[ubuntu/focal-proposed] libssh 0.9.0-1ubuntu5 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Wed Dec 11 15:00:13 UTC 2019


libssh (0.9.0-1ubuntu5) focal; urgency=medium

  * SECURITY UPDATE: unsanitized location in scp could lead to unwanted
    command execution
    - debian/patches/CVE-2019-14889-1.patch: add tests for SCP client in
      tests/client/CMakeLists.txt, tests/client/torture_scp.c.
    - debian/patches/CVE-2019-14889-2.patch: reformat code in scp/scp.c.
    - debian/patches/CVE-2019-14889-3.patch: log SCP warnings received from
      the server in src/scp.c.
    - debian/patches/CVE-2019-14889-4.patch: add function to quote file
      names in include/libssh/misc.h, src/misc.c.
    - debian/patches/CVE-2019-14889-5.patch: add unit tests for
      ssh_quote_file_name() in tests/unittests/torture_misc.c.
    - debian/patches/CVE-2019-14889-6.patch: don't allow file path longer
      than 32kb in src/scp.c.
    - debian/patches/CVE-2019-14889-7.patch: quote location to be used on
      shell in src/scp.c.
    - CVE-2019-14889

Date: Wed, 11 Dec 2019 09:48:38 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/libssh/0.9.0-1ubuntu5
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Dec 2019 09:48:38 -0500
Source: libssh
Architecture: source
Version: 0.9.0-1ubuntu5
Distribution: focal
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 libssh (0.9.0-1ubuntu5) focal; urgency=medium
 .
   * SECURITY UPDATE: unsanitized location in scp could lead to unwanted
     command execution
     - debian/patches/CVE-2019-14889-1.patch: add tests for SCP client in
       tests/client/CMakeLists.txt, tests/client/torture_scp.c.
     - debian/patches/CVE-2019-14889-2.patch: reformat code in scp/scp.c.
     - debian/patches/CVE-2019-14889-3.patch: log SCP warnings received from
       the server in src/scp.c.
     - debian/patches/CVE-2019-14889-4.patch: add function to quote file
       names in include/libssh/misc.h, src/misc.c.
     - debian/patches/CVE-2019-14889-5.patch: add unit tests for
       ssh_quote_file_name() in tests/unittests/torture_misc.c.
     - debian/patches/CVE-2019-14889-6.patch: don't allow file path longer
       than 32kb in src/scp.c.
     - debian/patches/CVE-2019-14889-7.patch: quote location to be used on
       shell in src/scp.c.
     - CVE-2019-14889
Checksums-Sha1:
 88898b6eb17a83a8900eabf58d2a4cbcce87f72d 2530 libssh_0.9.0-1ubuntu5.dsc
 2f167aa97bf3ffd2486e8fce7c3479407b411bb5 37924 libssh_0.9.0-1ubuntu5.debian.tar.xz
 c6c60b81d7a7ce036728331d91c5ebdf76704f34 8043 libssh_0.9.0-1ubuntu5_source.buildinfo
Checksums-Sha256:
 f1dfe8beea41c82c3f7aab10fad0074a5b2b503f88ee3a1159c6c96417fbf79b 2530 libssh_0.9.0-1ubuntu5.dsc
 9f95e62446289df0f47370b5e00e6784fde17c476b6aa439b553494c1adc0210 37924 libssh_0.9.0-1ubuntu5.debian.tar.xz
 6a2bece41c9a9dd454f1caa22fa2ebcfa9e49b465696c90cfd689858aca33874 8043 libssh_0.9.0-1ubuntu5_source.buildinfo
Files:
 9d68c290018a24164ef7566f64a4cab7 2530 libs optional libssh_0.9.0-1ubuntu5.dsc
 8c742d19162a17e80a12ddfa61872071 37924 libs optional libssh_0.9.0-1ubuntu5.debian.tar.xz
 ddf11fa2167a06bac8bb4689b9924bb3 8043 libs optional libssh_0.9.0-1ubuntu5_source.buildinfo
Original-Maintainer: Laurent Bigonville <bigon at debian.org>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

