Debian Long Term Support work 2021 December


Work done this month:
  • Worked on libssh2
      • The patch from jessie solving CVE-2019-17498 applies cleanly but it does not build. The reason is that it is using functions introduced by other patches from the jessie version.
        • additional-bounds-checks-in-diffie_hellman_sha1.patch introduces libssh2_get_string
        • CVE-2019-3859-3+CVE-2019-13115.patch introduces libssh2_get_u32
      • A problem here is that CVE-2019-3859 was solved in a different way for stretch, but this can probably be solved by extracting those new functions from the patches above and introduce that as a separate fix.
      • Anton took over from here after me reporting the status and how far I had analyzed it.