-
openssh (1:7.9p1-10+deb10u2) buster; urgency=medium
* Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
architectures (closes: #946242). Note that this also drops the previous
change to allow ipc on s390, since upstream has security concerns with
that and it doesn't currently seem to be needed.
-- Colin Watson <email address hidden> Fri, 31 Jan 2020 20:55:34 +0000
-
openssh (1:7.9p1-10+deb10u1) buster-security; urgency=high
* Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
privsep child, coping with changes in OpenSSL 1.1.1d that broke OpenSSH
on Linux kernels before 3.19 (closes: #941663).
-- Colin Watson <email address hidden> Sun, 06 Oct 2019 19:18:07 +0100
-
openssh (1:7.9p1-10) unstable; urgency=medium
* Temporarily revert IPQoS defaults to pre-7.8 values until issues with
"iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
LP: #1822370).
-- Colin Watson <email address hidden> Mon, 08 Apr 2019 11:13:04 +0100
-
openssh (1:7.9p1-9) unstable; urgency=medium
* Apply upstream patch to make scp handle shell-style brace expansions
when checking that filenames sent by the server match what the client
requested (closes: #923486).
-- Colin Watson <email address hidden> Fri, 01 Mar 2019 12:23:36 +0000
-
openssh (1:7.9p1-6) unstable; urgency=medium
* CVE-2019-6109: Apply upstream patches to sanitize scp filenames via
snmprintf (closes: #793412).
* CVE-2019-6111: Apply upstream patch to check in scp client that
filenames sent during remote->local directory copies satisfy the
wildcard specified by the user.
-- Colin Watson <email address hidden> Fri, 08 Feb 2019 16:26:35 +0000
-
openssh (1:7.9p1-5) unstable; urgency=high
* Move /etc/ssh/moduli to openssh-server, since it's reasonably large and
only used by sshd (closes: #858050).
* Drop obsolete alternate build-dependency on libssl1.0-dev (closes:
#917342).
* CVE-2018-20685: Apply upstream scp patch to disallow empty incoming
filename or ones that refer to the current directory (closes: #919101).
-- Colin Watson <email address hidden> Sun, 13 Jan 2019 11:22:45 +0000
-
openssh (1:7.9p1-4) unstable; urgency=medium
* Fix Ubuntu detection in debian/rules, since the documentation comment
for dpkg_vendor_derives_from is wrong (thanks, Jeremy Bicha; see
#913816).
-- Colin Watson <email address hidden> Fri, 16 Nov 2018 11:27:28 +0000
-
openssh (1:7.9p1-1) unstable; urgency=medium
* New upstream release (https://www.openssh.com/txt/release-7.9):
- ssh(1), sshd(8): allow most port numbers to be specified using service
names from getservbyname(3) (typically /etc/services; closes:
#177406).
- ssh(1): allow the IdentityAgent configuration directive to accept
environment variable names. This supports the use of multiple agent
sockets without needing to use fixed paths.
- sshd(8): support signalling sessions via the SSH protocol. A limited
subset of signals is supported and only for login or command sessions
(i.e. not subsystems) that were not subject to a forced command via
authorized_keys or sshd_config.
- ssh(1): support "ssh -Q sig" to list supported signature options.
Also "ssh -Q help" to show the full set of supported queries.
- ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and
server configs to allow control over which signature formats are
allowed for CAs to sign certificates. For example, this allows
banning CAs that sign certificates using the RSA-SHA1 signature
algorithm.
- sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke
keys specified by SHA256 hash.
- ssh-keygen(1): allow creation of key revocation lists directly from
base64-encoded SHA256 fingerprints. This supports revoking keys using
only the information contained in sshd(8) authentication log messages.
- ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
attempting to load PEM private keys while using an incorrect
passphrase.
- sshd(8): when a channel closed message is received from a client,
close the stderr file descriptor at the same time stdout is closed.
This avoids stuck processes if they were waiting for stderr to close
and were insensitive to stdin/out closing (closes: #844494).
- ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
forwarding timeout and support X11 forwarding indefinitely.
Previously the behaviour of ForwardX11Timeout=0 was undefined.
- sshd(8): when compiled with GSSAPI support, cache supported method
OIDs regardless of whether GSSAPI authentication is enabled in the
main section of sshd_config. This avoids sandbox violations if GSSAPI
authentication was later enabled in a Match block.
- sshd(8): do not fail closed when configured with a text key revocation
list that contains a too-short key.
- ssh(1): treat connections with ProxyJump specified the same as ones
with a ProxyCommand set with regards to hostname canonicalisation
(i.e. don't try to canonicalise the hostname unless
CanonicalizeHostname is set to 'always').
- ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key
authentication using certificates hosted in a ssh-agent(1) or against
sshd(8) from OpenSSH <7.8 (LP: #1790963).
- All: support building against the openssl-1.1 API (releases 1.1.0g and
later). The openssl-1.0 API will remain supported at least until
OpenSSL terminates security patch support for that API version
(closes: #828475).
- sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
apparently required by some glibc/OpenSSL combinations.
* Remove dh_builddeb override to use xz compression; this has been the
default since dpkg 1.17.0.
* Simplify debian/rules using /usr/share/dpkg/default.mk.
* Remove /etc/network/if-up.d/openssh-server, as it causes more problems
than it solves (thanks, Christian Ehrhardt, Andreas Hasenack, and David
Britton; closes: #789532, LP: #1037738, #1674330, #1718227). Add an
"if-up hook removed" section to README.Debian documenting the corner
case that may need configuration adjustments.
-- Colin Watson <email address hidden> Sun, 21 Oct 2018 10:39:24 +0100
-
openssh (1:7.8p1-1) unstable; urgency=medium
* New upstream release (https://www.openssh.com/txt/release-7.8, closes:
#907534):
- ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
supported in OpenSSH releases since 2014 and described in the
PROTOCOL.key file in the source distribution, offers substantially
better protection against offline password guessing and supports key
comments in private keys. If necessary, it is possible to write old
PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
generating or updating a key.
- sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
- ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
- sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for
these options).
- sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
- ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
a detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
- ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
<email address hidden>" and "<email address hidden>" to explicitly
force use of RSA/SHA2 signatures in authentication.
- sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
of environment variable names in addition to global "yes" or "no"
settings.
- sshd(8): Add a PermitListen directive to sshd_config(5) and a
corresponding permitlisten= authorized_keys option that control which
listen addresses and port numbers may be used by remote forwarding
(ssh -R ...).
- sshd(8): Add some countermeasures against timing attacks used for
account validation/enumeration. sshd will enforce a minimum time or
each failed authentication attempt consisting of a global 5ms minimum
plus an additional per-user 0-4ms delay derived from a host secret.
- sshd(8): Add a SetEnv directive to allow an administrator to
explicitly specify environment variables in sshd_config. Variables
set by SetEnv override the default and client-specified environment.
- ssh(1): Add a SetEnv directive to request that the server sets an
environment variable in the session. Similar to the existing SendEnv
option, these variables are set subject to server configuration.
- ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
previously marked for sending to the server (closes: #573316).
- ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
the username is available currently.
- ssh(1): Allow setting ProxyJump=none to disable ProxyJump
functionality.
- sshd(8): Avoid observable differences in request parsing that could be
used to determine whether a target user is valid.
- ssh(1)/sshd(8): Fix some memory leaks.
- ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
occur during key loading, manifesting as crash on some platforms.
- sshd_config(5): Clarify documentation for AuthenticationMethods
option.
- ssh(1): Ensure that the public key algorithm sent in a public key
SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
Previously, these could be inconsistent when a legacy or non-OpenSSH
ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
signature.
- sshd(8): Fix failures to read authorized_keys caused by faulty
supplemental group caching.
- scp(1): Apply umask to directories, fixing potential mkdir/chmod race
when copying directory trees.
- ssh-keygen(1): Return correct exit code when searching for and hashing
known_hosts entries in a single operation.
- ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
re-executing ssh for ProxyJump.
- sshd(8): Do not ban PTY allocation when a sshd session is restricted
because the user password is expired as it breaks password change
dialog.
- ssh(1)/sshd(8): Fix error reporting from select() failures.
- ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
-w implicitly sets Tunnel=point-to-point.
- ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
will no longer spin when its file descriptor limit is exceeded.
- ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
clients. Twisted Conch versions that lack a version number in their
identification strings will mishandle these messages when running on
Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
- sftp(1): Notify user immediately when underlying ssh process dies
expectedly.
- ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
- ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
fails to accept(2) a connection.
- ssh(1): Add some missing options in the configuration dump output (ssh
-G).
- sshd(8): Expose details of completed authentication to PAM auth
modules via SSH_AUTH_INFO_0 in the PAM environment.
* Switch debian/watch to HTTPS.
* Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
regression tests.
-- Colin Watson <email address hidden> Thu, 30 Aug 2018 15:35:27 +0100
-
openssh (1:7.7p1-4) unstable; urgency=high
* Apply upstream patch to delay bailout for invalid authenticating user
until after the packet containing the request has been fully parsed
(closes: #906236).
-- Colin Watson <email address hidden> Fri, 17 Aug 2018 14:09:32 +0100
-
openssh (1:7.7p1-3) unstable; urgency=medium
[ Colin Watson ]
* Adjust git-dpm tagging configuration.
* Remove no-longer-used Lintian overrides from openssh-server and ssh.
* Add Documentation keys to ssh-agent.service, ssh.service, and
ssh@.service.
[ Juri Grabowski ]
* Add rescue.target with ssh support.
[ Christian Ehrhardt ]
* Fix unintentional restriction of authorized keys environment options
to be alphanumeric (closes: #903474, LP: #1771011).
-- Colin Watson <email address hidden> Tue, 10 Jul 2018 16:07:16 +0100
-
openssh (1:7.7p1-2) unstable; urgency=medium
* Fix parsing of DebianBanner option (closes: #894730).
-- Colin Watson <email address hidden> Wed, 04 Apr 2018 00:47:29 +0100
-
openssh (1:7.6p1-4) unstable; urgency=medium
* Move VCS to salsa.debian.org.
* Add a preseeding-only openssh-server/password-authentication debconf
template that can be used to disable password authentication (closes:
#878945).
-- Colin Watson <email address hidden> Sat, 10 Feb 2018 02:31:46 +0000
-
openssh (1:7.6p1-3) unstable; urgency=medium
[ Colin Watson ]
* Remove the decade-old ssh-krb5 transitional package; upgrades of
openssh-server will preserve existing configuration, and new
installations should just enable GSSAPIAuthentication and
GSSAPIKeyExchange in sshd_config (closes: #878626).
* Support the "noudeb" build profile.
* Fix putty-transfer regression test.
[ Anders Kaseorg ]
* debian/systemd/ssh-agent.service: Add missing dbus dependency.
[ Jason Duerstock ]
* Add a "pkg.openssh.nognome" build profile, which disables building the
ssh-askpass-gnome binary package and avoids the build-dependency on
libgtk-3-dev (closes: #883819).
-- Colin Watson <email address hidden> Tue, 16 Jan 2018 17:41:08 +0000
-
openssh (1:7.6p1-2) unstable; urgency=medium
* Apply upstream patch to fix PermitOpen argument handling.
-- Colin Watson <email address hidden> Sat, 07 Oct 2017 13:44:13 +0100
-
openssh (1:7.5p1-10) unstable; urgency=medium
* Tell haveged to create the pid file we expect.
* Give up and use systemctl to start haveged if running under systemd;
this shouldn't be necessary, but I can't seem to get things working in
the Ubuntu autopkgtest environment otherwise.
-- Colin Watson <email address hidden> Fri, 01 Sep 2017 11:17:19 +0100
-
openssh (1:7.5p1-5) unstable; urgency=medium
* Upload to unstable.
* Fix syntax error in debian/copyright.
-- Colin Watson <email address hidden> Sun, 18 Jun 2017 12:08:42 +0100
-
openssh (1:7.4p1-10+deb9u4) stretch-security; urgency=high
* Non-maintainer upload by the Security Team
* CVE-2018-15473: fix username enumeration issue, initially reported
by Dariusz Tytko and Michal Sajdak (Closes: #906236)
-- Sebastien Delafond <email address hidden> Tue, 21 Aug 2018 05:14:18 +0200
-
openssh (1:7.4p1-10+deb9u3) stretch; urgency=medium
* CVE-2017-15906: sftp-server(8): In read-only mode, sftp-server was
incorrectly permitting creation of zero-length files. Reported by Michal
Zalewski.
-- Colin Watson <email address hidden> Thu, 01 Mar 2018 15:17:53 +0000
-
openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
* Test configuration before starting or reloading sshd under systemd
(closes: #865770).
* Adjust compatibility patterns for WinSCP to correctly identify versions
that implement only the legacy DH group exchange scheme (closes:
#877800).
* Make "--" before the hostname terminate argument processing after the
hostname too (closes: #873201).
-- Colin Watson <email address hidden> Sat, 18 Nov 2017 09:37:22 +0000
-
openssh (1:7.4p1-10+deb9u1) stretch; urgency=medium
* Fix incoming compression statistics (thanks, Russell Coker; closes:
#797964).
-- Colin Watson <email address hidden> Sun, 18 Jun 2017 01:11:26 +0100
-
openssh (1:7.4p1-10) unstable; urgency=medium
* Move privilege separation directory and PID file from /var/run/ to /run/
(closes: #760422, #856825).
* Unbreak Unix domain socket forwarding for root (closes: #858252).
-- Colin Watson <email address hidden> Thu, 30 Mar 2017 11:19:04 +0100