libssh (0.11.2-1+deb13u1) trixie; urgency=medium

  * CVE-2025-8277 (Closes: #1114859)
  * CVE-2025-8114 (Closes: #1109860)

 -- Moritz Mühlenhoff <jmm@debian.org>  Tue, 04 Nov 2025 00:32:14 +0100

libssh (0.11.2-1) unstable; urgency=medium

  * New upstream security/bug fix release:
    - CVE-2025-4877: Write beyond bounds in binary to base64 conversion
      functions
    - CVE-2025-4878: Use of uninitialized variable in privatekey_from_file()
    - CVE-2025-5318: Likely read beyond bounds in sftp server handle
      management
    - CVE-2025-5351: Double free in functions exporting keys
    - CVE-2025-5372: ssh_kdf() returns a success code on certain failures
    - CVE-2025-5449: Likely read beyond bounds in sftp server message decoding
    - CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL
      backend
    (Closes: #1108407)
  * Drop 0001-Fix-multiple-digit-major-version-for-OpenSSH.patch.
    Applied upstream.

 -- Martin Pitt <mpitt@debian.org>  Sat, 28 Jun 2025 07:42:47 +0200

libssh (0.11.1-2) unstable; urgency=medium

  * Fix multiple digit major version for OpenSSH.
    Patch cherry-picked from upstream master. (Closes: #1103224)
  * Update Standards-Version to 4.7.2. No changes necessary.
  * debian/copyright: Move to FSF URL.
    Fixes "old-fsf-address-in-copyright-file" lintian warning.

 -- Martin Pitt <mpitt@debian.org>  Tue, 22 Apr 2025 12:21:58 +0000

libssh (0.11.1-1) unstable; urgency=medium

  [ Simon Josefsson ]
  * New upstream version 0.11.1 (Closes: #1078677)
  * Add new upstream signing key to d/upstream/signing-key.asc
  * Refresh patches for new upstream release.
    Drop 0001-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch and
    0002-tests-Increase-test-coverage-for-IPv6-address-parsin.patch, applied
    upstream.
  * Update symbols file
  * Use pkgconf instead of obsolete pkg-config
  * Add d/upstream/metadata
  * Bump d/copyright years

  [ Bastian Germann ]
  * Drop gcrypt flavor (Closes: #1074337)
  * d/copyright: Move blowfish files to their own section

  [ Martin Pitt ]
  * Bump Standards-Version to 4.7.0

  [ Debian Janitor ]
  * debian/control: Remove constraints unnecessary since buster (oldstable)

 -- Martin Pitt <mpitt@debian.org>  Wed, 04 Sep 2024 08:27:52 +0200

libssh (0.10.6-3) unstable; urgency=medium

  * debian/copyright: Add bcrypt_pbkdf.c (Closes: #1071567)

 -- Martin Pitt <mpitt@debian.org>  Mon, 03 Jun 2024 07:32:19 +0200

libssh (0.10.6-2) unstable; urgency=medium

  * Fix regression in IPv6 addresses in hostname parsing.
    Patch and unit test backported from upstream stable-0.10 branch.
    See https://gitlab.com/libssh/libssh-mirror/-/issues/227

 -- Martin Pitt <mpitt@debian.org>  Fri, 22 Dec 2023 16:29:47 +0100

libssh (0.10.6-1) unstable; urgency=high

  * New upstream security release (thus high urgency):
    - Fix Command injection using ProxyCommand
      (CVE-2023-6004, Closes: #1059061)
    - Fix missing checks for return values of MD functions
      (CVE-2023-6918, Closes: #1059059)
    - Fix potential downgrade attack using strict kex
      (CVE-2023-48795, Closes: #1059004)

 -- Martin Pitt <mpitt@debian.org>  Fri, 22 Dec 2023 09:46:12 +0100

libssh (0.10.5-3) unstable; urgency=medium

  * Bump debhelper compat level to 13.
  * Remove compile_commands.json during package cleaning. Fixes "Fails to
    build source after successful build". (Closes: #1045639)

 -- Martin Pitt <mpitt@debian.org>  Fri, 18 Aug 2023 17:01:59 +0200

libssh (0.10.5-2) unstable; urgency=medium

  * Revert "Bump debhelper from old 12 to 13."
    This is not appropriate at this point of the release cycle any more.

 -- Martin Pitt <mpitt@debian.org>  Wed, 17 May 2023 19:56:56 +0000

libssh (0.10.5-1) unstable; urgency=high

  [ Martin Pitt ]
  * New upstream security release (thus high urgency):
    - Fix authenticated remote DoS through potential NULL dereference during rekeying
      with algorithm guessing (CVE-2023-1667)
      https://www.libssh.org/security/advisories/CVE-2023-1667.txt
    - Client authentication bypass in pki_verify_data_signature() in low-memory
      conditions with OpenSSL backend; gcrypt backend is not affected
      https://www.libssh.org/security/advisories/CVE-2023-2283.txt
      (CVE-2023-2283, Closes: #1035832)
  * Bump Standards-Version to 4.6.2. No changes necessary.
  * Drop debian/source/lintian-overrides. It now causes a "mismatched-override"
    warning, and apparently is not necessary any more.
  * debian/copyright: Drop files which don't exist any more.
    Spotted by lintian's "superfluous-file-pattern" warnings.

  [ Debian Janitor ]
  * Bump debhelper from old 12 to 13.
  * Avoid explicitly specifying -Wl,--as-needed linker flag.

 -- Martin Pitt <mpitt@debian.org>  Wed, 10 May 2023 08:00:26 +0200

libssh (0.10.4-2) unstable; urgency=medium

  * autopkgtest: Drop valgrind run. This hasn't worked for years on many
    architectures, is also acting up on s390x, and does not belong into a
    downstream integration test.

 -- Martin Pitt <mpitt@debian.org>  Mon, 19 Sep 2022 10:41:22 +0200

libssh (0.10.4-1) unstable; urgency=medium

  * New upstream release (Closes: #1019260)
  * Disable new tilde expansion test. This does not work in our buildd
    environment for the same reason as the two in torture_misc. Update
    debian/patches/2003-disable-expand_tilde_unix-test.patch accordingly.
  * debian/*.symbols: Add newly exported symbols
  * Bump Standards-Version to 4.6.1. No changes needed.

 -- Martin Pitt <mpitt@debian.org>  Wed, 14 Sep 2022 08:13:19 +0200

libssh (0.9.6-2) unstable; urgency=medium

  [ Helmut Grohne ]
  * debian/control: Add preferred real zlib1g-dev build dep.
    As libz-dev is purely virtual.
  * Mark build dependencies for running unit tests.
    This reduces dependencies for bootstrapping. (Closes: #1002598)

  [ Martin Pitt ]
  * debian/copyright: Update and generalize. Replace some over-specific
    patterns with globs. A lot of files did not exist any more, a lot of new
    copyrights were missing. Spotted by lintian.
  * Adjust lintian overrides to renamed tag.
  * Quiesce very-long-line-length-in-source-file lintian warning for test keys
  * Mark Debian specific patches as not needing upstream forwarding.
    This quiesces two lintian complaints for `patch-not-forwarded-upstream`.
    Don't mark 1003-custom-lib-names.patch, as that one actually is suitable
    for upstream.

 -- Martin Pitt <mpitt@debian.org>  Sat, 25 Dec 2021 19:36:01 +0100

libssh (0.9.6-1) unstable; urgency=medium

  * New upstream version 0.9.6:
    - Fix possible heap-buffer overflow when rekeying with different key
      exchange mechanism (Closes: #993046, CVE-2021-3634)
  * Refresh 2004-install-static-lib.patch for new upstream version
  * Bump Standards-Version to 4.6.0. No changes necessary.
  * debian/control: Declare Rules-Requires-Root: no

 -- Martin Pitt <mpitt@debian.org>  Sat, 28 Aug 2021 12:51:05 +0200

libssh (0.9.5-1) unstable; urgency=medium

  [ Laurent Bigonville ]
  * New upstream version 0.9.5
    - Fix a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns
      NULL. (Closes: #966560 CVE-2020-16135)
  * Drop d/p/1004-hurd-ftbfs.patch, applied upstream
  * Drop d/p/1005-reproducible-doc.patch, applied upstream
  * debian/control: Add openssh-server to the BD

  [ Sebastien Bacher ]
  * debian/control: don't build with nacl, it's not needed when building
    openssl, see https://bugs.libssh.org/T235 (Closes: #964134)

 -- Laurent Bigonville <bigon@debian.org>  Wed, 18 Nov 2020 10:01:23 +0100

libssh (0.9.4-2) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Set debhelper-compat version in Build-Depends.
  * Drop transition for old debug package migration.

  [ Colin Watson ]
  * Fix autopkgtests with OpenSSH 8.4p1 (closes: #974039).

  [ Laurent Bigonville ]
  * debian/copyright: Remove duplicate in the list of files (tests/torture.c)

 -- Laurent Bigonville <bigon@debian.org>  Thu, 12 Nov 2020 15:01:03 +0100

libssh (0.9.4-1) unstable; urgency=medium

  * New upstream release
    - Fix possible DoS in client and server when handling AES-CTR keys with
      OpenSSL (Closes: #956308 CVE-2020-1730)
  * debian/control: Bump Standards-Version to 4.5.0 (no further changes)
  * Add default debian/salsa-ci.yml file
  * d/p/1004-hurd-ftbfs.patch: Fix FTBFS on hurd-i386 (Closes: #933015)
  * d/p/1005-reproducible-doc.patch: Make the documentation reproducible

 -- Laurent Bigonville <bigon@debian.org>  Thu, 09 Apr 2020 22:27:02 +0200

libssh (0.9.3-2) unstable; urgency=medium

  * debian/rules: Rename libssh-gcrypt.a to libssh.a to ensure that the
    correct static library is installed in the libssh-gcrypt-dev package

 -- Laurent Bigonville <bigon@debian.org>  Sun, 15 Dec 2019 19:18:53 +0100

libssh (0.9.3-1) unstable; urgency=medium

  [ Laurent Bigonville ]
  * New upstream release
    - Fix an unsanitized location in scp that could lead to unwanted command
      execution (Closes: #946548 CVE-2019-14889)
    - d/p/1003-custom-lib-names.patch: Refreshed
    - d/p/2003-disable-expand_tilde_unix-test.patch: Refreshed
    - debian/rules: Fix the parameter name used to build the static library
    - debian/patches/install_static_lib.patch: Install the static library again
  * debian/control: Bump Standards-Version to 4.4.1 (no further changes)
  * Bump debhelper compatibility to 12

  [ Sebastien Bacher ]
  * debian/tests/libssh-server:
    - Use the correct compiler for proposed autopkgtest cross-testing
      support. (Closes: #946536)

 -- Laurent Bigonville <bigon@debian.org>  Sun, 15 Dec 2019 12:46:20 +0100

libssh (0.9.0-1) unstable; urgency=medium

  * New upstream release
    - debian/*.symbols: Add newly exported symbols
  * debian/control: Bump Standards-Version to 4.4.0 (no further changes)

 -- Laurent Bigonville <bigon@debian.org>  Thu, 11 Jul 2019 12:35:29 +0200

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libssh-4`.