Discussion:
Bug#1057107: bullseye-pu: package libssh2/1.9.0-2
Nicolas Mora
2023-11-29 21:30:01 UTC
Package: release.debian.org
Severity: normal
Tags: bullseye
User: ***@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ***@packages.debian.org, ***@security.debian.org
Control: affects -1 + src:libssh2

[ Reason ]
Fix CVE-2020-22218
https://security-tracker.debian.org/tracker/CVE-2020-22218

[ Impact ]
allows attackers to access out of bounds memory

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
This is a backport of the PR 476
Debian Bug Tracking System
2023-11-29 21:30:01 UTC
Post by Nicolas Mora
affects -1 + src:libssh2
Bug #1057107 [release.debian.org] bullseye-pu: package libssh2/1.9.0-2
Added indication that 1057107 affects src:libssh2
--
1057107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057107
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Nicolas Mora
2023-11-29 21:40:01 UTC
See the debdiff attached
Jonathan Wiltshire
2023-12-19 21:50:02 UTC
Control: tag -1 moreinfo

Hi,
Post by Nicolas Mora
See the debdiff attached
diff -Nru libssh2-1.9.0/debian/changelog libssh2-1.9.0/debian/changelog
--- libssh2-1.9.0/debian/changelog 2020-12-14 10:02:16.000000000 -0500
+++ libssh2-1.9.0/debian/changelog 2023-11-29 07:00:07.000000000 -0500
@@ -1,3 +1,9 @@
+libssh2 (1.9.0-2+debu11u1) bullseye; urgency=medium
Extra 'u' in the version.
Post by Nicolas Mora
+
+ * d/patches: Fix CVE-2020-22218
+
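Review bot: the version on the first added changelog line, `1.9.0-2+debu11u1`, has a stray `u` and should match the `1.9.0-2+deb11u1` form the upload is later accepted under. The entry text `* d/patches: Fix CVE-2020-22218` gives only the CVE number; it should say what is fixed and where, for example that it corrects the out of bounds memory check in `_libssh2_packet_add`, and that the patch is a backport of PR 476 as stated in the request.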
This is not a good changelog description, please expand it.


Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Nicolas Mora
2023-12-20 01:00:01 UTC
Hello,

Thank you for the feedback, the new attached debdiff should fix these.

Thanks!
Jonathan Wiltshire
2024-02-06 18:10:02 UTC
Hi,
Post by Nicolas Mora
Hello,
Thank you for the feedback, the new attached debdiff should fix these.
Sorry, your message was not seen in time for 11.9 because the request is
still tagged moreinfo. It will be considered for 11.10.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Nicolas Mora
2024-02-06 19:10:02 UTC
Control: tag - moreinfo

Thanks,

Sorry, it seems that I'm not very well aware of the BTS process,
according to [1] this is how I should untag the bug.

[1] https://www.debian.org/Bugs/server-control
Nicolas Mora
2024-02-06 19:40:01 UTC
Control: tag -1 moreinfo

Thanks,
Nicolas Mora
2024-02-06 19:40:01 UTC
Control: tag +1 moreinfo

Thanks,
Salvatore Bonaccorso
2024-02-06 21:00:01 UTC
Hi Nicolas,
Post by Nicolas Mora
Control: tag - moreinfo
Thanks,
Sorry, it seems that I'm not very well aware of the BTS process, according
to [1] this is how I should untag the bug.
[1] https://www.debian.org/Bugs/server-control
If you provide the moreinfo which was requested, then you can remove
the tag as follows (or with an equivalent control command, e.g. using
-1 for the bug if directly interacting with the bug).

tags 1057107 - moreinfo

Hope this helps. Too bad we missed 11.9 for this upload.

Regards,
Salvatore
Jonathan Wiltshire
2024-04-22 17:10:03 UTC
Control: tag -1 confirmed
Post by Nicolas Mora
Hello,
Thank you for the feedback, the new attached debdiff should fix these.
Thanks!
Please go ahead.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Nicolas Mora
2024-04-22 21:20:01 UTC
Post by Jonathan Wiltshire
Please go ahead.
Thanks, it's uploaded
Debian Bug Tracking System
2023-12-19 21:50:02 UTC
Post by Jonathan Wiltshire
tag -1 moreinfo
Bug #1057107 [release.debian.org] bullseye-pu: package libssh2/1.9.0-2
Added tag(s) moreinfo.
--
1057107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057107
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2024-02-06 19:40:01 UTC
Post by Jonathan Wiltshire
tag -1 moreinfo
Bug #1057107 [release.debian.org] bullseye-pu: package libssh2/1.9.0-2
Ignoring request to alter tags of bug #1057107 to the same tags previously set
--
1057107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057107
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2024-04-22 17:10:05 UTC
Post by Jonathan Wiltshire
tag -1 confirmed
Bug #1057107 [release.debian.org] bullseye-pu: package libssh2/1.9.0-2
Added tag(s) confirmed.
--
1057107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057107
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2024-04-23 16:50:01 UTC
package release.debian.org
tags 1057107 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: libssh2
Version: 1.9.0-2+deb11u1

Explanation: fix out of bounds memory check in _libssh2_packet_add [CVE-2020-22218]
Debian Bug Tracking System
2024-04-23 16:50:02 UTC
Post by Jonathan Wiltshire
package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
Post by Jonathan Wiltshire
tags 1057107 = bullseye pending
Bug #1057107 [release.debian.org] bullseye-pu: package libssh2/1.9.0-2
Added tag(s) pending; removed tag(s) confirmed.
Post by Jonathan Wiltshire
thanks
Stopping processing here.

Please contact me if you need assistance.
--
1057107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057107
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems