dwww Home | Show directory contents | Find package

libssh (0.10.6-0+deb12u1) bookworm-security; urgency=medium

  * New upstream security release:
   - Fix Command injection using ProxyCommand
     (CVE-2023-6004, Closes: #1059061)
   - Fix missing checks for return values of MD functions
     (CVE-2023-6918, Closes: #1059059)
   - Fix potential downgrade attack using strict kex
     (CVE-2023-48795, Closes: #1059004)
  * Fix regression in IPv6 addresses in hostname parsing from CVE-2023-6004
    fix.  Patch and unit test backported from upstream stable-0.10 branch.
    See https://gitlab.com/libssh/libssh-mirror/-/issues/227

 -- Martin Pitt <mpitt@debian.org>  Mon, 25 Dec 2023 11:15:40 +0100

libssh (0.10.5-2) unstable; urgency=medium

  * Revert "Bump debhelper from old 12 to 13."
    This is not appropriate at this point of the release cycle any more.

 -- Martin Pitt <mpitt@debian.org>  Wed, 17 May 2023 19:56:56 +0000

libssh (0.10.5-1) unstable; urgency=high

  [ Martin Pitt ]
  * New upstream security release (thus high urgency):
    - Fix authenticated remote DoS through potential NULL dereference during rekeying
      with algorithm guessing (CVE-2023-1667)
      https://www.libssh.org/security/advisories/CVE-2023-1667.txt
    - Client authentication bypass in pki_verify_data_signature() in low-memory
      conditions with OpenSSL backend; gcrypt backend is not affected
      https://www.libssh.org/security/advisories/CVE-2023-2283.txt
      (CVE-2023-2283, Closes: #1035832)
  * Bump Standards-Version to 4.6.2. No changes necessary.
  * Drop debian/source/lintian-overrides. It now causes a "mismatched-override"
    warning, and apparently is not necessary any more.
  * debian/copyright: Drop files which don't exist any more.
    Spotted by lintian's "superfluous-file-pattern" warnings.

  [ Debian Janitor ]
  * Bump debhelper from old 12 to 13.
  * Avoid explicitly specifying -Wl,--as-needed linker flag.

 -- Martin Pitt <mpitt@debian.org>  Wed, 10 May 2023 08:00:26 +0200

libssh (0.10.4-2) unstable; urgency=medium

  * autopkgtest: Drop valgrind run. This hasn't worked for years on many
    architectures, is also acting up on s390x, and does not belong into a
    downstream integration test.

 -- Martin Pitt <mpitt@debian.org>  Mon, 19 Sep 2022 10:41:22 +0200

libssh (0.10.4-1) unstable; urgency=medium

  * New upstream release (Closes: #1019260)
  * Disable new tilde expansion test. This does not work in our buildd
    environment for the same reason as the two in torture_misc. Update
    debian/patches/2003-disable-expand_tilde_unix-test.patch accordingly.
  * debian/*.symbols: Add newly exported symbols
  * Bump Standards-Version to 4.6.1. No changes needed.

 -- Martin Pitt <mpitt@debian.org>  Wed, 14 Sep 2022 08:13:19 +0200

libssh (0.9.6-2) unstable; urgency=medium

  [ Helmut Grohne ]
  * debian/control: Add preferred real zlib1g-dev build dep.
    As libz-dev is purely virtual.
  * Mark build dependencies for running unit tests.
    This reduces dependencies for bootstrapping. (Closes: #1002598)

  [ Martin Pitt ]
  * debian/copyright: Update and generalize. Replace some over-specific
    patterns with globs. A lot of files did not exist any more, a lot of new
    copyrights were missing.  Spotted by lintian.
  * Adjust lintian overrides to renamed tag.
  * Quiesce very-long-line-length-in-source-file lintian warning for test keys
  * Mark Debian specific patches as not needing upstream forwarding.
    This quiesces two lintian complaints for `patch-not-forwarded-upstream`.
    Don't mark 1003-custom-lib-names.patch, as that one actually is suitable
    for upstream.

 -- Martin Pitt <mpitt@debian.org>  Sat, 25 Dec 2021 19:36:01 +0100

libssh (0.9.6-1) unstable; urgency=medium

  * New upstream version 0.9.6:
    - Fix possible heap-buffer overflow when rekeying with different key
      exchange mechanism (Closes: #993046, CVE-2021-3634)
  * Refresh 2004-install-static-lib.patch for new upstream version
  * Bump Standards-Version to 4.6.0. No changes necessary.
  * debian/control: Declare Rules-Requires-Root: no

 -- Martin Pitt <mpitt@debian.org>  Sat, 28 Aug 2021 12:51:05 +0200

libssh (0.9.5-1) unstable; urgency=medium

  [ Laurent Bigonville ]
  * New upstream version 0.9.5
    - Fix a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns
      NULL. (Closes: #966560 CVE-2020-16135)
  * Drop d/p/1004-hurd-ftbfs.patch, applied upstream
  * Drop d/p/1005-reproducible-doc.patch, applied upstream
  * debian/control: Add openssh-server to the BD

  [ Sebastien Bacher ]
  * debian/control: don't build with nacl, it's not needed when building
    openssl, see https://bugs.libssh.org/T235 (Closes: #964134)

 -- Laurent Bigonville <bigon@debian.org>  Wed, 18 Nov 2020 10:01:23 +0100

libssh (0.9.4-2) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Set debhelper-compat version in Build-Depends.
  * Drop transition for old debug package migration.

  [ Colin Watson ]
  * Fix autopkgtests with OpenSSH 8.4p1 (closes: #974039).

  [ Laurent Bigonville ]
  * debian/copyright: Remove duplicate in the list of files (tests/torture.c)

 -- Laurent Bigonville <bigon@debian.org>  Thu, 12 Nov 2020 15:01:03 +0100

libssh (0.9.4-1) unstable; urgency=medium

  * New upstream release
    - Fix possible DoS in client and server when handling AES-CTR keys with
      OpenSSL (Closes: #956308 CVE-2020-1730)
  * debian/control: Bump Standards-Version to 4.5.0 (no further changes)
  * Add default debian/salsa-ci.yml file
  * d/p/1004-hurd-ftbfs.patch: Fix FTBFS on hurd-i386 (Closes: #933015)
  * d/p/1005-reproducible-doc.patch: Make the documentation reproducible

 -- Laurent Bigonville <bigon@debian.org>  Thu, 09 Apr 2020 22:27:02 +0200

libssh (0.9.3-2) unstable; urgency=medium

  * debian/rules: Rename libssh-gcrypt.a to libssh.a to ensure that the
    correct static library is installed in the libssh-gcrypt-dev package

 -- Laurent Bigonville <bigon@debian.org>  Sun, 15 Dec 2019 19:18:53 +0100

libssh (0.9.3-1) unstable; urgency=medium

  [ Laurent Bigonville ]
  * New upstream release
    - Fix an unsanitized location in scp that could lead to unwanted command
      execution (Closes: #946548 CVE-2019-14889)
    - d/p/1003-custom-lib-names.patch: Refreshed
    - d/p/2003-disable-expand_tilde_unix-test.patch: Refreshed
    - debian/rules: Fix the parameter name used to build the static library
    - debian/patches/install_static_lib.patch: Install the static library again
  * debian/control: Bump Standards-Version to 4.4.1 (no further changes)
  * Bump debhelper compatibility to 12

  [ Sebastien Bacher ]
  * debian/tests/libssh-server:
    - Use the correct compiler for proposed autopkgtest cross-testing
      support. (Closes: #946536)

 -- Laurent Bigonville <bigon@debian.org>  Sun, 15 Dec 2019 12:46:20 +0100

libssh (0.9.0-1) unstable; urgency=medium

  * New upstream release
    - debian/*.symbols: Add newly exported symbols
  * debian/control: Bump Standards-Version to 4.4.0 (no further changes)

 -- Laurent Bigonville <bigon@debian.org>  Thu, 11 Jul 2019 12:35:29 +0200

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libssh-gcrypt-4`.

Generated by dwww version 1.15 on Sun Jun 16 20:36:02 CEST 2024.