Hello Salvatore and all,

Salvatore Bonaccorso [2023-12-22 20:34 +0100]:
> On Fri, Dec 22, 2023 at 04:39:46PM +0100, Martin Pitt wrote:
> > Salvatore Bonaccorso [2023-12-22 13:20 +0100]:
> > > > However, the fix for CVE-2023-6004 caused a regression:
> > > > https://gitlab.com/libssh/libssh-mirror/-/issues/227
> > > > I will monitor this, and include the fix in the security upload once it is
> > > > available (or presumably they'll do a 0.10.7). So if it's alright with you,
> > > > I'll delay the stable-security update for a few days.
> > >
> > > Right, it's not that pressing that we get updates out, so let's
> > > monitor this, have 0.10.7 uploaded and exposed as well then to
> > > unstable for a while and then look at bookworm-security. Btw, we will
> > > as well need bullseye-security.
> >
> > Ack. The fix landed upstream, and they said they won't do a 0.10.7 immediately,
> > so I backported it and uploaded as 0.10.6-2 to sid. I threw the whole cockpit
> > integration test suite at it (which exercises libssh pretty thoroughly via
> > cockpit-ssh), and it is happy.
> >
> > I'll let that simmer for a few days to let it go into testing, and prepare the
> > security updates soon.
>
> Thanks, that sounds good.
The new upstream release plus regression fix have propagated to testing, to Ubuntu devel, and are also progressing well into Fedora. By now the tests have validated it enough for me to be confident in the fixes.

I prepared the security update for Debian 12 bookworm, including a debdiff:

  https://people.debian.org/~mpitt/tmp/

Please feel free to dput it yourself, or I can do it if/when you ack.

I'll coordinate the update to oldstable with Sean (see the other thread).

Thanks,

Martin