Control: tags -1 moreinfo confirmed

Martin Pitt:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Three months ago, a new libssh upstream bug fix release 0.8.7 was done, which
> fixes a dozen security issues, crashes, and other bugs:
>
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.8
> (the bits between 0.8.6 and 0.8.7)
>
> (Our package already has the oldest three patches backported)
> At first I wanted to cherry-pick, but honestly I think we should have all these
> fixes in buster, including the "Remove SHA384 HMAC" before that hits stable.
>
> I haven't yet uploaded this new version, as I'd like to get your approval
> first. If you do approve, I'll upload it to unstable, otherwise to experimental
> and later through s-p-u.
>
> I attach the full debdiff between the current unstable/testing version and the
> one I'd like to upload. If you prefer looking at it on salsa:
>
> These are the upstream changes:
> https://salsa.debian.org/debian/libssh/commit/aab54d0cc04dd
> and the corresponding packaging changes for it (dropping patches):
> https://salsa.debian.org/debian/libssh/commit/34591503a1b4b
>
> I also added valgrinding to the autopkgtest, which exposes a bug:
> https://salsa.debian.org/debian/libssh/commit/59593bc7cf4
>
> This bug also happens on 0.8.6 and earlier versions (not yet on 0.6.x), so this
> is unrelated to this particular upstream update, but I'd still like to land it
> to avoid regressions under valgrind.
>
> Thanks for considering!
>
> Martin Pitt
>
Hi Martin,

Please go ahead with the upload (with the debdiff attached to your initial
mail in the bug) and remove the moreinfo tag once it is in unstable ready to
be unblocked (e.g. autopkgtests have succeeded).

Thanks,
~Niels