From: Andreas Tille
Newsgroups: linux.debian.bugs.dist,linux.debian.maint.java
Subject: Bug#1059294: trilead-ssh2: CVE-2023-48795
Date: Tue, 18 Feb 2025 17:30:01 +0100

Hi,

since trilead-ssh2 came up as a candidate for the Bug of the Day[1], I realised the watch file was outdated and pointed it to GitHub where a long series of newer releases was tagged. Unfortunately the version string is a bit unfortunate and we might need an epoch most probably. I found some workaround without this for the moment but I'd recommend to find a better solution.

Upstream does *not* mention CVE-2023-48795 inside the code and the Git log. However, the log mentions CVE-2021-22569 - so it's probably worth uploading the latest version anyway and ping upstream about CVE-2023-48795.

Unfortunately it's not that simple to build the new upstream version. As you can see in Salsa CI[2] it seems we need two new Build-Depends. Thus for the moment I simply updated the metadata of the package and hope someone else will catch up from here.

Kind regards
    Andreas.

[1] https://salsa.debian.org/tille/tiny_qa_tools/-/wikis/Tiny-QA-tasks#bug-of-the-day
[2] https://salsa.debian.org/java-team/trilead-ssh2/-/jobs/7114202#L1665

--
https://fam-tille.de