Change log for openssh package in Debian
openssh (1:6.6p1-1) unstable; urgency=medium

  [ Colin Watson ]
  * Apply various warning-suppression and regression-test fixes to gssapi.patch from Damien Miller.
  * New upstream release (http://www.openssh.com/txt/release-6.6, LP: #1298280):
    - CVE-2014-2532: sshd(8): when using environment passing with an sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6 could be tricked into accepting any environment variable that contains the characters before the wildcard character.
  * Re-enable btmp logging, as its permissions were fixed a long time ago in response to #370050 (closes: #341883).
  * Change to "PermitRootLogin without-password" for new installations, and ask a debconf question when upgrading systems with "PermitRootLogin yes" from previous versions (closes: #298138).
  * Debconf translations:
    - Danish (thanks, Joe Hansen).
    - Portuguese (thanks, Américo Monteiro).
    - Russian (thanks, Yuri Kozlov; closes: #742308).
    - Swedish (thanks, Andreas Rönnquist).
    - Japanese (thanks, victory).
    - German (thanks, Stephan Beck; closes: #742541).
    - Italian (thanks, Beatrice Torracca).
  * Don't start ssh-agent from the Upstart user session job if something like Xsession has already done so (based on work by Bruno Vasselle; LP: #1244736).

  [ Matthew Vernon ]
  * CVE-2014-2653: Fix failure to check SSHFP records if server presents a certificate (bug reported by me, patch by upstream's Damien Miller; thanks also to Mark Wooding for his help in fixing this) (Closes: #742513)

 -- Colin Watson <email address hidden>  Fri, 28 Mar 2014 18:04:41 +0000

openssh (1:6.5p1-6) unstable; urgency=medium

  * Fix Breaks/Replaces versions of openssh-sftp-server on openssh-server (thanks, Axel Beckert).

 -- Colin Watson <email address hidden>  Thu, 06 Mar 2014 16:18:44 +0000

openssh (1:6.5p1-5) unstable; urgency=medium

  [ Colin Watson ]
  * Add Alias=sshd.service to systemd ssh.service file, to match "Provides: sshd" in the sysvinit script (thanks, Michael Biebl).
  * Add Before=ssh.service to systemd ssh.socket file, since otherwise nothing guarantees that ssh.service has stopped before ssh.socket starts (thanks, Uoti Urpala).

  [ Axel Beckert ]
  * Split sftp-server into its own package to allow it to also be used by other SSH server implementations like dropbear (closes: #504290).

 -- Colin Watson <email address hidden>  Wed, 05 Mar 2014 13:53:08 +0000

openssh (1:6.5p1-4) unstable; urgency=medium

  * Configure --without-hardening on hppa, to work around http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60155 (closes: #738798).
  * Amend "Running sshd from inittab" instructions in README.Debian to recommend 'update-rc.d ssh disable', rather than manual removal of rc*.d symlinks that won't work with dependency-based sysv-rc.
  * Remove code related to non-dependency-based sysv-rc ordering, since that is no longer supported.
  * Apply patch from https://bugzilla.mindrot.org/show_bug.cgi?id=2200 to fix getsockname errors when using "ssh -W" (closes: #738693).

 -- Colin Watson <email address hidden>  Sat, 15 Feb 2014 02:19:36 +0000

openssh (1:6.5p1-3) unstable; urgency=medium

  * Clarify socket activation mode in README.Debian, as suggested by Uoti Urpala.
  * Stop claiming that "Protocol 2" is a Debian-specific default; this has been upstream's default since 5.4p1.
  * Avoid stdout noise from which(1) on purge of openssh-client.
  * Fix sysvinit->systemd transition code to cope with still-running sysvinit jobs being considered active by systemd (thanks, Uoti Urpala and Michael Biebl).
  * Bump guard version for sysvinit->systemd transition to 1:6.5p1-3; we may have got it wrong before, and it's fairly harmless to repeat it.
  * Remove tests for whether /dev/null is a character device from the Upstart job and the systemd service files; it's there to avoid a confusing failure mode in daemon(), but with modern init systems we use the -D option to suppress daemonisation anyway.
  * Refer to /usr/share/common-licenses/GPL-2 in debian/copyright (for the Debian patch) rather than plain GPL.
  * Drop some very old Conflicts and Replaces (ssh (<< 1:3.8.1p1-9), rsh-client (<< 0.16.1-1), ssh-krb5 (<< 1:4.3p2-7), ssh-nonfree (<< 2), and openssh-client (<< 1:3.8.1p1-11)). These all relate to pre-etch versions, for which we no longer have maintainer script code, and per policy they would have to become Breaks nowadays anyway.
  * Policy version 3.9.5.
  * Drop unnecessary -1 in zlib1g Build-Depends version.
  * Tweak dh_systemd_enable invocations to avoid lots of error noise.

 -- Colin Watson <email address hidden>  Wed, 12 Feb 2014 13:10:08 +0000

openssh (1:6.5p1-2) unstable; urgency=medium

  * Only enable ssh.service for systemd, not both ssh.service and ssh.socket. Thanks to Michael Biebl for spotting this.
  * Backport upstream patch to unbreak case-sensitive matching of ssh_config (closes: #738619).

 -- Colin Watson <email address hidden>  Tue, 11 Feb 2014 11:28:35 +0000

openssh (1:6.5p1-1) unstable; urgency=medium

  * New upstream release (http://www.openssh.com/txt/release-6.5, LP: #1275068):
    - ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names (closes: #115286).
  * Switch to git; adjust Vcs-* fields.
  * Convert to git-dpm, and drop source package documentation associated with the old bzr/quilt patch handling workflow.
  * Drop ssh-vulnkey and the associated ssh/ssh-add/sshd integration code, leaving only basic configuration file compatibility, since it has been nearly six years since the original vulnerability and this code is not likely to be of much value any more (closes: #481853, #570651). See https://lists.debian.org/debian-devel/2013/09/msg00240.html for my full reasoning.
  * Add OpenPGP signature checking configuration to watch file (thanks, Daniel Kahn Gillmor; closes: #732441).
  * Add the pam_keyinit session module, to create a new session keyring on login (closes: #734816).
  * Incorporate default path changes from shadow 1:4.0.18.1-8, removing /usr/bin/X11 (closes: #644521).
  * Generate ED25519 host keys on fresh installations. Upgraders who wish to add such host keys should manually add 'HostKey /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run 'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
  * Drop long-obsolete "SSH now uses protocol 2 by default" section from README.Debian.
  * Add systemd support (thanks, Sven Joachim; closes: #676830).

 -- Colin Watson <email address hidden>  Mon, 10 Feb 2014 14:58:26 +0000

openssh (1:6.4p1-2) unstable; urgency=high

  * Increase ServerKeyBits value in package-generated sshd_config to 1024 (closes: #727622, LP: #1244272).
  * Restore patch to disable OpenSSL version check (closes: #732940).

 -- Colin Watson <email address hidden>  Mon, 23 Dec 2013 10:44:04 +0000

openssh (1:6.4p1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Adjust check for openssl version (Closes: #732940)

 -- Kurt Roeckx <email address hidden>  Mon, 23 Dec 2013 10:33:59 +0100

openssh (1:6.4p1-1) unstable; urgency=high

  * New upstream release. Important changes:
    - 6.3/6.3p1 (http://www.openssh.com/txt/release-6.3):
      + sftp(1): add support for resuming partial downloads using the "reget" command and on the sftp commandline or on the "get" commandline using the "-a" (append) option (closes: #158590).
      + ssh(1): add an "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives (closes: #436052).
      + sftp(1): update progressmeter when data is acknowledged, not when it's sent (partially addresses #708372).
      + ssh(1): do not fatally exit when attempting to cleanup multiplexing-created channels that are incompletely opened (closes: #651357).
    - 6.4/6.4p1 (http://www.openssh.com/txt/release-6.4):
      + CVE-2013-4548: sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected (closes: #729029). Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv
  * When running under Upstart, only consider the daemon started once it is ready to accept connections (by raising SIGSTOP at that point and using "expect stop").

 -- Colin Watson <email address hidden>  Sat, 09 Nov 2013 18:24:16 +0000

openssh (1:5.5p1-6+squeeze4) stable; urgency=low

  * CVE-2011-5000: Fix potential int overflow when using gssapi-with-mac authentication.

 -- Colin Watson <email address hidden>  Sun, 03 Mar 2013 14:14:03 +0000

openssh (1:6.2p2-6) unstable; urgency=low

  * Update config.guess and config.sub automatically at build time. dh_autoreconf does not take care of that by default because openssh does not use automake.

 -- Colin Watson <email address hidden>  Tue, 02 Jul 2013 22:54:49 +0100

openssh (1:6.2p2-5) unstable; urgency=low

  [ Colin Watson ]
  * Document consequences of ssh-agent being setgid in ssh-agent(1); see #711623.
  * Use 'set -e' rather than '#! /bin/sh -e' in maintainer scripts and ssh-argv0.

  [ Yolanda Robla ]
  * debian/rules: Include real distribution in SSH_EXTRAVERSION instead of hardcoding Debian (LP: #1195342).

 -- Colin Watson <email address hidden>  Thu, 27 Jun 2013 15:24:14 +0100

openssh (1:6.2p2-4) unstable; urgency=low

  * Fix non-portable shell in ssh-copy-id (closes: #711162).
  * Rebuild against debhelper 9.20130604 with fixed dependencies for invoke-rc.d and Upstart jobs (closes: #711159, #711364).
  * Set SELinux context on private host keys as well as public host keys (closes: #687436).

 -- Colin Watson <email address hidden>  Thu, 06 Jun 2013 17:06:31 +0100

openssh (1:6.2p2-3) unstable; urgency=low

  * If the running init daemon is Upstart, then, on the first upgrade to this version, check whether sysvinit is still managing sshd; if so, manually stop it so that it can be restarted under upstart. We do this near the end of the postinst, so it shouldn't result in any appreciable extra window where sshd is not running during upgrade.

 -- Colin Watson <email address hidden>  Wed, 22 May 2013 17:42:10 +0100

openssh (1:6.2p2-1) unstable; urgency=low

  * New upstream release (http://www.openssh.com/txt/release-6.2p2):
    - Only warn for missing identity files that were explicitly specified (closes: #708275).
    - Fix bug in contributed contrib/ssh-copy-id script that could result in "rm *" being called on mktemp failure (closes: #708419).

 -- Colin Watson <email address hidden>  Thu, 16 May 2013 14:05:06 +0100

openssh (1:6.2p1-3) unstable; urgency=low

  * Renumber Debian-specific additions to enum monitor_reqtype so that they fit within a single byte (thanks, Jason Conti; LP: #1179202).

 -- Colin Watson <email address hidden>  Mon, 13 May 2013 10:56:04 +0100

openssh (1:6.2p1-2) unstable; urgency=low

  * Fix build failure on Ubuntu:
    - Include openbsd-compat/sys-queue.h from consolekit.c.
    - Fix consolekit mismerges in monitor.c and monitor_wrap.c.

 -- Colin Watson <email address hidden>  Thu, 09 May 2013 09:45:57 +0100

openssh (1:6.2p1-1) unstable; urgency=low

  * New upstream release (http://www.openssh.com/txt/release-6.2).
    - Add support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option (closes: #195716).
    - Fix Sophie Germain formula in moduli(5) (closes: #698612).
    - Update ssh-copy-id to Phil Hands' greatly revised version (closes: #99785, #322228, #620428; LP: #518883, #835901, #1074798).
  * Use dh-autoreconf.

 -- Colin Watson <email address hidden>  Tue, 07 May 2013 11:48:16 +0100

openssh (1:6.1p1-4) experimental; urgency=low

  [ Gunnar Hjalmarsson ]
  * debian/openssh-server.sshd.pam: Explicitly state that ~/.pam_environment should be read, and move the pam_env calls from "auth" to "session" so that it's also read when $HOME is encrypted (LP: #952185).

  [ Stéphane Graber ]
  * Add ssh-agent upstart user job. This implements something similar to the 90x11-common_ssh-agent Xsession script. That is, start ssh-agent and set the appropriate environment variables (closes: #703906).

 -- Colin Watson <email address hidden>  Mon, 25 Mar 2013 16:58:04 +0000

openssh (1:5.5p1-6+squeeze3) stable; urgency=low

  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups to 10:30:100 (closes: #700102).

 -- Colin Watson <email address hidden>  Fri, 08 Feb 2013 21:39:15 +0000

openssh (1:6.1p1-3) experimental; urgency=low

  * Give ssh and ssh-krb5 versioned dependencies on openssh-client and openssh-server, to try to reduce confusion when people run 'apt-get install ssh' or similar and expect that to upgrade everything relevant.
  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups to 10:30:100 (closes: #700102).

 -- Colin Watson <email address hidden>  Fri, 08 Feb 2013 21:07:31 +0000

openssh (1:6.0p1-4) unstable; urgency=low

  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups to 10:30:100 (closes: #700102).

 -- Colin Watson <email address hidden>  Fri, 08 Feb 2013 21:27:00 +0000

openssh (1:6.1p1-2) experimental; urgency=low

  * Use xz compression for binary packages.
  * Merge from Ubuntu:
    - Add support for registering ConsoleKit sessions on login. (This is currently enabled only when building for Ubuntu.)
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests. It's been long enough since the relevant vulnerability that we shouldn't need these installed by default nowadays.
    - Add an Upstart job (not currently used by default in Debian).
    - Add mention of ssh-keygen in ssh connect warning (Scott Moser).
    - Install apport hooks.
  * Only build with -j if DEB_BUILD_OPTIONS=parallel=* is used (closes: #694282).

 -- Colin Watson <email address hidden>  Mon, 26 Nov 2012 16:39:07 +0000

openssh (1:6.1p1-1) experimental; urgency=low

  * New upstream release (http://www.openssh.com/txt/release-6.1).
    - Enable pre-auth sandboxing by default for new installs.
    - Allow "PermitOpen none" to refuse all port-forwarding requests (closes: #543683).

 -- Colin Watson <email address hidden>  Fri, 07 Sep 2012 00:22:44 +0100

openssh (1:6.0p1-3) unstable; urgency=low

  * debconf template translations:
    - Add Indonesian (thanks, Andika Triwidada; closes: #681670).
  * Call restorecon on copied ~/.ssh/authorized_keys if possible, since some SELinux policies require this (closes: #658675).
  * Add ncurses-term to openssh-server's Recommends, since it's often needed to support unusual terminal emulators on clients (closes: #675362).

 -- Colin Watson <email address hidden>  Fri, 24 Aug 2012 06:55:36 +0100

openssh (1:6.0p1-2) unstable; urgency=low

  * Tighten libssl1.0.0 and libcrypto1.0.0-udeb dependencies to the current "fix" version at build time (closes: #678661).

 -- Colin Watson <email address hidden>  Sun, 24 Jun 2012 12:16:06 +0100

openssh (1:6.0p1-1) unstable; urgency=low

  [ Roger Leigh ]
  * Display dynamic part of MOTD from /run/motd.dynamic, if it exists (closes: #669699).

  [ Colin Watson ]
  * Update OpenSSH FAQ to revision 1.113, fixing missing line break (closes: #669667).
  * New upstream release (closes: #671010, http://www.openssh.org/txt/release-6.0).
    - Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections (closes: #643312, #650512, #671075).
    - Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental.)
  * Fix a bashism in configure's seccomp_filter check.
  * Add a sandbox fallback mechanism, so that behaviour on Linux depends on whether the running system's kernel has seccomp_filter support, not the build system's kernel (forwarded upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=2011).

 -- Colin Watson <email address hidden>  Sat, 26 May 2012 13:48:14 +0100

openssh (1:5.5p1-6+squeeze2) stable; urgency=high

  * CVE-2012-0814: Don't send the actual forced command in a debug message, which allowed remote authenticated users to obtain potentially sensitive information by reading these messages (closes: #657445).

 -- Colin Watson <email address hidden>  Mon, 20 Feb 2012 02:23:55 +0000

openssh (1:5.9p1-5) unstable; urgency=low

  * Use dpkg-buildflags, including for hardening support; drop use of hardening-includes.
  * Fix cross-building:
    - Allow using a cross-architecture pkg-config.
    - Pass default LDFLAGS to contrib/Makefile.
    - Allow dh_strip to strip gnome-ssh-askpass, rather than calling 'install -s'.

 -- Colin Watson <email address hidden>  Mon, 02 Apr 2012 11:20:33 +0100

openssh (1:5.9p1-4) unstable; urgency=low

  * Disable OpenSSL version check again, as its SONAME is sufficient nowadays (closes: #664383).

 -- Colin Watson <email address hidden>  Mon, 19 Mar 2012 11:06:30 +0000

openssh (1:5.9p1-3) unstable; urgency=low

  * debconf template translations:
    - Update Polish (thanks, Michał Kułach; closes: #659829).
  * Ignore errors writing to console in init script (closes: #546743).
  * Move ssh-krb5 to Section: oldlibs.

 -- Colin Watson <email address hidden>  Fri, 24 Feb 2012 08:56:18 +0000

openssh (1:5.9p1-2) unstable; urgency=low

  * Mark openssh-client and openssh-server as Multi-Arch: foreign.

 -- Colin Watson <email address hidden>  Wed, 09 Nov 2011 02:06:48 +0000

openssh (1:5.5p1-6+squeeze1) stable; urgency=low

  * Quieten logs when multiple from= restrictions are used in different authorized_keys lines for the same key; it's still not ideal, but at least you'll only get one log entry per key (closes: #630606).

 -- Colin Watson <email address hidden>  Thu, 28 Jul 2011 16:43:48 +0000

openssh (1:5.9p1-1) unstable; urgency=low

  * New upstream release (http://www.openssh.org/txt/release-5.9).
    - Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform.
    - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
    - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240).
    - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757).
    - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156).
    - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297).
    - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124).
    - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
    - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
  * Update OpenSSH FAQ to revision 1.112.

 -- Colin Watson <email address hidden>  Wed, 07 Sep 2011 23:46:00 +0100

openssh (1:5.8p1-7) unstable; urgency=low

  * Only recommend ssh-import-id when built on Ubuntu (closes: #635887).
  * Use 'dpkg-vendor --derives-from Ubuntu' to detect Ubuntu systems rather than 'lsb_release -is' so that Ubuntu derivatives behave the same way as Ubuntu itself.

 -- Colin Watson <email address hidden>  Fri, 29 Jul 2011 14:27:52 +0100

openssh (1:5.8p1-6) unstable; urgency=low

  * openssh-client and openssh-server Suggests: monkeysphere.
  * Quieten logs when multiple from= restrictions are used in different authorized_keys lines for the same key; it's still not ideal, but at least you'll only get one log entry per key (closes: #630606).
  * Merge from Ubuntu (Dustin Kirkland):
    - openssh-server Recommends: ssh-import-id (no-op in Debian since that package doesn't exist there, but this reduces the Ubuntu delta).

 -- Colin Watson <email address hidden>  Thu, 28 Jul 2011 17:10:18 +0100

openssh (1:5.8p1-5) unstable; urgency=low

  * Drop openssh-server's dependency on openssh-blacklist to a recommendation (closes: #622604).
  * Update Vcs-* fields and README.source for Alioth changes.
  * Backport from upstream:
    - Make hostbased auth with ECDSA keys work correctly (closes: #633368).

 -- Colin Watson <email address hidden>  Sun, 24 Jul 2011 11:06:47 +0100

openssh (1:5.8p1-4) unstable; urgency=low

  * Drop hardcoded dependencies on libssl0.9.8 and libcrypto0.9.8-udeb, since the required minimum versions are rather old now anyway and openssl has bumped its SONAME (thanks, Julien Cristau; closes: #620828).
  * Remove unreachable code from openssh-server.postinst.

 -- Colin Watson <email address hidden>  Mon, 04 Apr 2011 15:56:18 +0100

openssh (1:5.8p1-3) unstable; urgency=low

  * Correct ssh-keygen instruction in the changelog for 1:5.7p1-1 (thanks, Joel Stanley).
  * Allow ssh-add to read from FIFOs (thanks, Daniel Kahn Gillmor; closes: #614897).

 -- Colin Watson <email address hidden>  Fri, 18 Mar 2011 16:42:42 +0000

openssh (1:5.8p1-2) unstable; urgency=low

  * Upload to unstable.

 -- Colin Watson <email address hidden>  Tue, 08 Feb 2011 10:59:17 +0000

openssh (1:5.8p1-1) experimental; urgency=low

  * New upstream release (http://www.openssh.org/txt/release-5.8):
    - Fix stack information leak in legacy certificate signing (http://www.openssh.com/txt/legacy-cert.adv).

 -- Colin Watson <email address hidden>  Sat, 05 Feb 2011 11:13:11 +0000

openssh (1:5.7p1-2) experimental; urgency=low

  * Fix crash in ssh_selinux_setfscreatecon when SELinux is disabled (LP: #708571).

 -- Colin Watson <email address hidden>  Thu, 27 Jan 2011 12:14:17 +0000

openssh (1:5.7p1-1) experimental; urgency=low

  * New upstream release (http://www.openssh.org/txt/release-5.7):
    - Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
    - sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command.
    - scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host (closes: #508613).
    - ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races (closes: #454784). Stale server sockets are now automatically removed (closes: #523250).
    - ssh(1): install a SIGCHLD handler to reap expired child process (closes: #594687).
    - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories (closes: #357469, although only if you arrange for ssh-agent to actually see $TMPDIR since the setgid bit will cause it to be stripped off).
  * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.7p1-gsskex-all-20110125.patch:
    - Add GSSAPIServerIdentity option.
  * Generate ECDSA host keys on fresh installations. Upgraders who wish to add such host keys should manually add 'HostKey /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config and run 'ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N "" -t ecdsa'.
  * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support.
  * Backport SELinux build fix from CVS.
  * Rearrange selinux-role.patch so that it links properly given this SELinux build fix.

 -- Colin Watson <email address hidden>  Wed, 26 Jan 2011 23:48:02 +0000

openssh (1:5.6p1-3) experimental; urgency=low

  * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no longer issues.
  * Merge 1:5.5p1-6.

 -- Colin Watson <email address hidden>  Thu, 30 Dec 2010 11:48:00 +0000

openssh (1:5.5p1-6) unstable; urgency=low

  * Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd, which is intentionally no longer shipped in the openssh-server package due to /var/run often being a temporary directory, is not removed on upgrade (closes: #575582).

 -- Colin Watson <email address hidden>  Sun, 26 Dec 2010 18:09:29 +0000

openssh (1:5.6p1-2) experimental; urgency=low

  * Backport upstream patch to install a SIGCHLD handler to reap expired ssh child processes, preventing lots of zombies when using ControlPersist (closes: #594687).

 -- Colin Watson <email address hidden>  Tue, 26 Oct 2010 14:46:40 +0100

openssh (1:5.6p1-1) experimental; urgency=low

  * New upstream release (http://www.openssh.com/txt/release-5.6):
    - Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity (closes: #335697, #350898, #454787, #500573, #550262).
    - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) Match blocks (closes: #549858).
    - sftp(1): fix ls in working directories that contain globbing characters in their pathnames (LP: #530714).

 -- Colin Watson <email address hidden>  Tue, 24 Aug 2010 00:37:54 +0100

openssh (1:5.5p1-5) unstable; urgency=low

  * Use an architecture wildcard for libselinux1-dev (closes: #591740).
  * debconf template translations:
    - Update Danish (thanks, Joe Hansen; closes: #592800).

 -- Colin Watson <email address hidden>  Mon, 23 Aug 2010 22:59:03 +0100

openssh (1:5.5p1-4) unstable; urgency=low

  [ Sebastian Andrzej Siewior ]
  * Add powerpcspe to architecture list for libselinux1-dev build-dependency (closes: #579843).

  [ Colin Watson ]
  * Allow ~/.ssh/authorized_keys and other secure files to be group-writable, provided that the group in question contains only the file's owner; this extends a patch previously applied to ~/.ssh/config (closes: #581919).
  * Check primary group memberships as well as supplementary group memberships, and only allow group-writability by groups with exactly one member, as zero-member groups are typically used by setgid binaries rather than being user-private groups (closes: #581697).

 -- Colin Watson <email address hidden>  Sat, 22 May 2010 23:37:20 +0100

openssh (1:5.5p1-3) unstable; urgency=low

  * Discard error messages while checking whether rsh, rlogin, and rcp alternatives exist (closes: #579285).
  * Drop IDEA key check; I don't think it works properly any more due to textual changes in error output, it's only relevant for direct upgrades from truly ancient versions, and it breaks upgrades if /etc/ssh/ssh_host_key can't be loaded (closes: #579570).

 -- Colin Watson <email address hidden>  Wed, 28 Apr 2010 22:12:47 +0100

openssh (1:5.4p1-2) unstable; urgency=low

  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
  * Convert to dh(1), and use dh_installdocs --link-doc.
  * Drop lpia support, since Ubuntu no longer supports this architecture.
  * Use dh_install more effectively.
  * Add a NEWS.Debian entry about changes in smartcard support relative to previous unofficial builds (closes: #231472).

 -- Colin Watson <email address hidden>  Sat, 10 Apr 2010 01:08:59 +0100

openssh (1:5.4p1-1) unstable; urgency=low

  * New upstream release (LP: #535029).
    - After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line.
    - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918).
    - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806).
    - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
    - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.)
    - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151).
    - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843).
    - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082).
    - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538).
    - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
  * Fix 'debian/rules quilt-setup' to avoid writing .orig files if some patches apply with offsets.
  * Include debian/ssh-askpass-gnome.png in the Debian tarball now that we're using a source format that permits this, rather than messing around with uudecode.
  * Drop compatibility with the old gssapi mechanism used in ssh-krb5 << 3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
  * Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.
  * Hardcode the location of xauth to /usr/bin/xauth rather than /usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440). xauth no longer depends on x11-common, so we're no longer guaranteed to have the /usr/bin/X11 symlink available. I was taking advantage of the /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far enough in the past now that it's probably safe to just use /usr/bin.
  * Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makes itself non-OOM-killable, and doesn't require configuration to avoid log spam in virtualisation containers (closes: #555625).
  * Drop Debian-specific removal of OpenSSL version check. Upstream ignores the two patchlevel nybbles now, which is sufficient to address the original reason this change was introduced, and it appears that any change in the major/minor/fix nybbles would involve a new libssl package name. (We'd still lose if the status nybble were ever changed, but that would mean somebody had packaged a development/beta version rather than a proper release, which doesn't appear to be normal practice.)
  * Drop most of our "LogLevel SILENT" (-qq) patch. This was originally introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
  * Policy version 3.8.4:
    - Add a Homepage field.

 -- Colin Watson <email address hidden>  Tue, 06 Apr 2010 22:38:31 +0100

openssh (1:5.3p1-3) unstable; urgency=low * Convert to source format 3.0 (quilt). * Update README.source to match, and add a 'quilt-setup' target to debian/rules for the benefit of those checking out the package from revision control. * All patches are now maintained separately and tagged according to DEP-3. * Add GSSAPIStoreCredentialsOnRekey to 'sshd -T' configuration dump. * Remove documentation of building for Debian 3.0 in README.Debian. Support for this was removed in 1:4.7p1-2. * Remove obsolete header from README.Debian dating from when people expected non-free SSH. * Update copyright years for GSSAPI patch. -- Colin Watson <email address hidden> Sun, 28 Feb 2010 01:35:53 +0000
openssh (1:5.3p1-2) unstable; urgency=low * Link with -Wl,--as-needed (closes: #560155). * Install upstream sshd_config as an example (closes: #415008). * Use dh_lintian. * Honour DEB_BUILD_OPTIONS=nocheck. -- Colin Watson <email address hidden> Mon, 22 Feb 2010 12:43:24 +0000
openssh (1:5.3p1-1) unstable; urgency=low * New upstream release. * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch. * Backport from upstream: - Do not fall back to adding keys without constraints (ssh-add -c / -t ...) when the agent refuses the constrained add request. This was a useful migration measure back in 2002 when constraints were new, but just adds risk now (LP: #209447). * Drop change from 1:3.8p1-3 to avoid setresuid() and setresgid() system calls. This only applied to Linux 2.2, which it's no longer feasible to run anyway (see 1:5.2p1-2 changelog). -- Colin Watson <email address hidden> Tue, 26 Jan 2010 11:55:29 +0000
openssh (1:5.2p1-2) unstable; urgency=low [ Colin Watson ] * Backport from upstream: - After sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs itself. Prevents two HUPs in quick succession from resulting in sshd dying (LP: #497781). - Output a debug if we can't open an existing keyfile (LP: #505301). * Use host compiler for ssh-askpass-gnome when cross-compiling. * Don't run tests when cross-compiling. * Drop change from 1:3.6.1p2-5 to disable cmsg_type check for file descriptor passing when running on Linux 2.0. The previous stable release of Debian dropped support for Linux 2.4, let alone 2.0, so this very likely has no remaining users depending on it. [ Kees Cook ] * Implement DebianBanner server configuration flag that can be set to "no" to allow sshd to run without the Debian-specific extra version in the initial protocol handshake (closes: #562048). -- Colin Watson <email address hidden> Sat, 16 Jan 2010 01:28:58 +0000
openssh (1:5.2p1-1) unstable; urgency=low * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). - Disable nonfunctional ssh(1) ~C escape handler in multiplex slave connections (closes: #507541). - Fix "whitepsace" typo in ssh_config(5) (closes: #514313, LP: #303835). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958). * Use x11.pc when compiling/linking gnome-ssh-askpass2 (closes: #555951). * Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields. 
* Add debian/README.source with instructions on bzr handling. * Make ChrootDirectory work with SELinux (thanks, Russell Coker; closes: #556644). * Initialise sc to NULL in ssh_selinux_getctxbyname (thanks, Václav Ovsík; closes: #498684). * Don't duplicate backslashes when displaying server banner (thanks, Michał Górny; closes: #505378, LP: #425346). * Use hardening-includes for hardening logic (thanks, Kees Cook; closes: #561887). * Update OpenSSH FAQ to revision 1.110. * Remove ssh/new_config, only needed for direct upgrades from potato which are no longer particularly feasible anyway (closes: #420682). * Cope with insserv reordering of init script links. * Remove init script stop link in rc1, as killprocs handles it already. * Adjust short descriptions to avoid relying on previous experience with rsh, based on suggestions from Reuben Thomas (closes: #512198). * Remove manual page references to login.conf, which aren't applicable on non-BSD systems (closes: #154434). * Remove/adjust manual page references to BSD-specific /etc/rc (closes: #513417). * Refer to sshd_config(5) rather than sshd(8) in postinst-written /etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped configuration file (closes: #415008, although unfortunately this will only be conveniently visible on new installations). * Include URL to OpenBSD's ssl(8) in ssh(1), since I don't see a better source for the same information among Debian's manual pages (closes: #530692, LP: #456660). -- Colin Watson <email address hidden> Mon, 04 Jan 2010 13:23:35 +0000
openssh (1:5.1p1-8) unstable; urgency=low * Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi; closes: #538313). * Build-depend on libselinux1-dev on sh4 too (thanks, Nobuhiro Iwamatsu; closes: #547103). * Fix grammar in if-up script (closes: #549128). * Pass $SSHD_OPTS when checking configuration too (thanks, "sobtwmxt"; closes: #548662). -- Colin Watson <email address hidden> Mon, 05 Oct 2009 13:30:49 +0100
openssh (1:5.1p1-7) unstable; urgency=low * Update config.guess and config.sub from autotools-dev 20090611.1 (closes: #538301). * Set umask to 022 in the init script as well as postinsts (closes: #539030). * Add ${misc:Depends} to keep Lintian happy. * Use 'which' rather than 'type' in maintainer scripts. * Upgrade to debhelper v7. -- Colin Watson <email address hidden> Fri, 31 Jul 2009 16:28:10 +0100
openssh (1:5.1p1-6) unstable; urgency=low * Open /proc/self/oom_adj with O_RDONLY or O_WRONLY as necessary, rather than O_RDWR. * Disable OOM adjustment for vserver/OpenVZ (thanks, Karl Chen; closes: #511771). * Add ufw integration (thanks, Didier Roche; see https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages; LP: #261884). * Add a comment above PermitRootLogin in sshd_config pointing to README.Debian. * Check if delgroup is present in openssh-client.postrm (closes: #530501). * Build with -fPIC on mips/mipsel (thanks, Luk Claes; closes: #531942). * Remove /var/run/sshd from openssh-server package; it will be created at run-time before starting the server. * Use invoke-rc.d in openssh-server's if-up script. -- Colin Watson <email address hidden> Fri, 05 Jun 2009 11:56:03 +0100
openssh (1:5.1p1-5) unstable; urgency=low * Backport from upstream CVS (Markus Friedl): - packet_disconnect() on padding error, too. Should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18. * Check that /var/run/sshd.pid exists and that the process ID listed there corresponds to sshd before running '/etc/init.d/ssh reload' from if-up script; SIGHUP is racy if called at boot before sshd has a chance to install its signal handler, but fortunately the pid file is written after that which lets us avoid the race (closes: #502444). * While the above is a valuable sanity-check, it turns out that it doesn't really fix the bug (thanks to Kevin Price for testing), so for the meantime we'll just use '/etc/init.d/ssh restart', even though it is unfortunately heavyweight. -- Colin Watson <email address hidden> Wed, 14 Jan 2009 00:34:08 +0000
openssh (1:5.1p1-4) unstable; urgency=low * ssh-copy-id: Strip trailing colons from hostname (closes: #226172, LP: #249706; thanks to Karl Goetz for nudging this along; forwarded upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=1530). * Backport from upstream CVS (Markus Friedl): - Only send eow and no-more-sessions requests to openssh 5 and newer; fixes interop problems with broken ssh v2 implementations (closes: #495917). * Fix double-free when failing to parse a forwarding specification given using ~C (closes: #505330; forwarded upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=1539). -- Colin Watson <email address hidden> Sun, 23 Nov 2008 14:46:10 +0000
openssh (1:5.1p1-3) unstable; urgency=low * Remove unnecessary ssh-vulnkey output in non-verbose mode when no compromised or unknown keys were found (closes: #496495). * Configure with --disable-strip; dh_strip will deal with stripping binaries and will honour DEB_BUILD_OPTIONS (thanks, Bernhard R. Link; closes: #498681). * Fix handling of zero-length server banners (thanks, Tomas Mraz; closes: #497026). -- Colin Watson <email address hidden> Tue, 30 Sep 2008 23:09:58 +0100