving some code around, indentation fixes, more unit tests. Personally I'd
> rather trust upstream's release validation and update to 0.9.7 wholesale than
> trying to pick it apart, but how is the Debian security team stanza wrt.
> upstream microreleases these days?

I prepared a security update for the two CVEs, plus four "reformat code"
cherry-picks which changed the actual security fix from "hairy and risky" to
"only causes minor and obvious conflicts".

https://salsa.debian.org/debian/libssh/-/commit/5aa68cee3d2e8a50402ef77623ff8ceac9eb183c
https://salsa.debian.org/debian/libssh/-/commit/baa5cda9287580b16d3ecd9ecfc7fef82f2e12c2

They were taken from https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9
as "95% clean" cherry-picks, which I found the best compromise wrt. minimizing
risk. See the Debian commit messages for details.

I built the package in a clean bullseye container; unit tests and autopkgtest pass.

The commit messages are more wordy than appropriate for the changelog. I'd use a
similar format as for unstable [1], e.g.

-------------- ✂️ ------------------
  * Fix authenticated remote DoS through potential NULL dereference during
    rekeying with algorithm guessing (CVE-2023-1667)
    https://www.libssh.org/security/advisories/CVE-2023-1667.txt
  * Fix client authentication bypass in pki_verify_data_signature() in
    low-memory conditions with OpenSSL backend; gcrypt backend is not affected
    (CVE-2023-2283, Closes: #1035832)
    https://www.libssh.org/security/advisories/CVE-2023-2283.txt
-------------- ✂️ ------------------

I'm happy to upload to the queue if/once you give me the signal, or massage the
patches/changelog according to your liking.

Thanks,

Martin

[1] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9
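The backport strategy in the mail above, picking upstream's whitespace-only "reformat code" commits before the security fix so that the fix itself applies without a hairy conflict, can be reproduced on a throwaway repository. The script below is an added illustration written for this page, not code from the mail, from libssh or from the Debian packaging; the file contents, commit messages and branch names (`stable`, `upstream`) are constructed, and the "fix" is a generic NULL check that stands in for the real CVE patches. It builds a tiny history with a `stable` branch frozen at the initial commit and an `upstream` branch carrying a reformat commit followed by the fix, then compares cherry-picking the fix alone against cherry-picking reformat + fix.

```shell
#!/bin/sh
# Added example, not from the mail or the libssh/Debian repositories.
# Shows why cherry-picking an upstream reformat commit first makes a later
# security fix apply cleanly onto an older release branch.
set -eu

# Build a constructed toy repository and print its path.
# Branches: "stable" = initial commit only; "upstream" = reformat, then fix.
make_repo() {
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q
        git config user.email "example@example.invalid"
        git config user.name "example"
        # Old code as shipped in the stable release (2-space indent, K&R brace).
        printf 'int check(char *p) {\n  return p[0];\n}\n' > pki.c
        git add pki.c
        git commit -q -m "initial release"
        git branch stable
        git checkout -q -b upstream
        # Upstream commit 1: indentation/brace reformat, no behaviour change.
        printf 'int check(char *p)\n{\n    return p[0];\n}\n' > pki.c
        git commit -q -am "reformat code"
        # Upstream commit 2: the security fix, written against the reformatted file.
        printf 'int check(char *p)\n{\n    if (p == NULL) {\n        return -1;\n    }\n    return p[0];\n}\n' > pki.c
        git commit -q -am "fix NULL dereference"
    ) >/dev/null
    echo "$repo"
}

# Cherry-pick the given upstream commits, in order, onto "stable".
# Prints CLEAN if every pick applies, CONFLICT if one does not (the failed
# pick is aborted), or SKIP when git is not installed.
backport() {
    command -v git >/dev/null 2>&1 || { echo SKIP; return 0; }
    repo=$(make_repo)
    (
        cd "$repo"
        git checkout -q stable
        result=CLEAN
        for c in "$@"; do
            if ! git cherry-pick "$c" >/dev/null 2>&1; then
                git cherry-pick --abort >/dev/null 2>&1 || true
                result=CONFLICT
                break
            fi
        done
        echo "$result"
    )
    rm -rf "$repo"
}

# Fix alone: the 3-way merge base is the reformat commit, so every context
# line differs from stable and git reports a conflict.
echo "fix only:          $(backport upstream)"
# Reformat first, then fix: the reformat applies trivially and the fix then
# lands on exactly the text it was written against.
echo "reformat then fix: $(backport upstream~1 upstream)"
```

The same reasoning is what makes reviewing the resulting Debian patch easier: after the reformat picks, the diff for the fix is the upstream diff verbatim, and a reviewer can compare it line by line against the upstream commit instead of auditing a hand-resolved merge.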