-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 Jul 2019 23:52:01 +0200
Source: libssh2
Binary: libssh2-1 libssh2-1-dev libssh2-1-dbg
Architecture: source amd64
Version: 1.4.3-4.1+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Mikhail Gusarov <dottedmag@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 libssh2-1 - SSH2 client-side library
 libssh2-1-dbg - SSH2 client-side library (debug package)
 libssh2-1-dev - SSH2 client-side library (development headers)
Changes:
 libssh2 (1.4.3-4.1+deb8u4) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-3859:
     - CVE-2019-3859 (+ CVE-2019-13115): Correctly check key_state data
       length in kex_method_diffie_hellman_group_exchange_sha1_key_exchange()
       in kex.c. Avoid various signedness flaws introduced by the initial
       fix(es) around CVE-2019-3859 (regression CVE registered as
       CVE-2019-13115).
     - Add CVE-2019-3859-4_channel-c.patch and
       CVE-2019-3859-5_userauth-c.patch. Derived by manually comparing
       upstream security fix commit
       dc109a7f518757741590bb993c0c8412928ccec2 against what we had in
       Debian jessie LTS's versions of libssh2, so far.
     - This completes a series of fixes unfortunately only partially
       provided in earlier security uploads of libssh2 to Debian jessie
       LTS. Due to non-optimal CVE documentation and the manifold of
       upstream security changes before libssh2 1.9, it hasn't been easy
       to identify all necessary changes to fix the recent CVEs
       (2019-3855 - 2019-3863). Furthermore, for a non-upstream dev it
       has not been easy either to identify which upstream fix was for
       which CVE.
   * Add additional-bounds-checks-in-diffie_hellman_sha1.patch. Additional
     bound checks in diffie_hellman_sha1.
Checksums-Sha1:
 8d641aeee99e8b794f55e1687cb66e3f7e35911e 1928 libssh2_1.4.3-4.1+deb8u4.dsc
 b99bd9b745257afff48c4d57ffffffd6a84be817 20156 libssh2_1.4.3-4.1+deb8u4.debian.tar.xz
 de3d5ec45b0e3d3e84d4b4f1471715c053bd4b30 128178 libssh2-1_1.4.3-4.1+deb8u4_amd64.deb
 0dea0a00985e1b34de5b3a959d5921616b01f7e5 292814 libssh2-1-dev_1.4.3-4.1+deb8u4_amd64.deb
 88b785b3b63ea72d5aa8f84076064a71ef11cb4f 234494 libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb
Checksums-Sha256:
 d1a376b374716428beacaea56183aa5e266dcb62541b4b92017315eecf379478 1928 libssh2_1.4.3-4.1+deb8u4.dsc
 e56f275f519e4dd268684c9b64954913858768c1aeed490dd201638ef1e57c42 20156 libssh2_1.4.3-4.1+deb8u4.debian.tar.xz
 cf343318fb491b04efc7fc02e545c477c03a5ae524fd117e150736db394ad46b 128178 libssh2-1_1.4.3-4.1+deb8u4_amd64.deb
 820e93fd3f120ad794be81626482e2cc531c3d80aaeb75dfb0d95d0c70dd17e1 292814 libssh2-1-dev_1.4.3-4.1+deb8u4_amd64.deb
 10a77e1c552a65089aef2f5648bd1c167681b51390629e670896483d59b973c4 234494 libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb
Files:
 95886648f8f3bb10dffaee8697e2a596 1928 libs optional libssh2_1.4.3-4.1+deb8u4.dsc
 3e640ffb7928640320fccaab24869715 20156 libs optional libssh2_1.4.3-4.1+deb8u4.debian.tar.xz
 188105456864a29804481c65a97a0ca1 128178 libs optional libssh2-1_1.4.3-4.1+deb8u4_amd64.deb
 dd779d89c0c7bf03b219c58ec4e7b321 292814 libdevel optional libssh2-1-dev_1.4.3-4.1+deb8u4_amd64.deb
 3c9c2c9c9d0088fe9a482fbe83b4be3e 234494 debug extra libssh2-1-dbg_1.4.3-4.1+deb8u4_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl058/sVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxyIQQAJHYrpCejc0FxeFLAKqG9wq8M2hw
2pFhG7OzTDXNHPsInOkJe1usgwoEuylI1dDwGcLIRK+T2UseWGwuEay1Nng4kMdW
xX5wP3VFt5AVgVgmOshZXJ0VK1lFdgMoyeJrUwiwS3a0QLUsabb/NosbT1yKS2de
N/jE3f7uc5qDjUmjvrlSBfAEDz9U3/S5B80F0T0SE472oApgdV37ft+wH8sTajDf
+XP9uQdxmkcwmyzjelKzsY3sAVt5v56R448ZAc+StdBsauogyMfvRTXiTKR2OMIJ
Jh4KnjvympgeA3QezRnN9GQ/z3dcPj1YV1LlB97V019uU6GUN1U1FSnDJTHVyRLH
2kqpZXgRXncYbBvROqUAUQkgwEcZb1pJ9jajPV5g3qzu5yP6TkoI1a0fxVAByJLp
bHSk9/r54rH56sHZelrsUHietkcKRV49bq/GPyQrwFcj1drO40LtvOwOFfQnqUNP
7LnAavCyXpSWBbyAU9tJKQSMHH8jvxG2dP5FvwH6bXLYEas1MoXZtruXfROmtX1V
JhY8wtXa3iKVbtuJFhVpWVYz+OimEn4AEDxB6DuviCkaySbtqX6fobsadJb1Z9ev
pCUx4oHixqtndcNZc1dKyfKh1Q5QecQ5pNSdv/FuPsZvj/T4cDa1maVOHNzfCwjj
RiwTc6XvfTL98nmw
=F2cE
-----END PGP SIGNATURE-----
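The Checksums-Sha256 and Files fields of a .changes file are what bind the uploaded .dsc, .debian.tar.xz and .deb artifacts to the signed stanza. The following is an added example, written for this page and not part of Debian's tooling (dscverify, dak) or of libssh2: it parses the multi-line deb822 fields of a .changes cleartext, then checks each listed file's size and SHA-256 digest on disk. All sample package contents, filenames and the placeholder signature armor in demo() are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# A deb822 field line is "Name: value"; continuation lines start with whitespace.
FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_changes_fields(text):
    """Split .changes cleartext into {field: [lines]}.

    PGP armor lines ("-----BEGIN ...", base64, "=F2cE") contain no colon and
    are skipped; the "Hash: SHA256" armor header parses as a harmless field.
    A blank line ends the current field, as it ends a deb822 stanza.
    """
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is not None:
                fields[current].append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2)] if m.group(2) else []
        else:
            current = None
    return fields


def parse_checksums(lines):
    """Turn a Checksums-* (or Files:) body into {filename: (hexdigest, size)}.

    Checksums-* entries are "<digest> <size> <name>"; Files: entries add
    section and priority before the name, so the name is always the last token.
    """
    out = {}
    for entry in lines:
        parts = entry.split()
        if len(parts) < 3:
            continue
        out[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return out


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(text, directory):
    """Check every file under Checksums-Sha256 against `directory`.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "sha256-mismatch"}.
    Size is compared first: it is free and catches truncated downloads.
    """
    expected = parse_checksums(parse_changes_fields(text).get("Checksums-Sha256", []))
    if not expected:
        raise ValueError("no Checksums-Sha256 field found")
    results = {}
    for name, (digest, size) in expected.items():
        # basename() refuses a crafted "../" filename smuggled into the field.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed run (not Debian data): write two fake package files, emit a
    .changes listing their real digests, verify, then flip one byte in a file
    without changing its size, then delete the other file."""
    with tempfile.TemporaryDirectory() as d:
        payloads = {  # constructed payloads, not real .deb archives
            "example_1.0-1_amd64.deb": b"constructed package payload A\n",
            "example-dev_1.0-1_amd64.deb": b"constructed package payload B\n",
        }
        entries = []
        for name, data in payloads.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
            entries.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
        changes = (
            "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Format: 1.8\nSource: example\nChecksums-Sha256:\n"
            + "\n".join(entries) + "\n"
            "-----BEGIN PGP SIGNATURE-----\n\nbm90IGEgcmVhbCBzaWduYXR1cmU=\n=AAAA\n"
            "-----END PGP SIGNATURE-----\n"  # placeholder armor, not a real signature
        )
        clean = verify_changes(changes, d)
        with open(os.path.join(d, "example_1.0-1_amd64.deb"), "r+b") as f:
            f.write(b"C")  # overwrite the first byte: same size, different hash
        tampered = verify_changes(changes, d)
        os.remove(os.path.join(d, "example-dev_1.0-1_amd64.deb"))
        gone = verify_changes(changes, d)
    return clean, tampered, gone


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "missing"), demo()):
        print(label, result)
```

The digests only mean something once the signature over the cleartext has been verified against the uploader's key in the Debian keyring (gpg --verify, or dscverify from devscripts, which also checks the checksums); this example deliberately does not verify the signature, so on its own it detects corruption and tampering with the files, not tampering with the .changes file itself.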