libssh (0.9.6-2ubuntu0.22.04.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Write beyond bounds in binary to base64 conversion
    functions
    - debian/patches/CVE-2025-4877.patch: prevent integer overflow and
      potential OOB.
    - CVE-2025-4877
  * SECURITY UPDATE: Use of uninitialized variable in
    privatekey_from_file()
    - debian/patches/CVE-2025-4878-1.patch: initialize pointers where
      possible.
    - debian/patches/CVE-2025-4878-2.patch: properly check return value to
      avoid NULL pointer dereference.
    - CVE-2025-4878
  * SECURITY UPDATE: OOB read in sftp_handle function
    - debian/patches/CVE-2025-5318.patch: fix possible buffer overrun.
    - CVE-2025-5318
  * SECURITY UPDATE: ssh_kdf() returns a success code on certain failures
    - debian/patches/CVE-2025-5372-pre1.patch: Reformat ssh_kdf().
    - debian/patches/CVE-2025-5372.patch: simplify error checking and
      handling of return codes in ssh_kdf().
    - CVE-2025-5372
  * SECURITY UPDATE: Missing packet filter may expose to variant of
    Terrapin attack
    - debian/patches/missing_packet_filter.patch: implement missing packet
      filter for DH GEX.
    - No CVE number

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 02 Jul 2025 14:48:47 -0400

libssh (0.9.6-2ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: code injection via ProxyCommand/ProxyJump hostname
    - debian/patches/CVE-2023-6004-*.patch: validate hostnames.
    - CVE-2023-6004
  * SECURITY UPDATE: DoS via incorrect return value checks
    - debian/patches/CVE-2023-6918-*.patch: check return values.
    - CVE-2023-6918

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 11 Jan 2024 07:44:15 -0500

libssh (0.9.6-2ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Prefix truncation attack on BPP
    - debian/patches/CVE-2023-48795-1.patch: add client side mitigation.
    - debian/patches/CVE-2023-48795-2.patch: add server side mitigations.
    - debian/patches/CVE-2023-48795-3.patch: strip extensions from both kex
      lists for matching.
    - debian/patches/CVE-2023-48795-4.patch: tests: adjust calculation to
      strict kex.
    - CVE-2023-48795

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 18 Dec 2023 17:30:05 -0500

libssh (0.9.6-2ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential NULL dereference during rekeying with
    algorithm guessing
    - debian/patches/CVE-2023-1667-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-1667
  * SECURITY UPDATE: Authorization bypass in pki_verify_data_signature
    - debian/patches/CVE-2023-2283-*.patch: upstream patches to fix the
      issue.
    - CVE-2023-2283

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 26 May 2023 06:31:25 -0400

libssh (0.9.6-2build1) jammy; urgency=high

  * No change rebuild for ppc64el baseline bump.

 -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 24 Mar 2022 17:13:50 +0100

libssh (0.9.6-2) unstable; urgency=medium

  [ Helmut Grohne ]
  * debian/control: Add preferred real zlib1g-dev build dep.
    As libz-dev is purely virtual.
  * Mark build dependencies for running unit tests.
    This reduces dependencies for bootstrapping. (Closes: #1002598)

  [ Martin Pitt ]
  * debian/copyright: Update and generalize.
    Replace some over-specific patterns with globs. A lot of files did not
    exist any more, a lot of new copyrights were missing.
    Spotted by lintian.
  * Adjust lintian overrides to renamed tag.
  * Quiesce very-long-line-length-in-source-file lintian warning for test
    keys
  * Mark Debian specific patches as not needing upstream forwarding.
    This quiesces two lintian complaints for
    `patch-not-forwarded-upstream`.
    Don't mark 1003-custom-lib-names.patch, as that one actually is
    suitable for upstream.

 -- Martin Pitt <mpitt@debian.org>  Sat, 25 Dec 2021 19:36:01 +0100

libssh (0.9.6-1) unstable; urgency=medium

  * New upstream version 0.9.6:
    - Fix possible heap-buffer overflow when rekeying with different key
      exchange mechanism (Closes: #993046, CVE-2021-3634)
  * Refresh 2004-install-static-lib.patch for new upstream version
  * Bump Standards-Version to 4.6.0. No changes necessary.
  * debian/control: Declare Rules-Requires-Root: no

 -- Martin Pitt <mpitt@debian.org>  Sat, 28 Aug 2021 12:51:05 +0200

libssh (0.9.5-1) unstable; urgency=medium

  [ Laurent Bigonville ]
  * New upstream version 0.9.5
    - Fix a NULL pointer dereference in tftpserver.c if ssh_buffer_new
      returns NULL. (Closes: #966560 CVE-2020-16135)
  * Drop d/p/1004-hurd-ftbfs.patch, applied upstream
  * Drop d/p/1005-reproducible-doc.patch, applied upstream
  * debian/control: Add openssh-server to the BD

  [ Sebastien Bacher ]
  * debian/control: don't build with nacl, it's not needed when building
    openssl, see https://bugs.libssh.org/T235 (Closes: #964134)

 -- Laurent Bigonville <bigon@debian.org>  Wed, 18 Nov 2020 10:01:23 +0100

libssh (0.9.4-2) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Set debhelper-compat version in Build-Depends.
  * Drop transition for old debug package migration.

  [ Colin Watson ]
  * Fix autopkgtests with OpenSSH 8.4p1 (closes: #974039).

  [ Laurent Bigonville ]
  * debian/copyright: Remove duplicate in the list of files
    (tests/torture.c)

 -- Laurent Bigonville <bigon@debian.org>  Thu, 12 Nov 2020 15:01:03 +0100

libssh (0.9.4-1) unstable; urgency=medium

  * New upstream release
    - Fix possible DoS in client and server when handling AES-CTR keys with
      OpenSSL (Closes: #956308 CVE-2020-1730)
  * debian/control: Bump Standards-Version to 4.5.0 (no further changes)
  * Add default debian/salsa-ci.yml file
  * d/p/1004-hurd-ftbfs.patch: Fix FTBFS on hurd-i386 (Closes: #933015)
  * d/p/1005-reproducible-doc.patch: Make the documentation reproducible

 -- Laurent Bigonville <bigon@debian.org>  Thu, 09 Apr 2020 22:27:02 +0200

# For older changelog entries, run 'apt-get changelog libssh-doc'