Ubuntu
libssh2 package

Fix CVE-2019-13115

  1. Focal (20.04)
  2. Bug #1968334
Bug #1968334 reported by Giovanni Vecchi
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libssh2 (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
New
Undecided
Unassigned
Focal
New
Undecided
Unassigned

Bug Description

As per CVE-2019-13115 (https://ubuntu.com/security/CVE-2019-13115) and GitHub security protocol improvement (https://github.blog/2021-09-01-improving-git-protocol-security-github/), libssh2 should be upgraded at least to 1.9.0: when it will be done at least for LTS versions?

Revision history for this message
Alex Murray (alexmurray) wrote :

As per https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions in Ubuntu we do not generally upgrade software package versions to fix security vulnerabilityies - instead we backport patches to fix the issue directly on the existing version of the package in the respective Ubuntu release. So libssh2 will not be upgraded to fix this CVE.

Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Revision history for this message
Giovanni Vecchi (g.vecchi) wrote : Re: libssh2 upgrade

Dear Alex,

thanks for your confirmation, but I'm not able to coordinate a bug fix.
How to ask for a backport in order to take advantage of new features and be able to connect to github throught libgit2 and other Git clients?

Thanks

Revision history for this message
Alex Murray (alexmurray) wrote :

To request a backport you could try https://wiki.ubuntu.com/UbuntuBackports

Seth Arnold (seth-arnold)
information type: Private Security → Public Security
Revision history for this message
Giovanni Vecchi (g.vecchi) wrote :

I'm unable to maintain a backported package: I will wait for 22.04 release.
This bug can be archived.
Thanks

Simon Chopin (schopin)
summary: - libssh2 upgrade
+ Fix CVE-2019-13115 in Focal
Changed in libssh2 (Ubuntu):
status: New → Triaged
status: Triaged → Confirmed
William Wilson (jawn-smith)
tags: added: foundations-triage-discuss
Simon Chopin (schopin)
Changed in libssh2 (Ubuntu):
status: Confirmed → Fix Released
Benjamin Drung (bdrung)
summary: - Fix CVE-2019-13115 in Focal
+ Fix CVE-2019-13115
Simon Chopin (schopin)
tags: removed: foundations-triage-discuss
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.