[Git][security-tracker-team/security-tracker][master] Reserve DLA-4385-1 for libssh

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Thu Nov 27 09:36:28 GMT 2025



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0c7492e2 by Emilio Pozuelo Monfort at 2025-11-27T10:36:13+01:00
Reserve DLA-4385-1 for libssh

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -27150,7 +27150,6 @@ CVE-2025-8277 (A flaw was found in libssh's handling of key exchange (KEX) proce
 	- libssh 0.11.3-1 (bug #1114859)
 	[trixie] - libssh 0.11.2-1+deb13u1
 	[bookworm] - libssh <no-dsa> (Minor issue)
-	[bullseye] - libssh <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2383888
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-8277.txt
 	NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=ffed80f8c078122990a4eba2b275facd56dd43e0
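
Review bot: the context line "[bookworm] - libssh <no-dsa> (Minor issue)" is left unchanged here, and the same line stays in the other five libssh entries touched below, so once the bullseye line is dropped in favour of the DLA, bullseye is tracked as fixed while bookworm still carries the issue with no update planned. Consider following up with a bookworm point-release upload (or a NOTE recording that one is pending) so the newer suite does not stay behind the LTS one for these CVEs.
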
@@ -41540,7 +41539,6 @@ CVE-2025-8114 (A flaw was found in libssh, a library that implements the SSH pro
 	- libssh 0.11.3-1 (bug #1109860)
 	[trixie] - libssh 0.11.2-1+deb13u1
 	[bookworm] - libssh <no-dsa> (Minor issue)
-	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2383220
 	NOTE: https://gitlab.com/libssh/libssh-mirror/-/issues/317
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-8114.txt
@@ -50610,7 +50608,6 @@ CVE-2025-5449 (A flaw was found in the SFTP server message decoding logic of lib
 CVE-2025-5372 (A flaw was found in libssh versions built with OpenSSL versions older  ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
-	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-5372.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 (libssh-0.11.2)
 CVE-2025-5351 (A flaw was found in the key export functionality of libssh. The issue  ...)
@@ -50622,20 +50619,17 @@ CVE-2025-5351 (A flaw was found in the key export functionality of libssh. The i
 CVE-2025-5318 (A flaw was found in the libssh library in versions less than 0.11.2. A ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
-	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-5318.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466 (libssh-0.11.2)
 CVE-2025-4878 (A vulnerability was found in libssh, where an uninitialized variable e ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
-	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-4878.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 (libssh-0.11.2)
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb (libssh-0.11.2)
 CVE-2025-4877 (There's a vulnerability in the libssh package where when a libssh cons ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
-	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-4877.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d (libssh-0.11.2)
 CVE-2025-5087 (Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely usin ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[27 Nov 2025] DLA-4385-1 libssh - security update
+	{CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 CVE-2025-8114 CVE-2025-8277}
+	[bullseye] - libssh 0.9.8-0+deb11u2
 [26 Nov 2025] DLA-4384-1 samba - security update
 	{CVE-2025-9640}
 	[bullseye] - samba 2:4.13.13+dfsg-1~deb11u7
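
Review bot: the brace list on the second added line names six CVEs, which matches the six "[bullseye]" lines removed from data/CVE/list, but CVE-2025-5351 and CVE-2025-5449 also show up as context in that file and are not listed here, and their bullseye status is not visible in this patch. If 0.9.8-0+deb11u2 addresses either of them, add the ID to this list; if not, check that each has an explicit bullseye entry in data/CVE/list so the omission is deliberate and documented.
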


=====================================
data/dla-needed.txt
=====================================
@@ -193,10 +193,6 @@ libsoup2.4
   NOTE: 20250520: than me with getting the backported tests to run.  (spwhitton)
   NOTE: 20250630: spwhitton contributor status: inactive
 --
-libssh (Emilio)
-  NOTE: 20251118: Added by pochu
-  NOTE: 20251118: several no-dsa issues, backport fixes (pochu)
---
 libxmltok
   NOTE: 20250421: Added by Front-Desk (ta)
   NOTE: 20250421: Also review all other expat CVEs. (bunk)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c7492e2b88fe5519519cd138fd2aaab26516aea
