• Bug#1108459: unblock: libssh/0.11.2-1

    From Salvatore Bonaccorso@21:1/5 to Martin Pitt on Sat Jul 5 21:40:01 2025
    XPost: linux.debian.devel.release

    Hi,

    On Sun, Jun 29, 2025 at 10:12:58AM +0200, Martin Pitt wrote:
    > Package: release.debian.org
    > Severity: normal
    > User: [email protected]
    > Usertags: unblock
    > X-Debbugs-Cc: [email protected], [email protected]
    > Control: affects -1 + src:libssh
    >
    > Please unblock the recent libssh security update in unstable to land in trixie.
    >
    > [ Reason ]
    > That fixes a bunch of CVEs (https://bugs.debian.org/1108407, https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/),
    > plus some good fixes and minor cmake build system cleanups.

    One question here from the release team might be: Why are you
    following the 0.11.y stable releases instead of cherry-picking the
    fixes.

    For libssh, while it is not yet on the list of packages which fix
    the security issues through micro releases, libssh has a history of
    actually doing so:

    For the last bookworm-security update:
    https://bugs.debian.org/1059061#15 which resulted in an update from
    0.10.5-2 -> 0.10.6-0+deb12u1 and samewise back in bullseye-security it
    got bumped to 0.9.8-0+deb11u1. We have done so as well earlier for https://bugs.debian.org/1035832

    So to confirm: if trixie would have already been released, then a DSA
    for libssh likely would have accepted a 0.11.2-0+deb13u1 to address
    the mentioned CVEs and follow the released upstream version in the
    0.11.y branch.

    Regards,
    Salvatore
