Merge openssh from Debian unstable for l-series

Bug #1993427 reported by Bryce Harrington
Affects: openssh (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Scheduled-For: ubuntu-later
Upstream: tbd
Debian: 1:9.0p1-1
Ubuntu: 1:9.0p1-1ubuntu7

### New Debian Changes ###

openssh (1:9.0p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/releasenotes.html#9.0p1):
    - scp(1): Use the SFTP protocol by default (closes: #144579, #204546,
      #327019). This changes scp's quoting semantics by no longer performing
      wildcard expansion using the remote shell, and (with some server
      versions) no longer expanding ~user paths. The -O option is available
      to use the old protocol. See NEWS.Debian for more details.
    - ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
      exchange method by default ('<email address hidden>').
      The NTRU algorithm is believed to resist attacks enabled by future
      quantum computers and is paired with the X25519 ECDH key exchange (the
      previous default) as a backstop against any weaknesses in NTRU Prime
      that may be discovered in the future. The combination ensures that the
      hybrid exchange offers at least as good security as the status quo.
    - sftp-server(8): support the 'copy-data' extension to allow server-
      side copying of files/data, following the design in
      draft-ietf-secsh-filexfer-extensions-00.
    - sftp(1): add a 'cp' command to allow the sftp client to perform
      server-side file copies.
    - ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output fd
      closes without data in the channel buffer (closes: #1007822).
    - sshd(8): pack pollfd array in server listen/accept loop. Could cause
      the server to hang/spin when MaxStartups > RLIMIT_NOFILE.
    - ssh-keygen(1): avoid NULL deref via the find-principals and
      check-novalidate operations. bz3409 and GHPR307 respectively.
    - scp(1): fix a memory leak in argument processing.
    - sshd(8): don't try to resolve ListenAddress directives in the sshd
      re-exec path. They are unused after re-exec and parsing errors
      (possible for example if the host's network configuration changed)
      could prevent connections from being accepted.
    - sshd(8): when refusing a public key authentication request from a
      client for using an unapproved or unsupported signature algorithm
      include the algorithm name in the log message to make debugging
      easier.
    - ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
      parsing of K/M/G/etc quantities.
    - sshd(8): default to not using sandbox when cross compiling. On most
      systems poll(2) does not work when the number of FDs is reduced with
      setrlimit, so assume it doesn't when cross compiling and we can't run
      the test.
  * Remove obsolete FAQ, removed from openssh.com in 2016.

 -- Colin Watson <email address hidden> Sat, 09 Apr 2022 14:14:10 +0100

openssh (1:8.9p1-3) unstable; urgency=medium

  * Allow ppoll_time64 in seccomp filter (closes: #1006445).

 -- Colin Watson <email address hidden> Fri, 25 Feb 2022 23:30:49 +0000

openssh (1:8.9p1-2) unstable; urgency=medium

  * Improve detection of -fzero-call-used-regs=all support.

 -- Colin Watson <email address hidden> Thu, 24 Feb 2022 16:09:56 +0000

openssh (1:8.9p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/releasenotes.html#8.9p1):
    - sshd(8): fix an integer overflow in the user authentication path that,
      in conjunction with other logic errors, could have yielded
      unauthenticated access under difficult to exploit conditions.
    - sshd(8), portable OpenSSH only: this release removes in-built support
      for MD5-hashed passwords.
    - ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
      restricting forwarding and use of keys added to ssh-agent(1).
    - ssh(1), sshd(8): add the <email address hidden> hybrid
      ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default
      KEXAlgorithms list (after the ECDH methods but before the prime-group
      DH ones). The next release of OpenSSH is likely to make this key
      exchange the default method.
    - ssh-keygen(1): when downloading resident keys from a FIDO token, pass
      back the user ID that was used when the key was created and append it
      to the filename the key is written to (if it is not the default).
      Avoids keys being clobbered if the user created multiple resident keys
      with the same application string but different user IDs.
    - ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on
      tokens that provide user verification (UV) on the device itself,
      including biometric keys, avoiding unnecessary PIN prompts.
    - ssh-keygen(1): add 'ssh-keygen -Y match-principals' operation to
      perform matching of principal names against an allowed signers file.
      To be used towards a TOFU model for SSH signatures in git.
    - ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to
      ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
      authentication time.
    - ssh-keygen(1): allow selection of hash at sshsig signing time (either
      sha512 (default) or sha256).
    - ssh(1), sshd(8): read network data directly to the packet input buffer
      instead of indirectly via a small stack buffer. Provides a modest
      performance improvement.
    - ssh(1), sshd(8): read data directly to the channel input buffer,
      providing a similar modest performance improvement.
    - ssh(1): extend the PubkeyAuthentication configuration directive to
      accept yes|no|unbound|host-bound to allow control over one of the
      protocol extensions used to implement agent-restricted keys.
    - sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
      PubkeyAuthOptions can be used in a Match block.
    - sshd(8): fix possible string truncation when constructing paths to
      .rhosts/.shosts files with very long user home directory names.

### Old Ubuntu Delta ###

openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium

  * Update list of stock sshd_config checksums to include those from
    jammy and kinetic.
  * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
    avoid spurious ucf prompts on upgrade.
  * Move /run/sshd creation out of the systemd unit to a tmpfile config
    so that sshd can be run manually if necessary without having to create
    this directory by hand. LP: #1991283.

  [ Nick Rosbrook ]
  * debian/openssh-server.postinst: Fix addresses.conf generation when only
    non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).

 -- Steve Langasek <email address hidden> Mon, 26 Sep 2022 21:55:14 +0000

openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium

  * Fix syntax error in postinst :/

 -- Steve Langasek <email address hidden> Fri, 23 Sep 2022 19:51:32 +0000

openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium

  * Correctly handle the case of new installs, and correctly apply systemd
    unit overrides on upgrade from existing kinetic systems.

 -- Steve Langasek <email address hidden> Fri, 23 Sep 2022 19:45:18 +0000

openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium

  * Don't migrate users to socket activation if multiple ListenAddresses
    might make sshd unreliable on boot.
  * Fix regexp bug that prevented proper migration of IPv6 address settings.

 -- Steve Langasek <email address hidden> Fri, 23 Sep 2022 19:35:37 +0000

openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium

  * Document in the default sshd_config file the changes in behavior
    triggered by use of socket-based activation.

 -- Steve Langasek <email address hidden> Fri, 26 Aug 2022 00:40:11 +0000

openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium

  * Fix manpage to not claim socket-based activation is the default on
    Debian!

 -- Steve Langasek <email address hidden> Fri, 26 Aug 2022 00:21:42 +0000

openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium

  * debian/patches/systemd-socket-activation.patch: support systemd
    socket activation.
  * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
    activation by default.
  * debian/rules: rejigger dh_installsystemd invocations so ssh.service and
    ssh.socket don't fight.
  * debian/openssh-server.postinst: handle migration of sshd_config options
    to systemd socket options on upgrade.
  * debian/README.Debian: document systemd socket activation.
  * debian/patches/socket-activation-documentation.patch: Document in
    sshd_config(5) that ListenAddress and Port no longer work.
  * debian/openssh-server.templates, debian/openssh-server.postinst: include
    debconf warning about possible service failure with multiple
    ListenAddress settings.

 -- Steve Langasek <email address hidden> Fri, 19 Aug 2022 20:43:16 +0000
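As an added illustration of the sshd_config to ssh.socket migration that the 1:9.0p1-1ubuntu1 through -1ubuntu7 entries above describe (example code written here, not the openssh-server postinst), the functions below collect the global Port and ListenAddress directives, map them to systemd ListenStream= values, decline to migrate when more than one ListenAddress is set, and render a drop-in of the kind the changelog calls addresses.conf. The sample sshd_config is constructed, and the drop-in path (ssh.socket.d/) is an assumption.

```python
import re

# Constructed sample sshd_config (not from the page): one non-default Port and
# one ListenAddress; the commented-out directive and the Match block are ignored.
SAMPLE_CONFIG = """\
# ListenAddress 0.0.0.0
Port 2222
ListenAddress 192.0.2.10   # management interface
Match User backup
    PasswordAuthentication no
"""

def parse_listen_directives(text):
    """Collect global Port and ListenAddress values; stop at the first Match."""
    ports, addrs = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # strip comments, split key/value
        if not parts:
            continue
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                          # Port/ListenAddress are not valid inside Match
        if key == "port":
            ports.append(int(val))
        elif key == "listenaddress":
            addrs.append(val.split()[0])   # drop an optional trailing 'rdomain X'
    return ports, addrs

def to_listen_streams(ports, addrs):
    """Map sshd listen settings to systemd ListenStream= values, or None when
    more than one ListenAddress is set (the changelog leaves such hosts unmigrated)."""
    ports = ports or [22]                  # sshd's default port
    if len(addrs) > 1:
        return None
    if not addrs:
        return [str(p) for p in ports]     # wildcard bind: port only
    addr = addrs[0]
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", addr)        # [ipv6]:port or [ipv6]
    if m:
        host, port, fmt = m.group(1), m.group(2), "[{}]:{}"
    elif addr.count(":") > 1:                                  # bare IPv6, no port
        host, port, fmt = addr, None, "[{}]:{}"
    else:                                                      # ipv4-or-host[:port]
        host, _, port = addr.partition(":")
        fmt = "{}:{}"
    return [fmt.format(host, port)] if port else [fmt.format(host, p) for p in ports]

def render_dropin(streams):
    """Drop-in text (assumed path: ssh.socket.d/addresses.conf); the empty
    ListenStream= clears the default port 22 from ssh.socket before adding ours."""
    return "[Socket]\nListenStream=\n" + "".join(f"ListenStream={s}\n" for s in streams)
```

When `to_listen_streams` returns None the caller should leave the host on plain ssh.service, which is the behaviour the -1ubuntu4 entry describes for multiple ListenAddress settings.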

Bryce Harrington (bryce)
Changed in openssh (Ubuntu):
status: New → Incomplete
Bryce Harrington (bryce) wrote :

There is a 9.1 release available for merge now

 openssh | 1:9.0p1-1ubuntu7 | kinetic
 openssh | 1:9.0p1-1ubuntu7 | lunar
 openssh | 1:9.0p1-1ubuntu7.1 | kinetic-updates
 openssh | 1:9.0p1-1ubuntu8 | lunar-proposed

openssh | 1:9.1p1-1 | unstable
openssh | 1:9.1p1-1 | unstable-debug

Changed in openssh (Ubuntu):
status: Incomplete → New
Steve Langasek (vorlon)
Changed in openssh (Ubuntu):
status: New → Invalid