Hello Salvatore,

Salvatore Bonaccorso [2023-12-19 22:34 +0100]:
> The following vulnerability was published for libssh.
>
> CVE-2023-6004[0]:
> | ProxyCommand/ProxyJump features allow injection of malicious code
> | through hostname

I uploaded the new upstream security fix release 0.10.6 to unstable. It can
have a round of autopkgtest regression tests now.

I checked the non-CVE commits between 0.10.5 (in current stable) and 0.10.6:
https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
and IMHO they are all harmless/useful/targeted enough to be suitable for
stable-security. We did that in the last round as well [1].

However, the fix for CVE-2023-6004 caused a regression:
https://gitlab.com/libssh/libssh-mirror/-/issues/227
I will monitor this, and include the fix in the security upload once it is
available (or presumably they'll do a 0.10.7). So if it's alright with you,
I'll delay the stable-security update for a few days.

Thanks,

Martin

[1] https://tracker.debian.org/news/1431896/accepted-libssh-097-0deb11u1-source-into-stable-security/

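The CVE quoted above concerns a hostname being substituted into a ProxyCommand template that is later handed to a shell. The following Python snippet is an added illustration of that failure mode and of the kind of syntax check that closes it; it is not code from this mail, from Debian, or from libssh, and the template string, the helper names, and the sample hostnames are constructed for the example.

```python
import ipaddress
import re

# Constructed ProxyCommand template using the %h/%p tokens that OpenSSH-style
# clients expand before running the command through a shell.
PROXY_TEMPLATE = "ssh -W %h:%p jumphost"

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen (RFC 1035 style).  This is an illustrative rule written for
# this example, not libssh's own validator.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_is_safe(host: str) -> bool:
    """Accept literal IPv4/IPv6 addresses or dot-separated DNS labels only.

    Anything else (shell metacharacters, spaces, a leading '-' that a
    downstream program could read as an option) is rejected.
    """
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)  # plain IP literal, no zone id or brackets
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def expand_proxy_command(template: str, host: str, port: int,
                         validate: bool = True) -> str:
    """Expand %h and %p; with validate=True an unsafe hostname is refused.

    The returned string is what would be passed to `sh -c`; it is not
    executed here.
    """
    if validate and not hostname_is_safe(host):
        raise ValueError(f"refusing unsafe hostname: {host!r}")
    return template.replace("%h", host).replace("%p", str(port))


if __name__ == "__main__":
    print(expand_proxy_command(PROXY_TEMPLATE, "host.example", 22))
    # Without the check, a hostname such as "$(id)" lands verbatim in the
    # shell command line and the substitution runs when the shell parses it.
    print(expand_proxy_command(PROXY_TEMPLATE, "$(id)", 22, validate=False))
    try:
        expand_proxy_command(PROXY_TEMPLATE, "$(id)", 22)
    except ValueError as exc:
        print(exc)
```

The point the check makes is that a hostname is data, not command syntax: it should be validated against what a hostname may contain before it is interpolated, rather than quoted after the fact, because the interpolated string may reach a shell, a program that parses options, or both.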