libgit2 (0.27.7+dfsg.1-0.2+deb10u1) buster-security; urgency=medium

  Previous versions of libgit2's ssh backend did by default NOT perform
  certificate checking if the caller did not explicitly provide a
  certificate check callback, and so may be subjected to a
  man-in-the-middle attack. (CVE-2023-22742)

  libgit2 will also check server keys against ~/.ssh/known_hosts, but
  due to a limitation of Debian 10's libssh2, validation can only succeed
  if the host key algorithm used was ssh-dss or ssh-rsa. Otherwise
  libgit2 will report the error "invalid or unknown remote ssh hostkey".

  In this case, remove the known_hosts entry for this server and configure
  the ssh client to limit the HostKeyAlgorithms to supported types by adding

    Host <IP or hostname of the git server>
       HostKeyAlgorithms ssh-dss,ssh-rsa

  to ~/.ssh/config for the specific server and re-add the known_hosts
  entry, e.g. by manually connecting to it.

 -- Tobias Frost <tobi@debian.org>  Thu, 23 Feb 2023 21:01:45 +0100
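The following is an added example, not part of the Debian package or of the NEWS entry above. It checks a known_hosts file for the git server's entry, reports whether the recorded key type is one Debian 10's libssh2 can validate (ssh-rsa or ssh-dss), and prints the ~/.ssh/config stanza from the entry above when it is not. The known_hosts content and key strings are constructed for the demonstration; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: pre-check the known_hosts entry of a git server before
# using libgit2 on Debian 10 (buster), where only ssh-rsa/ssh-dss host
# keys can be validated by libssh2.

# Constructed sample known_hosts content (keys are not real).
sample_known_hosts() {
    cat <<'EOF'
# example file, constructed for this demo
git.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL
legacy.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEKEYNOTREAL
@cert-authority *.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLECA
EOF
}

# hostkey_status HOST FILE
# Exit status: 0 = HOST has an ssh-rsa or ssh-dss entry (libssh2 on buster
# can validate it), 1 = HOST only has entries of other key types,
# 2 = HOST has no entry at all.
# Hashed entries (HashKnownHosts yes) and [host]:port forms are skipped.
hostkey_status() {
    host="$1"; file="$2"
    found=0; supported=0
    while read -r names keytype rest; do
        # skip blank lines, comments and hashed hostnames
        case "$names" in
            ''|'#'*|'|1|'*) continue ;;
        esac
        # "@cert-authority"/"@revoked" markers shift the fields by one
        case "$names" in
            @*) names="$keytype"; keytype="${rest%% *}" ;;
        esac
        # the first field may list several names separated by commas
        case ",$names," in
            *",$host,"*)
                found=1
                case "$keytype" in
                    ssh-rsa|ssh-dss) supported=1 ;;
                esac
                ;;
        esac
    done < "$file"
    [ "$found" -eq 1 ] || return 2
    [ "$supported" -eq 1 ] || return 1
    return 0
}

# print_workaround HOST: the ~/.ssh/config stanza from the NEWS entry.
print_workaround() {
    printf 'Host %s\n   HostKeyAlgorithms ssh-dss,ssh-rsa\n' "$1"
}

# advise HOST FILE: human-readable verdict plus the steps from the entry.
advise() {
    rc=0
    hostkey_status "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "ok: $1 has an ssh-rsa/ssh-dss entry; libgit2 can validate it" ;;
        1) echo "warn: $1 only has key types libssh2 on buster cannot validate"
           echo "      remove it with: ssh-keygen -R '$1'"
           echo "      then add to ~/.ssh/config:"
           print_workaround "$1"
           echo "      and reconnect once (e.g. ssh -T git@$1) to re-add the entry" ;;
        2) echo "none: no known_hosts entry for $1; connect once to record one" ;;
    esac
    return "$rc"
}

# Demo run against the constructed sample; pass a real path as the second
# argument (e.g. "$HOME/.ssh/known_hosts") to check an actual file.
demo_file=$(mktemp)
sample_known_hosts > "$demo_file"
for h in legacy.example.org git.example.org unknown.example.org; do
    advise "$h" "$demo_file" || true
done
rm -f "$demo_file"
```

The check deliberately returns distinct exit codes so it can be used from a shell script or a CI job: a status of 1 is the case the NEWS entry describes, where libgit2 would fail with "invalid or unknown remote ssh hostkey" until the entry is replaced by an ssh-rsa or ssh-dss one.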
