Hi Martin,

On Mon, Dec 25, 2023 at 11:25:18AM +0100, Martin Pitt wrote:
> Hello Salvatore and all,
>
> Salvatore Bonaccorso [2023-12-22 20:34 +0100]:
> > On Fri, Dec 22, 2023 at 04:39:46PM +0100, Martin Pitt wrote:
> > > Salvatore Bonaccorso [2023-12-22 13:20 +0100]:
> > > > > However, the fix for CVE-2023-6004 caused a regression:
> > > > > https://gitlab.com/libssh/libssh-mirror/-/issues/227
> > > > > I will monitor this, and include the fix in the security upload once
> > > > > it is available (or presumably they'll do a 0.10.7). So if it's alright
> > > > > with you, I'll delay the stable-security update for a few days.
> > > >
> > > > Right, it's not that pressing that we get updates out, so let's
> > > > monitor this, have 0.10.7 uploaded and exposed as well then to
> > > > unstable for a while and then look at bookworm-security. Btw, we will
> > > > as well need bullseye-security.
> > >
> > > Ack. The fix landed upstream, and they said they won't do a 0.10.7
> > > immediately, so I backported it and uploaded as 0.10.6-2 to sid. I threw
> > > the whole cockpit integration test suite at it (which exercises libssh
> > > pretty thoroughly via cockpit-ssh), and it is happy.
> > >
> > > I'll let that simmer for a few days to let it go into testing, and
> > > prepare the security updates soon.
> >
> > Thanks, that sounds good.
>
> The new upstream release plus regression fix have propagated to testing, to
> Ubuntu devel, and also is progressing well into Fedora. By now the tests have
> validated it enough for me to be confident in the fixes.
>
> I prepared the security update for Debian 12 bookworm, including a debdiff:
> https://people.debian.org/~mpitt/tmp/
>
> Please feel free to dput it yourself, or I can do it if/when you ack.
>
> I'll coordinate the update to oldstable with Sean (see the other thread).
Thanks for clarifying in the followup: oldoldstable will be handled by LTS
so far, and thanks for preparing your work for bookworm and bullseye.

For tracking + archiving purposes it would be good if the debdiff can be
attached here as well, but I realize the size might be a bit off.

Could you do the following changes: use bookworm-security instead of
stable-security (the bullseye one was already ok). It's not a strict
requirement, but it is less confusing to explicitly use the codenames.

Please do upload to security-master; I will try to handle the DSA in the
next few days (I will not be around tomorrow at least). Both will need to
be built with -sa.

Regards,
Salvatore
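As an added example (not part of the thread and not Debian tooling), the two points in the reply above can be turned into pre-upload checks in POSIX sh: the distribution in the debian/changelog header must be the codename suite (bookworm-security or bullseye-security, not stable-security), and the .changes produced for security-master must list the .orig.tar.*, which is what building with -sa forces. The package version and the .changes excerpts below are constructed samples; the real files are read from the build directory.

```shell
#!/bin/sh
# Added example, not from the thread: pre-upload checks for a Debian
# security update. Version string and .changes excerpts are constructed.

# Constructed debian/changelog headers (first line of the file). The
# version 0.10.6-2~deb12u1 is an assumption for illustration only.
GOOD_CHANGELOG='libssh (0.10.6-2~deb12u1) bookworm-security; urgency=high'
BAD_CHANGELOG='libssh (0.10.6-2~deb12u1) stable-security; urgency=high'

# Constructed "Files:" sections of a source .changes. A build with -sa
# (e.g. dpkg-buildpackage -S -sa) lists the .orig.tar.*; without it,
# only the .dsc and the .debian.tar.* appear. Checksums are placeholders.
CHANGES_WITH_ORIG='Files:
 00000000000000000000000000000000 1234 libs optional libssh_0.10.6-2~deb12u1.dsc
 00000000000000000000000000000000 5678 libs optional libssh_0.10.6.orig.tar.xz
 00000000000000000000000000000000 9012 libs optional libssh_0.10.6-2~deb12u1.debian.tar.xz'
CHANGES_WITHOUT_ORIG='Files:
 00000000000000000000000000000000 1234 libs optional libssh_0.10.6-2~deb12u1.dsc
 00000000000000000000000000000000 9012 libs optional libssh_0.10.6-2~deb12u1.debian.tar.xz'

# Read a changelog on stdin, extract the distribution from the header
# "pkg (version) distribution; urgency=..." and require a codename suite.
check_dist() {
    dist=$(sed -n '1s/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')
    case "$dist" in
        bookworm-security|bullseye-security)
            return 0 ;;
        stable-security|oldstable-security)
            echo "check_dist: use the codename suite, not '$dist'" >&2
            return 1 ;;
        *)
            echo "check_dist: unexpected distribution '$dist'" >&2
            return 1 ;;
    esac
}

# Read a .changes on stdin and confirm the upstream tarball is listed,
# i.e. that the build was done with -sa.
check_orig_in_changes() {
    grep -q '\.orig\.tar\.' || {
        echo "check_orig_in_changes: no .orig.tar in .changes; rebuild with -sa" >&2
        return 1
    }
}

# Demo run on the constructed samples. In a real build directory this
# would be: check_dist < debian/changelog and
# check_orig_in_changes < ../libssh_*_source.changes, before dput.
for cl in "$GOOD_CHANGELOG" "$BAD_CHANGELOG"; do
    if printf '%s\n' "$cl" | check_dist; then
        echo "OK:   $cl"
    else
        echo "FAIL: $cl"
    fi
done
for ch in "$CHANGES_WITH_ORIG" "$CHANGES_WITHOUT_ORIG"; do
    if printf '%s\n' "$ch" | check_orig_in_changes; then
        echo "OK:   .orig.tar present"
    else
        echo "FAIL: .orig.tar missing"
    fi
done
```

Only once both checks pass does the upload go out, for example with `dput security-master libssh_0.10.6-2~deb12u1_source.changes` (target name as in dput's default configuration; the version is the assumed one above).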