Hi Martin,

On Fri, Dec 22, 2023 at 12:09:35PM +0100, Martin Pitt wrote:
> Hello Salvatore,
>
> Salvatore Bonaccorso [2023-12-19 22:34 +0100]:
> > The following vulnerability was published for libssh.
> >
> > CVE-2023-6004[0]:
> > | ProxyCommand/ProxyJump features allow injection of malicious code
> > | through hostname
>
> I uploaded the new upstream security fix release 0.10.6 to unstable. It can
> have a round of autopkgtest regression tests now.
>
> I checked the non-CVE commits between 0.10.5 (in current stable) and 0.10.6:
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
> and IMHO they are all harmless/useful/targeted enough to be suitable for
> stable-security. We did that in the last round as well [1].
Ok, we can do that indeed. But see below.

> However, the fix for CVE-2023-6004 caused a regression:
> https://gitlab.com/libssh/libssh-mirror/-/issues/227
> I will monitor this, and include the fix in the security upload once it is
> available (or presumably they'll do a 0.10.7). So if it's alright with you,
> I'll delay the stable-security update for a few days.

Right, it's not that pressing that we get updates out, so let's monitor this,
have 0.10.7 uploaded and exposed as well then to unstable for a while and then
look at bookworm-security.

Btw, we will as well need bullseye-security.

Thanks for working on it!

Regards,
Salvatore