openssh 1:9.6p1-1 source package in Debian

Changelog

openssh (1:9.6p1-1) unstable; urgency=medium

  * Use single quotes in suggested ssh-keygen commands (closes: #1057835).
  * Debconf translations:
    - Catalan (thanks, Pablo Huguet; closes: #1049995).
  * New upstream release (https://www.openssh.com/releasenotes.html#9.6p1):
    - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
      thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
      Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
      a limited break of the integrity of the early encrypted SSH transport
      protocol by sending extra messages prior to the commencement of
      encryption, and deleting an equal number of consecutive messages
      immediately after encryption starts. A peer SSH client/server would
      not be able to detect that messages were deleted.
    - [SECURITY] ssh-agent(1): when adding PKCS#11-hosted private keys while
      specifying destination constraints, if the PKCS#11 token returned
      multiple keys then only the first key had the constraints applied. Use
      of regular private keys, FIDO tokens and unconstrained keys is
      unaffected.
    - [SECURITY] ssh(1): if an invalid user or hostname that contained shell
      metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand
      directive or "match exec" predicate referenced the user or hostname
      via %u, %h or similar expansion token, then an attacker who could
      supply arbitrary user/hostnames to ssh(1) could potentially perform
      command injection depending on what quoting was present in the
      user-supplied ssh_config(5) directive. OpenSSH 9.6 now bans most shell
      metacharacters from user and hostnames supplied via the command-line.
    - ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a
      TCP-like window mechanism that limits the amount of data that can be
      sent without acceptance from the peer. In cases where this limit was
      exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8)
      previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8)
      will now terminate the connection if a peer exceeds the window limit
      by more than a small grace factor. This change should have no effect
      on SSH implementations that follow the specification.
    - ssh(1): add a %j token that expands to the configured ProxyJump
      hostname (or the empty string if this option is not being used) that
      can be used in a number of ssh_config(5) keywords.
    - ssh(1): add ChannelTimeout support to the client, mirroring the same
      option in the server and allowing ssh(1) to terminate quiescent
      channels.
    - ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading
      ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH
      private key format was supported.
    - ssh(1), sshd(8): introduce a protocol extension to allow renegotiation
      of acceptable signature algorithms for public key authentication after
      the server has learned the username being used for authentication.
      This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a
      "Match user" block.
    - ssh-add(1), ssh-agent(1): add an agent protocol extension to allow
      specifying certificates when loading PKCS#11 keys. This allows the use
      of certificates backed by PKCS#11 private keys in all OpenSSH tools
      that support ssh-agent(1). Previously only ssh(1) supported this
      use-case.
    - ssh(1): when deciding whether to enable the keystroke timing
      obfuscation, enable it only if a channel with a TTY is active.
    - ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
      before checking flags set in signal handler. Avoids potential race
      condition between signaling ssh to exit and polling.
    - ssh(1): when connecting to a destination with both the AddressFamily
      and CanonicalizeHostname directives in use, the AddressFamily
      directive could be ignored.
    - sftp(1): correct handling of the <email address hidden> option when the
      server returned an unexpected message.
    - ssh(1): release GSS OIDs only at end of authentication, avoiding
      unnecessary init/cleanup cycles.
    - ssh_config(5): mention "none" is a valid argument to IdentityFile in
      the manual.
    - scp(1): improved debugging for paths from the server rejected for not
      matching the client's glob(3) pattern in old SCP/RCP protocol mode.
    - ssh-agent(1): refuse signing operations on destination-constrained
      keys if a previous session-bind operation has failed. This may prevent
      a fail-open situation in future if a user uses a mismatched ssh(1)
      client and ssh-agent(1) where the client supports a key type that the
      agent does not support.
  * debian/run-tests: Supply absolute paths to tools.
  * debian/run-tests: Enable interop tests for Dropbear.

 -- Colin Watson <email address hidden>  Mon, 18 Dec 2023 22:35:25 +0000
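The command-injection item in the changelog above concerns user- or attacker-chosen user and host names reaching a shell through %u/%h expansion in ProxyCommand, LocalCommand or "Match exec". OpenSSH 9.6 rejects such names itself; a wrapper that builds ssh(1) invocations from untrusted input should reject them before exec as well, and hand ssh an argv list rather than a shell string. The following is an added example, not code from OpenSSH or from the Debian package; the allowlists it uses are this example's own assumption and not the exact character set OpenSSH 9.6 enforces.

```python
"""Added example (not OpenSSH or Debian code): validate an ssh target before
handing it to ssh(1) from a wrapper, so shell metacharacters never reach a
%u/%h expansion or a client-side shell."""
import re
import subprocess
from typing import List, Optional

# Allowlists are this example's assumption, not OpenSSH's own check.
# Hostname: alphanumeric labels with dots/hyphens inside, first character
# alphanumeric so the value can never be parsed as an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
# User name: POSIX-style, first character alphanumeric or underscore.
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,31}$")


def is_safe_host(host: str) -> bool:
    """True if `host` consists only of allowlisted hostname characters."""
    return bool(_HOST_RE.match(host))


def is_safe_user(user: str) -> bool:
    """True if `user` consists only of allowlisted user-name characters."""
    return bool(_USER_RE.match(user))


def build_ssh_argv(user: str, host: str,
                   remote_cmd: Optional[List[str]] = None) -> List[str]:
    """Return an argv list for ssh(1), or raise ValueError for an unsafe target.

    Passing an argv list (never shell=True) means the client-side shell does
    not re-parse the target; the allowlist keeps metacharacters out of any
    %u/%h expansion that ssh itself performs for ProxyCommand and friends.
    """
    if not is_safe_user(user):
        raise ValueError(f"rejected user name: {user!r}")
    if not is_safe_host(host):
        raise ValueError(f"rejected host name: {host!r}")
    argv = ["ssh", "-o", "BatchMode=yes", f"{user}@{host}"]
    if remote_cmd:
        argv.extend(remote_cmd)
    return argv


def run_ssh(user: str, host: str, remote_cmd: Optional[List[str]] = None) -> int:
    """Validate, then exec ssh without a shell; returns the exit status."""
    return subprocess.run(build_ssh_argv(user, host, remote_cmd), check=False).returncode


if __name__ == "__main__":
    # Constructed sample targets: two well-formed, three that must be rejected.
    for user, host in [("alice", "example.org"), ("deploy", "10.0.0.7"),
                       ("alice", "host;id"), ("bob`id`", "example.org"),
                       ("alice", "-oProxyCommand=nc")]:
        try:
            print("accept", build_ssh_argv(user, host))
        except ValueError as exc:
            print("reject", exc)
```

The check runs before ssh is invoked, so a rejected target produces a clear error in the wrapper instead of relying on ssh's own refusal, and the argv form avoids a second, client-side quoting problem that the 9.6 change does not address.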

Upload details

Uploaded by: Debian OpenSSH Maintainers
Uploaded to: Sid
Original maintainer: Debian OpenSSH Maintainers
Architectures: any all
Section: net
Urgency: Medium

Downloads

File Size SHA-256 Checksum
openssh_9.6p1-1.dsc 3.3 KiB a41c76ab7a4a9859911a9544649dbff4d2e2f488ebdda4d716e20b0fbd5f3208
openssh_9.6p1.orig.tar.gz 1.8 MiB 910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c
openssh_9.6p1.orig.tar.gz.asc 833 bytes 9b1e931cbc811f02e91f7eacd55f8211cc45dade11975462f4b0dcdad29927aa
openssh_9.6p1-1.debian.tar.xz 183.2 KiB 4acec5879df194b4ff45d821a32a97a3bcfc1df70cb6bfa5cc82b41487d94dc9
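Before unpacking or building from the files in the Downloads table, a practitioner checks them against the listed SHA-256 values. The script below is an added example, not code from Launchpad, Debian or OpenSSH; the file names and digests are copied from the table above, and everything else (function names, the status vocabulary) is this example's own.

```python
"""Added example (not Launchpad, Debian or OpenSSH code): verify downloaded
source files against the SHA-256 checksums listed on the package page."""
import hashlib
import os
from typing import Dict

# Copied from the Downloads table on this page.
EXPECTED_SHA256: Dict[str, str] = {
    "openssh_9.6p1-1.dsc":
        "a41c76ab7a4a9859911a9544649dbff4d2e2f488ebdda4d716e20b0fbd5f3208",
    "openssh_9.6p1.orig.tar.gz":
        "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c",
    "openssh_9.6p1.orig.tar.gz.asc":
        "9b1e931cbc811f02e91f7eacd55f8211cc45dade11975462f4b0dcdad29927aa",
    "openssh_9.6p1-1.debian.tar.xz":
        "4acec5879df194b4ff45d821a32a97a3bcfc1df70cb6bfa5cc82b41487d94dc9",
}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so a large tarball is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory: str,
                     expected: Dict[str, str] = EXPECTED_SHA256) -> Dict[str, str]:
    """Check each expected file under `directory`.

    Returns {filename: "ok" | "mismatch" | "missing"}.  "mismatch" means the
    file must not be used; "missing" is reported rather than silently skipped
    so a forgotten .dsc or tarball is noticed.
    """
    results: Dict[str, str] = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # Lower-case the expected value so a hand-copied upper-case hash still matches.
        results[name] = "ok" if sha256_file(path) == digest.lower() else "mismatch"
    return results


def all_verified(results: Dict[str, str]) -> bool:
    """True only when every expected file is present and matches."""
    return bool(results) and all(status == "ok" for status in results.values())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    report = verify_downloads(target)
    for name, status in report.items():
        print(f"{status:9} {name}")
    sys.exit(0 if all_verified(report) else 1)
```

The checksums come from the same page as the download links, so this guards the transfer, not the origin; authenticity of the upstream tarball is established separately by verifying `openssh_9.6p1.orig.tar.gz.asc` against the upstream signing key.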

No changes file available.

Binary packages built by this source