Hi Nicolas,

On Tue, Dec 19, 2023 at 01:35:50PM -0500, Nicolas Mora wrote:
> Hello, thanks for the notification!
>
> On 2023-12-19 at 03:26, Salvatore Bonaccorso wrote:
> > Source: libssh2
> > Version: 1.11.0-3
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/libssh2/libssh2/issues/1290
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> I've noticed on [1] that this CVE is fixed for libssh2 on bookworm and under; is that the case?
>
> I'm also wondering because they have the same version in bookworm and trixie, and the issue on GitHub doesn't mention the version that is affected, therefore I assume all versions are vulnerable, isn't that so?
It's not the same version :). bookworm has a 0.10.0 based version, whereas in testing and above we have a 1.11.0 based one. For bookworm and older there is no ChaCha20-Poly1305 and CBC-EtM support, which was only introduced after the 0.10.0 release. Thus for libssh2 only unstable needs fixing (and then the fix migrates to testing).

Does this help?

Regards,
Salvatore

