Hi Martin,
On Sun, Jul 06, 2025 at 04:35:09PM +0200, Martin Pitt wrote:
Hello Salvatore and Debian Security Team,
Salvatore Bonaccorso [2025-06-27 21:48 +0200]:
The following vulnerabilities were published for libssh.
[0] https://security-tracker.debian.org/tracker/CVE-2025-4877
https://www.cve.org/CVERecord?id=CVE-2025-4877
[1] https://security-tracker.debian.org/tracker/CVE-2025-4878
https://www.cve.org/CVERecord?id=CVE-2025-4878
[2] https://security-tracker.debian.org/tracker/CVE-2025-5318
https://www.cve.org/CVERecord?id=CVE-2025-5318
[3] https://security-tracker.debian.org/tracker/CVE-2025-5351
https://www.cve.org/CVERecord?id=CVE-2025-5351
[4] https://security-tracker.debian.org/tracker/CVE-2025-5372
https://www.cve.org/CVERecord?id=CVE-2025-5372
[5] https://security-tracker.debian.org/tracker/CVE-2025-5449
https://www.cve.org/CVERecord?id=CVE-2025-5449
[6] https://security-tracker.debian.org/tracker/CVE-2025-5987
https://www.cve.org/CVERecord?id=CVE-2025-5987
The unstable → testing fix for these just landed [1], thanks for nudging that!
Welcome!
I backported the fixes to the 0.10.6 package in bookworm. Note that CVE-2025-5449 does not apply to the 0.10.x and older series, none of the affected code exists. The other patches were relatively straightforward to backport.
Thanks, will have a look and update the security-tracker metadata.
I pushed the backport to salsa [2] already and locally prepared the update, debdiff at [3]. I didn't push the release tag/changelog commit to salsa yet, I'll do that once I get your ok to upload this.
We did mark those actually all no-dsa, thinking they do not warrant a
DSA. But can you please fix those via the next bookworm-pu now that
the upper suite is fixed as well?
Thanks for your work!
Regards,
Salvatore