Bug#1059294: trilead-ssh2: CVE-2023-48795
Andreas Tille
andreas at an3as.eu
Tue Feb 18 16:21:55 GMT 2025
Hi,
since trilead-ssh2 came up as a candidate for the Bug of the Day[1]. I
realised the watch file was outdated and pointed it to Github where a
long series of newer releases was tagged. Unfortunately the version
string is a bit unfortunate and we might need an epoch most probably.
I found some workaround without this for the moment but I'd recommend
to find a better solution.
Upstream does *not* mention CVE-2023-48795 inside the code and the Git
log. However, the log mentions CVE-2021-22569 - so its probably worth
uploading the latest version anyway and ping upstream about
CVE-2023-48795.
Unfortunately its not that simple to build the new upstream version. As
you can see in Salsa CI[2] it seems we need two new Build-Depends. Thus
for the moment I simply updated the metadata of the package and hope
someone else will catch up from here.
Kind regards
Andreas.
[1] https://salsa.debian.org/tille/tiny_qa_tools/-/wikis/Tiny-QA-tasks#bug-of-the-day
[2] https://salsa.debian.org/java-team/trilead-ssh2/-/jobs/7114202#L1665
--
https://fam-tille.de
More information about the pkg-java-maintainers
mailing list