Change log for openssh package in Debian

Superseded in jessie-release
Superseded in sid-release
openssh (1:6.5p1-6) unstable; urgency=medium


  * Fix Breaks/Replaces versions of openssh-sftp-server on openssh-server
    (thanks, Axel Beckert).

 -- Colin Watson <email address hidden>  Thu, 06 Mar 2014 16:18:44 +0000


Superseded in sid-release
openssh (1:6.5p1-5) unstable; urgency=medium


  [ Colin Watson ]
  * Add Alias=sshd.service to systemd ssh.service file, to match "Provides:
    sshd" in the sysvinit script (thanks, Michael Biebl).
  * Add Before=ssh.service to systemd ssh.socket file, since otherwise
    nothing guarantees that ssh.service has stopped before ssh.socket starts
    (thanks, Uoti Urpala).

  [ Axel Beckert ]
  * Split sftp-server into its own package to allow it to also be used by
    other SSH server implementations like dropbear (closes: #504290).

 -- Colin Watson <email address hidden>  Wed, 05 Mar 2014 13:53:08 +0000
Superseded in jessie-release
Superseded in sid-release
openssh (1:6.5p1-4) unstable; urgency=medium


  * Configure --without-hardening on hppa, to work around
    http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60155 (closes: #738798).
  * Amend "Running sshd from inittab" instructions in README.Debian to
    recommend 'update-rc.d ssh disable', rather than manual removal of rc*.d
    symlinks that won't work with dependency-based sysv-rc.
  * Remove code related to non-dependency-based sysv-rc ordering, since that
    is no longer supported.
  * Apply patch from https://bugzilla.mindrot.org/show_bug.cgi?id=2200 to
    fix getsockname errors when using "ssh -W" (closes: #738693).

 -- Colin Watson <email address hidden>  Sat, 15 Feb 2014 02:19:36 +0000


Superseded in sid-release
openssh (1:6.5p1-3) unstable; urgency=medium


  * Clarify socket activation mode in README.Debian, as suggested by Uoti
    Urpala.
  * Stop claiming that "Protocol 2" is a Debian-specific default; this has
    been upstream's default since 5.4p1.
  * Avoid stdout noise from which(1) on purge of openssh-client.
  * Fix sysvinit->systemd transition code to cope with still-running
    sysvinit jobs being considered active by systemd (thanks, Uoti Urpala
    and Michael Biebl).
  * Bump guard version for sysvinit->systemd transition to 1:6.5p1-3; we may
    have got it wrong before, and it's fairly harmless to repeat it.
  * Remove tests for whether /dev/null is a character device from the
    Upstart job and the systemd service files; it's there to avoid a
    confusing failure mode in daemon(), but with modern init systems we use
    the -D option to suppress daemonisation anyway.
  * Refer to /usr/share/common-licenses/GPL-2 in debian/copyright (for the
    Debian patch) rather than plain GPL.
  * Drop some very old Conflicts and Replaces (ssh (<< 1:3.8.1p1-9),
    rsh-client (<< 0.16.1-1), ssh-krb5 (<< 1:4.3p2-7), ssh-nonfree (<< 2),
    and openssh-client (<< 1:3.8.1p1-11)).  These all relate to pre-etch
    versions, for which we no longer have maintainer script code, and per
    policy they would have to become Breaks nowadays anyway.
  * Policy version 3.9.5.
  * Drop unnecessary -1 in zlib1g Build-Depends version.
  * Tweak dh_systemd_enable invocations to avoid lots of error noise.

 -- Colin Watson <email address hidden>  Wed, 12 Feb 2014 13:10:08 +0000


Superseded in sid-release
openssh (1:6.5p1-2) unstable; urgency=medium


  * Only enable ssh.service for systemd, not both ssh.service and
    ssh.socket.  Thanks to Michael Biebl for spotting this.
  * Backport upstream patch to unbreak case-sensitive matching of ssh_config
    (closes: #738619).

 -- Colin Watson <email address hidden>  Tue, 11 Feb 2014 11:28:35 +0000


Superseded in sid-release
openssh (1:6.5p1-1) unstable; urgency=medium


  * New upstream release (http://www.openssh.com/txt/release-6.5,
    LP: #1275068):
    - ssh(1): Add support for client-side hostname canonicalisation using a
      set of DNS suffixes and rules in ssh_config(5).  This allows
      unqualified names to be canonicalised to fully-qualified domain names
      to eliminate ambiguity when looking up keys in known_hosts or checking
      host certificate names (closes: #115286).
  * Switch to git; adjust Vcs-* fields.
  * Convert to git-dpm, and drop source package documentation associated
    with the old bzr/quilt patch handling workflow.
  * Drop ssh-vulnkey and the associated ssh/ssh-add/sshd integration code,
    leaving only basic configuration file compatibility, since it has been
    nearly six years since the original vulnerability and this code is not
    likely to be of much value any more (closes: #481853, #570651).  See
    https://lists.debian.org/debian-devel/2013/09/msg00240.html for my full
    reasoning.
  * Add OpenPGP signature checking configuration to watch file (thanks,
    Daniel Kahn Gillmor; closes: #732441).
  * Add the pam_keyinit session module, to create a new session keyring on
    login (closes: #734816).
  * Incorporate default path changes from shadow 1:4.0.18.1-8, removing
    /usr/bin/X11 (closes: #644521).
  * Generate ED25519 host keys on fresh installations.  Upgraders who wish
    to add such host keys should manually add 'HostKey
    /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run
    'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
  * Drop long-obsolete "SSH now uses protocol 2 by default" section from
    README.Debian.
  * Add systemd support (thanks, Sven Joachim; closes: #676830).

 -- Colin Watson <email address hidden>  Mon, 10 Feb 2014 14:58:26 +0000


Superseded in jessie-release
Superseded in sid-release
openssh (1:6.4p1-2) unstable; urgency=high


  * Increase ServerKeyBits value in package-generated sshd_config to 1024
    (closes: #727622, LP: #1244272).
  * Restore patch to disable OpenSSL version check (closes: #732940).

 -- Colin Watson <email address hidden>  Mon, 23 Dec 2013 10:44:04 +0000


Superseded in sid-release
openssh (1:6.4p1-1.1) unstable; urgency=medium


  * Non-maintainer upload.
  * Adjust check for openssl version (Closes: #732940)

 -- Kurt Roeckx <email address hidden>  Mon, 23 Dec 2013 10:33:59 +0100
Superseded in jessie-release
Superseded in sid-release
openssh (1:6.4p1-1) unstable; urgency=high


  * New upstream release.  Important changes:
    - 6.3/6.3p1 (http://www.openssh.com/txt/release-6.3):
      + sftp(1): add support for resuming partial downloads using the
        "reget" command and on the sftp commandline or on the "get"
        commandline using the "-a" (append) option (closes: #158590).
      + ssh(1): add an "IgnoreUnknown" configuration option to selectively
        suppress errors arising from unknown configuration directives
        (closes: #436052).
      + sftp(1): update progressmeter when data is acknowledged, not when
        it's sent (partially addresses #708372).
      + ssh(1): do not fatally exit when attempting to cleanup multiplexing-
        created channels that are incompletely opened (closes: #651357).
    - 6.4/6.4p1 (http://www.openssh.com/txt/release-6.4):
      + CVE-2013-4548: sshd(8): fix a memory corruption problem triggered
        during rekeying when an AES-GCM cipher is selected (closes:
        #729029).  Full details of the vulnerability are available at:
        http://www.openssh.com/txt/gcmrekey.adv
  * When running under Upstart, only consider the daemon started once it is
    ready to accept connections (by raising SIGSTOP at that point and using
    "expect stop").

 -- Colin Watson <email address hidden>  Sat, 09 Nov 2013 18:24:16 +0000
Superseded in squeeze-release
openssh (1:5.5p1-6+squeeze4) stable; urgency=low


  * CVE-2011-5000: Fix potential int overflow when using gssapi-with-mac
    authentication.

 -- Colin Watson <email address hidden>  Sun, 03 Mar 2013 14:14:03 +0000
Superseded in jessie-release
Superseded in sid-release
openssh (1:6.2p2-6) unstable; urgency=low


  * Update config.guess and config.sub automatically at build time.
    dh_autoreconf does not take care of that by default because openssh does
    not use automake.

 -- Colin Watson <email address hidden>  Tue, 02 Jul 2013 22:54:49 +0100


Superseded in sid-release
openssh (1:6.2p2-5) unstable; urgency=low


  [ Colin Watson ]
  * Document consequences of ssh-agent being setgid in ssh-agent(1); see
    #711623.
  * Use 'set -e' rather than '#! /bin/sh -e' in maintainer scripts and
    ssh-argv0.

  [ Yolanda Robla ]
  * debian/rules: Include real distribution in SSH_EXTRAVERSION instead of
    hardcoding Debian (LP: #1195342).

 -- Colin Watson <email address hidden>  Thu, 27 Jun 2013 15:24:14 +0100


Superseded in jessie-release
Superseded in sid-release
openssh (1:6.2p2-4) unstable; urgency=low


  * Fix non-portable shell in ssh-copy-id (closes: #711162).
  * Rebuild against debhelper 9.20130604 with fixed dependencies for
    invoke-rc.d and Upstart jobs (closes: #711159, #711364).
  * Set SELinux context on private host keys as well as public host keys
    (closes: #687436).

 -- Colin Watson <email address hidden>  Thu, 06 Jun 2013 17:06:31 +0100


Superseded in jessie-release
Superseded in sid-release
openssh (1:6.2p2-3) unstable; urgency=low


  * If the running init daemon is Upstart, then, on the first upgrade to
    this version, check whether sysvinit is still managing sshd; if so,
    manually stop it so that it can be restarted under upstart.  We do this
    near the end of the postinst, so it shouldn't result in any appreciable
    extra window where sshd is not running during upgrade.

 -- Colin Watson <email address hidden>  Wed, 22 May 2013 17:42:10 +0100


Superseded in sid-release
openssh (1:6.2p2-1) unstable; urgency=low


  * New upstream release (http://www.openssh.com/txt/release-6.2p2):
    - Only warn for missing identity files that were explicitly specified
      (closes: #708275).
    - Fix bug in contributed contrib/ssh-copy-id script that could result in
      "rm *" being called on mktemp failure (closes: #708419).

 -- Colin Watson <email address hidden>  Thu, 16 May 2013 14:05:06 +0100


Superseded in sid-release
openssh (1:6.2p1-3) unstable; urgency=low


  * Renumber Debian-specific additions to enum monitor_reqtype so that they
    fit within a single byte (thanks, Jason Conti; LP: #1179202).

 -- Colin Watson <email address hidden>  Mon, 13 May 2013 10:56:04 +0100


Superseded in sid-release
openssh (1:6.2p1-2) unstable; urgency=low


  * Fix build failure on Ubuntu:
    - Include openbsd-compat/sys-queue.h from consolekit.c.
    - Fix consolekit mismerges in monitor.c and monitor_wrap.c.

 -- Colin Watson <email address hidden>  Thu, 09 May 2013 09:45:57 +0100
Superseded in sid-release
openssh (1:6.2p1-1) unstable; urgency=low


  * New upstream release (http://www.openssh.com/txt/release-6.2).
    - Add support for multiple required authentication in SSH protocol 2 via
      an AuthenticationMethods option (closes: #195716).
    - Fix Sophie Germain formula in moduli(5) (closes: #698612).
    - Update ssh-copy-id to Phil Hands' greatly revised version (closes:
      #99785, #322228, #620428; LP: #518883, #835901, #1074798).
  * Use dh-autoreconf.

 -- Colin Watson <email address hidden>  Tue, 07 May 2013 11:48:16 +0100
Deleted in experimental-release (Reason: None provided.)
openssh (1:6.1p1-4) experimental; urgency=low


  [ Gunnar Hjalmarsson ]
  * debian/openssh-server.sshd.pam: Explicitly state that ~/.pam_environment
    should be read, and move the pam_env calls from "auth" to "session" so
    that it's also read when $HOME is encrypted (LP: #952185).

  [ Stéphane Graber ]
  * Add ssh-agent upstart user job.  This implements something similar to
    the 90x11-common_ssh-agent Xsession script.  That is, start ssh-agent
    and set the appropriate environment variables (closes: #703906).

 -- Colin Watson <email address hidden>  Mon, 25 Mar 2013 16:58:04 +0000


Superseded in squeeze-release
openssh (1:5.5p1-6+squeeze3) stable; urgency=low


  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
    to 10:30:100 (closes: #700102).

 -- Colin Watson <email address hidden>  Fri, 08 Feb 2013 21:39:15 +0000
Superseded in experimental-release
openssh (1:6.1p1-3) experimental; urgency=low


  * Give ssh and ssh-krb5 versioned dependencies on openssh-client and
    openssh-server, to try to reduce confusion when people run 'apt-get
    install ssh' or similar and expect that to upgrade everything relevant.
  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
    to 10:30:100 (closes: #700102).

 -- Colin Watson <email address hidden>  Fri, 08 Feb 2013 21:07:31 +0000


Superseded in jessie-release
Superseded in wheezy-release
Superseded in sid-release
openssh (1:6.0p1-4) unstable; urgency=low


  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
    to 10:30:100 (closes: #700102).

 -- Colin Watson <email address hidden>  Fri, 08 Feb 2013 21:27:00 +0000
Superseded in experimental-release
openssh (1:6.1p1-2) experimental; urgency=low


  * Use xz compression for binary packages.
  * Merge from Ubuntu:
    - Add support for registering ConsoleKit sessions on login.  (This is
      currently enabled only when building for Ubuntu.)
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests.  It's
      been long enough since the relevant vulnerability that we shouldn't
      need these installed by default nowadays.
    - Add an Upstart job (not currently used by default in Debian).
    - Add mention of ssh-keygen in ssh connect warning (Scott Moser).
    - Install apport hooks.
  * Only build with -j if DEB_BUILD_OPTIONS=parallel=* is used (closes:
    #694282).

 -- Colin Watson <email address hidden>  Mon, 26 Nov 2012 16:39:07 +0000
Superseded in experimental-release
openssh (1:6.1p1-1) experimental; urgency=low


  * New upstream release (http://www.openssh.com/txt/release-6.1).
    - Enable pre-auth sandboxing by default for new installs.
    - Allow "PermitOpen none" to refuse all port-forwarding requests
      (closes: #543683).

 -- Colin Watson <email address hidden>  Fri, 07 Sep 2012 00:22:44 +0100
Superseded in wheezy-release
Superseded in sid-release
openssh (1:6.0p1-3) unstable; urgency=low


  * debconf template translations:
    - Add Indonesian (thanks, Andika Triwidada; closes: #681670).
  * Call restorecon on copied ~/.ssh/authorized_keys if possible, since some
    SELinux policies require this (closes: #658675).
  * Add ncurses-term to openssh-server's Recommends, since it's often needed
    to support unusual terminal emulators on clients (closes: #675362).

 -- Colin Watson <email address hidden>  Fri, 24 Aug 2012 06:55:36 +0100
Superseded in wheezy-release
Superseded in sid-release
openssh (1:6.0p1-2) unstable; urgency=low


  * Tighten libssl1.0.0 and libcrypto1.0.0-udeb dependencies to the current
    "fix" version at build time (closes: #678661).

 -- Colin Watson <email address hidden>  Sun, 24 Jun 2012 12:16:06 +0100
Superseded in wheezy-release
Superseded in sid-release
openssh (1:6.0p1-1) unstable; urgency=low


  [ Roger Leigh ]
  * Display dynamic part of MOTD from /run/motd.dynamic, if it exists
    (closes: #669699).

  [ Colin Watson ]
  * Update OpenSSH FAQ to revision 1.113, fixing missing line break (closes:
    #669667).
  * New upstream release (closes: #671010,
    http://www.openssh.org/txt/release-6.0).
    - Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections
      (closes: #643312, #650512, #671075).
    - Add a new privilege separation sandbox implementation for Linux's new
      seccomp sandbox, automatically enabled on platforms that support it.
      (Note: privilege separation sandboxing is still experimental.)
  * Fix a bashism in configure's seccomp_filter check.
  * Add a sandbox fallback mechanism, so that behaviour on Linux depends on
    whether the running system's kernel has seccomp_filter support, not the
    build system's kernel (forwarded upstream as
    https://bugzilla.mindrot.org/show_bug.cgi?id=2011).

 -- Colin Watson <email address hidden>  Sat, 26 May 2012 13:48:14 +0100
Superseded in squeeze-release
openssh (1:5.5p1-6+squeeze2) stable; urgency=high


  * CVE-2012-0814: Don't send the actual forced command in a debug message,
    which allowed remote authenticated users to obtain potentially sensitive
    information by reading these messages (closes: #657445).

 -- Colin Watson <email address hidden>  Mon, 20 Feb 2012 02:23:55 +0000
Superseded in wheezy-release
Superseded in sid-release
openssh (1:5.9p1-5) unstable; urgency=low


  * Use dpkg-buildflags, including for hardening support; drop use of
    hardening-includes.
  * Fix cross-building:
    - Allow using a cross-architecture pkg-config.
    - Pass default LDFLAGS to contrib/Makefile.
    - Allow dh_strip to strip gnome-ssh-askpass, rather than calling
      'install -s'.

 -- Colin Watson <email address hidden>  Mon, 02 Apr 2012 11:20:33 +0100
Superseded in wheezy-release
Superseded in sid-release
openssh (1:5.9p1-4) unstable; urgency=low


  * Disable OpenSSL version check again, as its SONAME is sufficient
    nowadays (closes: #664383).

 -- Colin Watson <email address hidden>  Mon, 19 Mar 2012 11:06:30 +0000
Superseded in wheezy-release
Superseded in sid-release
openssh (1:5.9p1-3) unstable; urgency=low


  * debconf template translations:
    - Update Polish (thanks, Michał Kułach; closes: #659829).
  * Ignore errors writing to console in init script (closes: #546743).
  * Move ssh-krb5 to Section: oldlibs.

 -- Colin Watson <email address hidden>  Fri, 24 Feb 2012 08:56:18 +0000
Superseded in wheezy-release
Superseded in sid-release
openssh (1:5.9p1-2) unstable; urgency=low


  * Mark openssh-client and openssh-server as Multi-Arch: foreign.

 -- Colin Watson <email address hidden>  Wed, 09 Nov 2011 02:06:48 +0000
Superseded in squeeze-release
openssh (1:5.5p1-6+squeeze1) stable; urgency=low


  * Quieten logs when multiple from= restrictions are used in different
    authorized_keys lines for the same key; it's still not ideal, but at
    least you'll only get one log entry per key (closes: #630606).

 -- Colin Watson <email address hidden>  Thu, 28 Jul 2011 16:43:48 +0000
Superseded in wheezy-release
Superseded in sid-release
openssh (1:5.9p1-1) unstable; urgency=low


  * New upstream release (http://www.openssh.org/txt/release-5.9).
    - Introduce sandboxing of the pre-auth privsep child using an optional
      sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
      mandatory restrictions on the syscalls the privsep child can perform.
    - Add new SHA256-based HMAC transport integrity modes from
      http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
    - The pre-authentication sshd(8) privilege separation slave process now
      logs via a socket shared with the master process, avoiding the need to
      maintain /dev/log inside the chroot (closes: #75043, #429243,
      #599240).
    - ssh(1) now warns when a server refuses X11 forwarding (closes:
      #504757).
    - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
      separated by whitespace (closes: #76312).  The authorized_keys2
      fallback is deprecated but documented (closes: #560156).
    - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
      ToS/DSCP (closes: #498297).
    - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
      - < /path/to/key" (closes: #229124).
    - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
    - Say "required" rather than "recommended" in unprotected-private-key
      warning (LP: #663455).
  * Update OpenSSH FAQ to revision 1.112.

 -- Colin Watson <email address hidden>  Wed, 07 Sep 2011 23:46:00 +0100
Superseded in wheezy-release
Superseded in sid-release
openssh (1:5.8p1-7) unstable; urgency=low


  * Only recommend ssh-import-id when built on Ubuntu (closes: #635887).
  * Use 'dpkg-vendor --derives-from Ubuntu' to detect Ubuntu systems rather
    than 'lsb_release -is' so that Ubuntu derivatives behave the same way as
    Ubuntu itself.

 -- Colin Watson <email address hidden>  Fri, 29 Jul 2011 14:27:52 +0100
Superseded in sid-release
openssh (1:5.8p1-6) unstable; urgency=low


  * openssh-client and openssh-server Suggests: monkeysphere.
  * Quieten logs when multiple from= restrictions are used in different
    authorized_keys lines for the same key; it's still not ideal, but at
    least you'll only get one log entry per key (closes: #630606).
  * Merge from Ubuntu (Dustin Kirkland):
    - openssh-server Recommends: ssh-import-id (no-op in Debian since that
      package doesn't exist there, but this reduces the Ubuntu delta).

 -- Colin Watson <email address hidden>  Thu, 28 Jul 2011 17:10:18 +0100
Superseded in sid-release
openssh (1:5.8p1-5) unstable; urgency=low


  * Drop openssh-server's dependency on openssh-blacklist to a
    recommendation (closes: #622604).
  * Update Vcs-* fields and README.source for Alioth changes.
  * Backport from upstream:
    - Make hostbased auth with ECDSA keys work correctly (closes: #633368).

 -- Colin Watson <email address hidden>  Sun, 24 Jul 2011 11:06:47 +0100
Superseded in sid-release
openssh (1:5.8p1-4) unstable; urgency=low


  * Drop hardcoded dependencies on libssl0.9.8 and libcrypto0.9.8-udeb,
    since the required minimum versions are rather old now anyway and
    openssl has bumped its SONAME (thanks, Julien Cristau; closes: #620828).
  * Remove unreachable code from openssh-server.postinst.

 -- Colin Watson <email address hidden>  Mon, 04 Apr 2011 15:56:18 +0100
Superseded in sid-release
openssh (1:5.8p1-3) unstable; urgency=low


  * Correct ssh-keygen instruction in the changelog for 1:5.7p1-1 (thanks,
    Joel Stanley).
  * Allow ssh-add to read from FIFOs (thanks, Daniel Kahn Gillmor; closes:
    #614897).

 -- Colin Watson <email address hidden>  Fri, 18 Mar 2011 16:42:42 +0000
Superseded in sid-release
openssh (1:5.8p1-2) unstable; urgency=low


  * Upload to unstable.

 -- Colin Watson <email address hidden>  Tue, 08 Feb 2011 10:59:17 +0000
Deleted in experimental-release (Reason: None provided.)
openssh (1:5.8p1-1) experimental; urgency=low


  * New upstream release (http://www.openssh.org/txt/release-5.8):
    - Fix stack information leak in legacy certificate signing
      (http://www.openssh.com/txt/legacy-cert.adv).

 -- Colin Watson <email address hidden>  Sat, 05 Feb 2011 11:13:11 +0000
Superseded in experimental-release
openssh (1:5.7p1-2) experimental; urgency=low


  * Fix crash in ssh_selinux_setfscreatecon when SELinux is disabled
    (LP: #708571).

 -- Colin Watson <email address hidden>  Thu, 27 Jan 2011 12:14:17 +0000
Superseded in experimental-release
openssh (1:5.7p1-1) experimental; urgency=low


  * New upstream release (http://www.openssh.org/txt/release-5.7):
    - Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
      and host/user keys (ECDSA) as specified by RFC5656.  ECDH and ECDSA
      offer better performance than plain DH and DSA at the same equivalent
      symmetric key length, as well as much shorter keys.
    - sftp(1)/sftp-server(8): add a protocol extension to support a hard
      link operation.  It is available through the "ln" command in the
      client.  The old "ln" behaviour of creating a symlink is available
      using its "-s" option or through the preexisting "symlink" command.
    - scp(1): Add a new -3 option to scp: Copies between two remote hosts
      are transferred through the local host (closes: #508613).
    - ssh(1): "atomically" create the listening mux socket by binding it on
      a temporary name and then linking it into position after listen() has
      succeeded.  This allows the mux clients to determine that the server
      socket is either ready or stale without races (closes: #454784).
      Stale server sockets are now automatically removed (closes: #523250).
    - ssh(1): install a SIGCHLD handler to reap expired child process
      (closes: #594687).
    - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
      temporary directories (closes: #357469, although only if you arrange
      for ssh-agent to actually see $TMPDIR since the setgid bit will cause
      it to be stripped off).
  * Update to current GSSAPI patch from
    http://www.sxw.org.uk/computing/patches/openssh-5.7p1-gsskex-all-20110125.patch:
    - Add GSSAPIServerIdentity option.
  * Generate ECDSA host keys on fresh installations.  Upgraders who wish to
    add such host keys should manually add 'HostKey
    /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config and run 'ssh-keygen
    -q -f /etc/ssh/sshd_config -N "" -t ecdsa'.
  * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support.
  * Backport SELinux build fix from CVS.
  * Rearrange selinux-role.patch so that it links properly given this
    SELinux build fix.

 -- Colin Watson <email address hidden>  Wed, 26 Jan 2011 23:48:02 +0000
Superseded in experimental-release
openssh (1:5.6p1-3) experimental; urgency=low


  * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no
    longer issues.
  * Merge 1:5.5p1-6.

 -- Colin Watson <email address hidden>  Thu, 30 Dec 2010 11:48:00 +0000
Superseded in wheezy-release
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.5p1-6) unstable; urgency=low


  * Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd,
    which is intentionally no longer shipped in the openssh-server package
    due to /var/run often being a temporary directory, is not removed on
    upgrade (closes: #575582).

 -- Colin Watson <email address hidden>  Sun, 26 Dec 2010 18:09:29 +0000
Superseded in experimental-release
openssh (1:5.6p1-2) experimental; urgency=low


  * Backport upstream patch to install a SIGCHLD handler to reap expired ssh
    child processes, preventing lots of zombies when using ControlPersist
    (closes: #594687).

 -- Colin Watson <email address hidden>  Tue, 26 Oct 2010 14:46:40 +0100
Superseded in experimental-release
openssh (1:5.6p1-1) experimental; urgency=low


  * New upstream release (http://www.openssh.com/txt/release-5.6):
    - Added a ControlPersist option to ssh_config(5) that automatically
      starts a background ssh(1) multiplex master when connecting.  This
      connection can stay alive indefinitely, or can be set to automatically
      close after a user-specified duration of inactivity (closes: #335697,
      #350898, #454787, #500573, #550262).
    - Support AuthorizedKeysFile, AuthorizedPrincipalsFile,
      HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5)
      Match blocks (closes: #549858).
    - sftp(1): fix ls in working directories that contain globbing
      characters in their pathnames (LP: #530714).

 -- Colin Watson <email address hidden>  Tue, 24 Aug 2010 00:37:54 +0100
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.5p1-5) unstable; urgency=low


  * Use an architecture wildcard for libselinux1-dev (closes: #591740).
  * debconf template translations:
    - Update Danish (thanks, Joe Hansen; closes: #592800).

 -- Colin Watson <email address hidden>  Mon, 23 Aug 2010 22:59:03 +0100
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.5p1-4) unstable; urgency=low


  [ Sebastian Andrzej Siewior ]
  * Add powerpcspe to architecture list for libselinux1-dev build-dependency
    (closes: #579843).

  [ Colin Watson ]
  * Allow ~/.ssh/authorized_keys and other secure files to be
    group-writable, provided that the group in question contains only the
    file's owner; this extends a patch previously applied to ~/.ssh/config
    (closes: #581919).
  * Check primary group memberships as well as supplementary group
    memberships, and only allow group-writability by groups with exactly one
    member, as zero-member groups are typically used by setgid binaries
    rather than being user-private groups (closes: #581697).

 -- Colin Watson <email address hidden>  Sat, 22 May 2010 23:37:20 +0100
Superseded in sid-release
Superseded in squeeze-release
openssh (1:5.5p1-3) unstable; urgency=low


  * Discard error messages while checking whether rsh, rlogin, and rcp
    alternatives exist (closes: #579285).
  * Drop IDEA key check; I don't think it works properly any more due to
    textual changes in error output, it's only relevant for direct upgrades
    from truly ancient versions, and it breaks upgrades if
    /etc/ssh/ssh_host_key can't be loaded (closes: #579570).

 -- Colin Watson <email address hidden>  Wed, 28 Apr 2010 22:12:47 +0100
Superseded in sid-release
openssh (1:5.4p1-2) unstable; urgency=low


  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
    installed, the host key is published in an SSHFP RR secured with DNSSEC,
    and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
    verification (closes: #572049).
  * Convert to dh(1), and use dh_installdocs --link-doc.
  * Drop lpia support, since Ubuntu no longer supports this architecture.
  * Use dh_install more effectively.
  * Add a NEWS.Debian entry about changes in smartcard support relative to
    previous unofficial builds (closes: #231472).

 -- Colin Watson <email address hidden>  Sat, 10 Apr 2010 01:08:59 +0100
Superseded in sid-release
openssh (1:5.4p1-1) unstable; urgency=low


  * New upstream release (LP: #535029).
    - After a transition period of about 10 years, this release disables SSH
      protocol 1 by default.  Clients and servers that need to use the
      legacy protocol must explicitly enable it in ssh_config / sshd_config
      or on the command-line.
    - Remove the libsectok/OpenSC-based smartcard code and add support for
      PKCS#11 tokens.  This support is enabled by default in the Debian
      packaging, since it now doesn't involve additional library
      dependencies (closes: #231472, LP: #16918).
    - Add support for certificate authentication of users and hosts using a
      new, minimal OpenSSH certificate format (closes: #482806).
    - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
    - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
      package, this overlaps with the key blacklisting facility added in
      openssh 1:4.7p1-9, but with different file formats and slightly
      different scopes; for the moment, I've roughly merged the two.)
    - Various multiplexing improvements, including support for requesting
      port-forwardings via the multiplex protocol (closes: #360151).
    - Allow setting an explicit umask on the sftp-server(8) commandline to
      override whatever default the user has (closes: #496843).
    - Many sftp client improvements, including tab-completion, more options,
      and recursive transfer support for get/put (LP: #33378).  The old
      mget/mput commands never worked properly and have been removed
      (closes: #270399, #428082).
    - Do not prompt for a passphrase if we fail to open a keyfile, and log
      the reason why the open failed to debug (closes: #431538).
    - Prevent sftp from crashing when given a "-" without a command.  Also,
      allow whitespace to follow a "-" (closes: #531561).

  * Fix 'debian/rules quilt-setup' to avoid writing .orig files if some
    patches apply with offsets.
  * Include debian/ssh-askpass-gnome.png in the Debian tarball now that
    we're using a source format that permits this, rather than messing
    around with uudecode.
  * Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
    3.8.1p1-1.  Simon Wilkinson refused this patch since the old gssapi
    mechanism was removed due to a serious security hole, and since these
    versions of ssh-krb5 are no longer security-supported by Debian I don't
    think there's any point keeping client compatibility for them.
  * Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.
  * Hardcode the location of xauth to /usr/bin/xauth rather than
    /usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440).
    xauth no longer depends on x11-common, so we're no longer guaranteed to
    have the /usr/bin/X11 symlink available.  I was taking advantage of the
    /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far
    enough in the past now that it's probably safe to just use /usr/bin.
  * Remove SSHD_OOM_ADJUST configuration.  sshd now unconditionally makes
    itself non-OOM-killable, and doesn't require configuration to avoid log
    spam in virtualisation containers (closes: #555625).
  * Drop Debian-specific removal of OpenSSL version check.  Upstream ignores
    the two patchlevel nybbles now, which is sufficient to address the
    original reason this change was introduced, and it appears that any
    change in the major/minor/fix nybbles would involve a new libssl package
    name.  (We'd still lose if the status nybble were ever changed, but that
    would mean somebody had packaged a development/beta version rather than
    a proper release, which doesn't appear to be normal practice.)
  * Drop most of our "LogLevel SILENT" (-qq) patch.  This was originally
    introduced to match the behaviour of non-free SSH, in which -q does not
    suppress fatal errors, but matching the behaviour of OpenSSH upstream is
    much more important nowadays.  We no longer document that -q does not
    suppress fatal errors (closes: #280609).  Migrate "LogLevel SILENT" to
    "LogLevel QUIET" in sshd_config on upgrade.
  * Policy version 3.8.4:
    - Add a Homepage field.

 -- Colin Watson <email address hidden>  Tue, 06 Apr 2010 22:38:31 +0100
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.3p1-3) unstable; urgency=low


  * Convert to source format 3.0 (quilt).
  * Update README.source to match, and add a 'quilt-setup' target to
    debian/rules for the benefit of those checking out the package from
    revision control.
  * All patches are now maintained separately and tagged according to DEP-3.
  * Add GSSAPIStoreCredentialsOnRekey to 'sshd -T' configuration dump.
  * Remove documentation of building for Debian 3.0 in README.Debian.
    Support for this was removed in 1:4.7p1-2.
  * Remove obsolete header from README.Debian dating from when people
    expected non-free SSH.
  * Update copyright years for GSSAPI patch.

 -- Colin Watson <email address hidden>  Sun, 28 Feb 2010 01:35:53 +0000
Superseded in sid-release
openssh (1:5.3p1-2) unstable; urgency=low


  * Link with -Wl,--as-needed (closes: #560155).
  * Install upstream sshd_config as an example (closes: #415008).
  * Use dh_lintian.
  * Honour DEB_BUILD_OPTIONS=nocheck.

 -- Colin Watson <email address hidden>  Mon, 22 Feb 2010 12:43:24 +0000
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.3p1-1) unstable; urgency=low


  * New upstream release.
  * Update to GSSAPI patch from
    http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch.
  * Backport from upstream:
    - Do not fall back to adding keys without constraints (ssh-add -c / -t
      ...) when the agent refuses the constrained add request. This was a
      useful migration measure back in 2002 when constraints were new, but
      just adds risk now (LP: #209447).
  * Drop change from 1:3.8p1-3 to avoid setresuid() and setresgid() system
    calls.  This only applied to Linux 2.2, which it's no longer feasible to
    run anyway (see 1:5.2p1-2 changelog).

 -- Colin Watson <email address hidden>  Tue, 26 Jan 2010 11:55:29 +0000
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.2p1-2) unstable; urgency=low


  [ Colin Watson ]
  * Backport from upstream:
    - After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
      re-execs itself.  Prevents two HUPs in quick succession from resulting
      in sshd dying (LP: #497781).
    - Output a debug if we can't open an existing keyfile (LP: #505301).
  * Use host compiler for ssh-askpass-gnome when cross-compiling.
  * Don't run tests when cross-compiling.
  * Drop change from 1:3.6.1p2-5 to disable cmsg_type check for file
    descriptor passing when running on Linux 2.0.  The previous stable
    release of Debian dropped support for Linux 2.4, let alone 2.0, so this
    very likely has no remaining users depending on it.

  [ Kees Cook ]
  * Implement DebianBanner server configuration flag that can be set to "no"
    to allow sshd to run without the Debian-specific extra version in the
    initial protocol handshake (closes: #562048).

 -- Colin Watson <email address hidden>  Sat, 16 Jan 2010 01:28:58 +0000
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.2p1-1) unstable; urgency=low


  * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
    for a while, but there's no GSSAPI patch available for it yet.
    - Change the default cipher order to prefer the AES CTR modes and the
      revised "arcfour256" mode to CBC mode ciphers that are susceptible to
      CPNI-957037 "Plaintext Recovery Attack Against SSH".
    - Add countermeasures to mitigate CPNI-957037-style attacks against the
      SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
      packet length or Message Authentication Code, ssh/sshd will continue
      reading up to the maximum supported packet length rather than
      immediately terminating the connection. This eliminates most of the
      known differences in behaviour that leaked information about the
      plaintext of injected data which formed the basis of this attack
      (closes: #506115, LP: #379329).
    - ForceCommand directive now accepts commandline arguments for the
      internal-sftp server (closes: #524423, LP: #362511).
    - Add AllowAgentForwarding to available Match keywords list (closes:
      #540623).
    - Make ssh(1) send the correct channel number for
      SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
      avoid triggering 'Non-public channel' error messages on sshd(8) in
      openssh-5.1.
    - Avoid printing 'Non-public channel' warnings in sshd(8), since the
      ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
      behaviour introduced in openssh-5.1; closes: #496017).
    - Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
      connections (closes: #507541).
    - Fix "whitepsace" typo in ssh_config(5) (closes: #514313, LP: #303835).
  * Update to GSSAPI patch from
    http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
    including cascading credentials support (LP: #416958).
  * Use x11.pc when compiling/linking gnome-ssh-askpass2 (closes: #555951).
  * Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields.
  * Add debian/README.source with instructions on bzr handling.
  * Make ChrootDirectory work with SELinux (thanks, Russell Coker; closes:
    #556644).
  * Initialise sc to NULL in ssh_selinux_getctxbyname (thanks, Václav Ovsík;
    closes: #498684).
  * Don't duplicate backslashes when displaying server banner (thanks,
    Michał Górny; closes: #505378, LP: #425346).
  * Use hardening-includes for hardening logic (thanks, Kees Cook; closes:
    #561887).
  * Update OpenSSH FAQ to revision 1.110.
  * Remove ssh/new_config, only needed for direct upgrades from potato which
    are no longer particularly feasible anyway (closes: #420682).
  * Cope with insserv reordering of init script links.
  * Remove init script stop link in rc1, as killprocs handles it already.
  * Adjust short descriptions to avoid relying on previous experience with
    rsh, based on suggestions from Reuben Thomas (closes: #512198).
  * Remove manual page references to login.conf, which aren't applicable on
    non-BSD systems (closes: #154434).
  * Remove/adjust manual page references to BSD-specific /etc/rc (closes:
    #513417).
  * Refer to sshd_config(5) rather than sshd(8) in postinst-written
    /etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
    configuration file (closes: #415008, although unfortunately this will
    only be conveniently visible on new installations).
  * Include URL to OpenBSD's ssl(8) in ssh(1), since I don't see a better
    source for the same information among Debian's manual pages (closes:
    #530692, LP: #456660).

 -- Colin Watson <email address hidden>  Mon, 04 Jan 2010 13:23:35 +0000
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.1p1-8) unstable; urgency=low


  * Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi;
    closes: #538313).
  * Build-depend on libselinux1-dev on sh4 too (thanks, Nobuhiro Iwamatsu;
    closes: #547103).
  * Fix grammar in if-up script (closes: #549128).
  * Pass $SSHD_OPTS when checking configuration too (thanks, "sobtwmxt";
    closes: #548662).

 -- Colin Watson <email address hidden>  Mon, 05 Oct 2009 13:30:49 +0100
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.1p1-7) unstable; urgency=low


  * Update config.guess and config.sub from autotools-dev 20090611.1
    (closes: #538301).
  * Set umask to 022 in the init script as well as postinsts (closes:
    #539030).
  * Add ${misc:Depends} to keep Lintian happy.
  * Use 'which' rather than 'type' in maintainer scripts.
  * Upgrade to debhelper v7.

 -- Colin Watson <email address hidden>  Fri, 31 Jul 2009 16:28:10 +0100
Superseded in squeeze-release
Superseded in sid-release
openssh (1:5.1p1-6) unstable; urgency=low


  * Open /proc/self/oom_adj with O_RDONLY or O_WRONLY as necessary, rather
    than O_RDWR.
  * Disable OOM adjustment for vserver/OpenVZ (thanks, Karl Chen; closes:
    #511771).
  * Add ufw integration (thanks, Didier Roche; see
    https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages;
    LP: #261884).
  * Add a comment above PermitRootLogin in sshd_config pointing to
    README.Debian.
  * Check if delgroup is present in openssh-client.postrm (closes: #530501).
  * Build with -fPIC on mips/mipsel (thanks, Luk Claes; closes: #531942).
  * Remove /var/run/sshd from openssh-server package; it will be created at
    run-time before starting the server.
  * Use invoke-rc.d in openssh-server's if-up script.

 -- Colin Watson <email address hidden>  Fri, 05 Jun 2009 11:56:03 +0100
Superseded in squeeze-release
Published in lenny-release
Superseded in sid-release
openssh (1:5.1p1-5) unstable; urgency=low


  * Backport from upstream CVS (Markus Friedl):
    - packet_disconnect() on padding error, too. Should reduce the success
      probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18.
  * Check that /var/run/sshd.pid exists and that the process ID listed there
    corresponds to sshd before running '/etc/init.d/ssh reload' from if-up
    script; SIGHUP is racy if called at boot before sshd has a chance to
    install its signal handler, but fortunately the pid file is written
    after that which lets us avoid the race (closes: #502444).
  * While the above is a valuable sanity-check, it turns out that it doesn't
    really fix the bug (thanks to Kevin Price for testing), so for the
    meantime we'll just use '/etc/init.d/ssh restart', even though it is
    unfortunately heavyweight.

 -- Colin Watson <email address hidden>  Wed, 14 Jan 2009 00:34:08 +0000
Superseded in lenny-release
Superseded in sid-release
openssh (1:5.1p1-4) unstable; urgency=low


  * ssh-copy-id: Strip trailing colons from hostname (closes: #226172,
    LP: #249706; thanks to Karl Goetz for nudging this along; forwarded
    upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=1530).
  * Backport from upstream CVS (Markus Friedl):
    - Only send eow and no-more-sessions requests to openssh 5 and newer;
      fixes interop problems with broken ssh v2 implementations (closes:
      #495917).
  * Fix double-free when failing to parse a forwarding specification given
    using ~C (closes: #505330; forwarded upstream as
    https://bugzilla.mindrot.org/show_bug.cgi?id=1539).

 -- Colin Watson <email address hidden>  Sun, 23 Nov 2008 14:46:10 +0000
Superseded in sid-release
Superseded in lenny-release
openssh (1:5.1p1-3) unstable; urgency=low


  * Remove unnecessary ssh-vulnkey output in non-verbose mode when no
    compromised or unknown keys were found (closes: #496495).
  * Configure with --disable-strip; dh_strip will deal with stripping
    binaries and will honour DEB_BUILD_OPTIONS (thanks, Bernhard R. Link;
    closes: #498681).
  * Fix handling of zero-length server banners (thanks, Tomas Mraz; closes:
    #497026).

 -- Colin Watson <email address hidden>  Tue, 30 Sep 2008 23:09:58 +0100