Format: 1.8
Date: Wed, 26 Nov 2025 10:29:30 +0100
Source: libssh
Architecture: source
Version: 0.10.6-0+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Laurent Bigonville
Changed-By: Emilio Pozuelo Monfort
Closes: 1108407
Changes:
 libssh (0.10.6-0+deb12u2) bookworm; urgency=medium
 .
   [ Martin Pitt ]
   * stable-security → bookworm-security
   * Backport security patches from 0.11.2.
     - CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions
     - CVE-2025-4878: Use of uninitialized variable in privatekey_from_file()
     - CVE-2025-5318: Likely read beyond bounds in sftp server handle management
     - CVE-2025-5351: Double free in functions exporting keys
     - CVE-2025-5372: ssh_kdf() returns a success code on certain failures
     - CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend
     https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/
     (Closes: #1108407)
 .
   [ Emilio Pozuelo Monfort ]
   * Add patch for CVE-2025-8114
   * Add patches for CVE-2025-8277