Format: 1.8
Date: Sun, 07 Jun 2020 13:44:04 +0100
Source: openssh
Binary: openssh-client openssh-client-udeb openssh-server openssh-server-udeb openssh-sftp-server openssh-tests ssh-askpass-gnome
Architecture: arm64 arm64_translations
Version: 1:8.3p1-1
Distribution: groovy-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 932071 962035
Launchpad-Bugs-Fixed: 1876320
Changes:
 openssh (1:8.3p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.3):
     - [SECURITY] scp(1): when receiving files, scp(1) could become
       desynchronised if a utimes(2) system call failed. This could allow
       file contents to be interpreted as file metadata and thereby permit
       an adversary to craft a file system that, when copied with scp(1) in
       a configuration that caused utimes(2) to fail (e.g. under a SELinux
       policy or syscall sandbox), transferred different file names and
       contents to the actual file system layout.
     - sftp(1): reject an argument of "-1" in the same way as ssh(1) and
       scp(1) do instead of accepting and silently ignoring it.
     - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
       rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
       allow .shosts files but not .rhosts.
     - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
       sshd_config, not just before any Match blocks.
     - ssh(1): add %TOKEN percent expansion for the LocalForward and
       RemoteForward keywords when used for Unix domain socket forwarding.
     - all: allow loading public keys from the unencrypted envelope of a
       private key file if no corresponding public key file is present.
     - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
       possible instead of the (slower) portable C implementation included
       in OpenSSH.
     - ssh-keygen(1): add ability to dump the contents of a binary key
       revocation list via "ssh-keygen -lQf /path".
     - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
       PKCS11Provider.
     - ssh-keygen(1): avoid NULL dereference when trying to convert an
       invalid RFC4716 private key.
     - scp(1): when performing remote-to-remote copies using "scp -3",
       start the second ssh(1) channel with BatchMode=yes enabled to avoid
       confusing and non-deterministic ordering of prompts.
     - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
       perform hashing of the message to be signed in the middleware layer
       rather than in OpenSSH code. This permits the use of security key
       middlewares that perform the hashing implicitly, such as Windows
       Hello.
     - ssh(1): fix incorrect error message for "too many known hosts
       files."
     - ssh(1): make failures when establishing "Tunnel" forwarding
       terminate the connection when ExitOnForwardFailure is enabled.
     - ssh-keygen(1): fix printing of fingerprints on private keys and add
       a regression test for same.
     - sshd(8): document order of checking AuthorizedKeysFile (first) and
       AuthorizedKeysCommand (subsequently, if the file doesn't match).
     - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
       not considered for HostbasedAuthentication when the target user is
       root.
     - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
       key parsing.
     - ssh(1), sshd(8): more consistency between sets of %TOKENS are
       accepted in various configuration options.
     - ssh(1), ssh-keygen(1): improve error messages for some common
       PKCS#11 C_Login failure cases.
     - ssh(1), sshd(8): make error messages for problems during SSH banner
       exchange consistent with other SSH transport-layer error messages
       and ensure they include the relevant IP addresses.
     - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from
       a token, don't prompt for a PIN until the token has told us that it
       needs one. Avoids double-prompting on devices that implement
       on-device authentication (closes: #932071).
     - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
       should be an extension, not a critical option.
     - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
       trying to use a FIDO key function and SecurityKeyProvider is empty.
     - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
       values allowed by the wire format (u32). Prevents integer wraparound
       of the timeout values.
     - ssh(1): detect and prevent trivial configuration loops when using
       ProxyJump. bz#3057.
     - On platforms that do not support setting process-wide routing
       domains (all excepting OpenBSD at present), fail to accept a
       configuration attempts to set one at process start time rather than
       fatally erroring at run time.
     - Fix theoretical infinite loop in the glob(3) replacement
       implementation.
   * Update GSSAPI key exchange patch from
     https://github.com/openssh-gsskex/openssh-gsskex:
     - Fix connection through ProxyJump in combination with
       "GSSAPITrustDNS yes".
     - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
       was published.
   * Fix or suppress various shellcheck errors under debian/.
   * Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
   * Apply upstream patch to fix the handling of Port directives after
     Include (closes: #962035, LP: #1876320).