Hello Salvatore and Debian Security Team,

Salvatore Bonaccorso [2025-06-27 21:48 +0200]:
> The following vulnerabilities were published for libssh.
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-4877
>     https://www.cve.org/CVERecord?id=CVE-2025-4877
> [1] https://security-tracker.debian.org/tracker/CVE-2025-4878
>     https://www.cve.org/CVERecord?id=CVE-2025-4878
> [2] https://security-tracker.debian.org/tracker/CVE-2025-5318
>     https://www.cve.org/CVERecord?id=CVE-2025-5318
> [3] https://security-tracker.debian.org/tracker/CVE-2025-5351
>     https://www.cve.org/CVERecord?id=CVE-2025-5351
> [4] https://security-tracker.debian.org/tracker/CVE-2025-5372
>     https://www.cve.org/CVERecord?id=CVE-2025-5372
> [5] https://security-tracker.debian.org/tracker/CVE-2025-5449
>     https://www.cve.org/CVERecord?id=CVE-2025-5449
> [6] https://security-tracker.debian.org/tracker/CVE-2025-5987
>     https://www.cve.org/CVERecord?id=CVE-2025-5987
The unstable → testing fix for these just landed [1], thanks for nudging that!

I backported the fixes to the 0.10.6 package in bookworm. Note that CVE-2025-5449 does not apply to the 0.10.x and older series, none of the affected code exists. The other patches were relatively straightforward to backport.

I pushed the backport to salsa [2] already and locally prepared the update, debdiff at [3]. I didn't push the release tag/changelog commit to salsa yet, I'll do that once I get your ok to upload this.

Thanks,
Martin

[1] https://tracker.debian.org/news/1650288/libssh-0112-1-migrated-to-testing/
[2] https://salsa.debian.org/debian/libssh/-/commit/ae681fa733b65a2792d04660232e8e1407d92e75
[3] https://people.debian.org/~mpitt/tmp/libssh_0.10.6-0+deb12u2.debdiff