-
libssh (0.9.6-2ubuntu0.22.04.3) jammy-security; urgency=medium
  * SECURITY UPDATE: code injection via ProxyCommand/ProxyJump hostname
    - debian/patches/CVE-2023-6004-*.patch: validate hostnames.
    - CVE-2023-6004
  * SECURITY UPDATE: DoS via incorrect return value checks
    - debian/patches/CVE-2023-6918-*.patch: check return values.
    - CVE-2023-6918
 -- Marc Deslauriers <email address hidden> Thu, 11 Jan 2024 07:44:15 -0500
-
libssh (0.9.6-2ubuntu0.22.04.2) jammy-security; urgency=medium
  * SECURITY UPDATE: Prefix truncation attack on BPP
    - debian/patches/CVE-2023-48795-1.patch: add client side mitigation.
    - debian/patches/CVE-2023-48795-2.patch: add server side mitigations.
    - debian/patches/CVE-2023-48795-3.patch: strip extensions from both kex
      lists for matching.
    - debian/patches/CVE-2023-48795-4.patch: tests: adjust calculation to
      strict kex.
    - CVE-2023-48795
 -- Marc Deslauriers <email address hidden> Mon, 18 Dec 2023 17:30:05 -0500
-
libssh (0.9.6-2ubuntu0.22.04.1) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential NULL dereference during rekeying with
    algorithm guessing
    - debian/patches/CVE-2023-1667-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-1667
  * SECURITY UPDATE: Authorization bypass in pki_verify_data_signature
    - debian/patches/CVE-2023-2283-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-2283
 -- Marc Deslauriers <email address hidden> Fri, 26 May 2023 06:31:25 -0400
-
libssh (0.9.6-2build1) jammy; urgency=high
  * No change rebuild for ppc64el baseline bump.
 -- Julian Andres Klode <email address hidden> Thu, 24 Mar 2022 17:13:50 +0100
-
libssh (0.9.6-2) unstable; urgency=medium
  [ Helmut Grohne ]
  * debian/control: Add preferred real zlib1g-dev build dep.
    As libz-dev is purely virtual.
  * Mark build dependencies for running unit tests.
    This reduces dependencies for bootstrapping. (Closes: #1002598)
  [ Martin Pitt ]
  * debian/copyright: Update and generalize. Replace some over-specific
    patterns with globs. A lot of files did not exist any more, a lot of new
    copyrights were missing. Spotted by lintian.
  * Adjust lintian overrides to renamed tag.
  * Quiesce very-long-line-length-in-source-file lintian warning for test keys
  * Mark Debian specific patches as not needing upstream forwarding.
    This quiesces two lintian complaints for `patch-not-forwarded-upstream`.
    Don't mark 1003-custom-lib-names.patch, as that one actually is suitable
    for upstream.
 -- Martin Pitt <email address hidden> Sat, 25 Dec 2021 19:36:01 +0100
-
libssh (0.9.6-1build1) jammy; urgency=medium
  * No-change rebuild against openssl3
 -- Jeremy Bicha <email address hidden> Sun, 05 Dec 2021 12:43:22 -0500
-
libssh (0.9.6-1) unstable; urgency=medium
  * New upstream version 0.9.6:
    - Fix possible heap-buffer overflow when rekeying with different key
      exchange mechanism (Closes: #993046, CVE-2021-3634)
  * Refresh 2004-install-static-lib.patch for new upstream version
  * Bump Standards-Version to 4.6.0. No changes necessary.
  * debian/control: Declare Rules-Requires-Root: no
 -- Martin Pitt <email address hidden> Sat, 28 Aug 2021 12:51:05 +0200