Hi Martin,

On Sun, Jul 06, 2025 at 04:35:09PM +0200, Martin Pitt wrote:
> Hello Salvatore and Debian Security Team,
>
> Salvatore Bonaccorso [2025-06-27 21:48 +0200]:
> > The following vulnerabilities were published for libssh.
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-4877
> >     https://www.cve.org/CVERecord?id=CVE-2025-4877
> > [1] https://security-tracker.debian.org/tracker/CVE-2025-4878
> >     https://www.cve.org/CVERecord?id=CVE-2025-4878
> > [2] https://security-tracker.debian.org/tracker/CVE-2025-5318
> >     https://www.cve.org/CVERecord?id=CVE-2025-5318
> > [3] https://security-tracker.debian.org/tracker/CVE-2025-5351
> >     https://www.cve.org/CVERecord?id=CVE-2025-5351
> > [4] https://security-tracker.debian.org/tracker/CVE-2025-5372
> >     https://www.cve.org/CVERecord?id=CVE-2025-5372
> > [5] https://security-tracker.debian.org/tracker/CVE-2025-5449
> >     https://www.cve.org/CVERecord?id=CVE-2025-5449
> > [6] https://security-tracker.debian.org/tracker/CVE-2025-5987
> >     https://www.cve.org/CVERecord?id=CVE-2025-5987
>
> The unstable → testing fix for these just landed [1], thanks for nudging that!
Welcome!

> I backported the fixes to the 0.10.6 package in bookworm. Note that
> CVE-2025-5449 does not apply to the 0.10.x and older series, none of the
> affected code exists. The other patches were relatively straightforward to
> backport.

Thanks, will have a look and update the security-tracker metadata.

> I pushed the backport to salsa [2] already and locally prepared the update,
> debdiff at [3]. I didn't push the release tag/changelog commit to salsa yet,
> I'll do that once I get your ok to upload this.

We did mark those actually all no-dsa, thinking they do not warrant a DSA.
But can you please fix those via the next bookworm-pu now that the upper
suite is fixed as well?

Thanks for your work!

Regards,
Salvatore