Re: libssh security announcements


Hi Rolf,
Right now, all the advisories are based on the following template we have
in our security process. But other people might follow it differently at
times (or even the same people at different times):

https://www.libssh.org/development/security-process/

I agree that the version field is quite important so I would agree that
having this field in some fixed format would help. So the simplest thing I
can think of would be adjusting the template to help us make it more
predictable with something like:

== Versions:    libssh >= X.Y.Z;  < A.B.C

Regarding the JSON format, I am not much of a fan of that as it makes it harder
both to read and to write for humans. Is this CVE schema used by the
parties working with the CVEs? Would it make the creation and updating of the
advisories easier?

Most of the CVEs are straightforward, but some of the CVEs affect
either just the server or just the client, and some depend on the
cryptographic backend (OpenSSL, libgcrypt, mbedtls), which we figured out
is easiest to describe in words.

> Which brings me to libssh-2025-gex.txt in this directory[2][3]. Should I see
> this as an independent vulnerability description without a CVE id or is this part
> of any other issue?

This was something where we wanted to attribute the reporters, but there
was really no weakness. We were just not following the protocol strictly in
this specific case. We could justify a CVE for this so we ended up with
just a local advisory. Similarly, we have had some large audits and not all
of the findings got a CVE (I thought we were putting them in the
advisories list, but probably not, and they ended up just in the changelogs):

https://www.libssh.org/security/audit/

Best regards,
Jakub


On Tue, Sep 23, 2025 at 4:19 PM Rolf Eike Beer <eb@xxxxxxxxx> wrote:

> Hi all,
>
> I recently came across your collection of security announcements at
>
>   https://www.libssh.org/security/advisories/
>
> We look to get such information directly from the projects, as this is usually
> more accurate and often way faster than using the NVD data - which for example
> has not published any version information regarding CVE-2025-8277 yet, neither
> has cve.org regarding vanilla libssh versions.
>
> When looking through your list of advisories I noticed that this is a nice
> writeup for a human audience, but automated handling would be hard as e.g. the
> version information is not easily available either. The information is
> usually in the advisory, but the "Versions:" line has an inconsistent format,
> e.g. compare CVE-2025-5449[1] to the more recent issues. And the earlier
> issues sometimes don't even list the fix version in those lines at all.
>
> Would it be possible to come up with a version formatting that is consistent
> in all files and that is machine readable as well? Just in case you want to
> stretch this to the limit, there is also a completely machine (but less human)
> readable format for those entries, as documented at:
>
>   https://github.com/CVEProject/cve-schema
>
> Which brings me to libssh-2025-gex.txt in this directory[2][3]. Should I see
> this as an independent vulnerability description without a CVE id or is this part
> of any other issue?
>
> Thanks for your work.
>
> Regards,
>
> Eike
>
> 1) unrelated nitpick: "s/ on on / on /" for this one.
> 2) another nitpick: this is served without charset specification by your
> webserver, so the Umlauts in the reporter names are broken.
> 3) $VERSIONS appears in the text body, I suspect this should have been
> replaced with version numbers before publishing.
> --
> Rolf Eike Beer
>
> emlix GmbH
> Headquarters: Berliner Str. 12, 37073 Göttingen, Germany
> Phone +49 (0)551 30664-0, e-mail info@xxxxxxxxx
> District Court of Göttingen, Registry Number HR B 3160
> Managing Directors: Heike Jordan, Dr. Uwe Kracke
> VAT ID No. DE 205 198 055
> Office Berlin: Panoramastr. 1, 10178 Berlin, Germany
> Office Bonn: Bachstr. 6, 53115 Bonn, Germany
> http://www.emlix.com
>
> emlix - your embedded Linux partner
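The fixed "== Versions:" line Jakub proposes above is what a downstream consumer like Eike would parse. The following is an added example, not libssh's own code or template: it assumes the value after "libssh" is a list of `<op> X.Y.Z` clauses joined by ";", all of which must hold, and it fails loudly on anything else (such as the unreplaced `$VERSIONS` placeholder from footnote 3) rather than silently reporting "not affected".

```python
import re
from typing import List, Tuple

Version = Tuple[int, ...]

# Constructed advisory excerpt in the proposed template shape (not a real libssh advisory).
SAMPLE_ADVISORY = """\
== Summary: constructed example, not a real libssh advisory
== Versions:    libssh >= 0.10.0;  < 0.10.7
== Workaround: none (constructed text)
"""

# Operator alternatives are ordered so ">=" is tried before ">".
_CLAUSE_RE = re.compile(r"^(>=|<=|==|<|>)\s*(\d+(?:\.\d+)*)$")
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def parse_version(text: str) -> Version:
    """'0.10.6' -> (0, 10, 6). Integer tuples order correctly ("0.9.6" < "0.10.0"),
    whereas plain string comparison would get that wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_versions_line(line: str) -> List[Tuple[str, Version]]:
    """Turn '== Versions: libssh >= X.Y.Z; < A.B.C' into [(op, version), ...].
    Any deviation from the assumed grammar raises ValueError."""
    m = re.match(r"^==\s*Versions:\s*libssh\s+(.+?)\s*$", line)
    if not m:
        raise ValueError(f"not a Versions line: {line!r}")
    clauses = []
    for raw in m.group(1).split(";"):
        cm = _CLAUSE_RE.match(raw.strip())
        if not cm:  # e.g. a leftover "$VERSIONS" placeholder
            raise ValueError(f"bad version clause: {raw!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return clauses


def is_affected(installed: str, clauses: List[Tuple[str, Version]]) -> bool:
    """True when the installed version satisfies every clause (a conjunction)."""
    v = parse_version(installed)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def affected_by_advisory(installed: str, advisory_text: str) -> bool:
    """Locate the Versions line in an advisory and evaluate it for one install."""
    for line in advisory_text.splitlines():
        if line.startswith("== Versions:"):
            return is_affected(installed, parse_versions_line(line))
    raise ValueError("advisory has no '== Versions:' line")
```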
