Change logs for openssh source package in Bionic

  • openssh (1:7.6p1-4ubuntu0.3) bionic-security; urgency=medium
      * SECURITY UPDATE: Incomplete fix for CVE-2019-6111
        - debian/patches/CVE-2019-6111-2.patch: add another fix to the filename
          check in scp.c.
        - CVE-2019-6111
      * Fixed inverted CVE numbers in patch filenames and in previous
     -- Marc Deslauriers <email address hidden>  Mon, 04 Mar 2019 07:17:51 -0500
  • openssh (1:7.6p1-4ubuntu0.2) bionic-security; urgency=medium
      * SECURITY UPDATE: access restrictions bypass in scp
        - debian/patches/CVE-2018-20685.patch: disallow empty filenames
          or ones that refer to the current directory in scp.c.
        - CVE-2018-20685
      * SECURITY UPDATE: scp client spoofing via object name
        - debian/patches/CVE-2019-6109.patch: make sure the filenames match
          the wildcard specified by the user, and add new flag to relax the new
          restrictions in scp.c, scp.1.
        - CVE-2019-6109
      * SECURITY UPDATE: scp client missing received object name validation
        - debian/patches/CVE-2019-6111-1.patch: sanitize scp filenames via
          snmprintf in atomicio.c, progressmeter.c, progressmeter.h,
          scp.c, sftp-client.c.
        - debian/patches/CVE-2019-6111-2.patch: force progressmeter updates in
          progressmeter.c, progressmeter.h, scp.c, sftp-client.c.
        - CVE-2019-6111
     -- Marc Deslauriers <email address hidden>  Thu, 31 Jan 2019 08:58:34 -0500
  • openssh (1:7.6p1-4ubuntu0.1) bionic-security; urgency=medium
      [ Ryan Finnie ]
      * SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
        - debian/patches/CVE-2018-15473.patch: delay bailout for invalid
          authenticating user until after the packet containing the request
          has been fully parsed.
        - CVE-2018-15473
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 05 Nov 2018 08:51:29 -0300
  • openssh (1:7.6p1-4) unstable; urgency=medium
      * Move VCS to
      * Add a preseeding-only openssh-server/password-authentication debconf
        template that can be used to disable password authentication (closes:
     -- Colin Watson <email address hidden>  Sat, 10 Feb 2018 02:31:46 +0000
  • openssh (1:7.6p1-3) unstable; urgency=medium
      [ Colin Watson ]
      * Remove the decade-old ssh-krb5 transitional package; upgrades of
        openssh-server will preserve existing configuration, and new
        installations should just enable GSSAPIAuthentication and
        GSSAPIKeyExchange in sshd_config (closes: #878626).
      * Support the "noudeb" build profile.
      * Fix putty-transfer regression test.
      [ Anders Kaseorg ]
      * debian/systemd/ssh-agent.service: Add missing dbus dependency.
      [ Jason Duerstock ]
      * Add a "pkg.openssh.nognome" build profile, which disables building the
        ssh-askpass-gnome binary package and avoids the build-dependency on
        libgtk-3-dev (closes: #883819).
     -- Colin Watson <email address hidden>  Tue, 16 Jan 2018 17:41:08 +0000
  • openssh (1:7.6p1-2) unstable; urgency=medium
      * Apply upstream patch to fix PermitOpen argument handling.
     -- Colin Watson <email address hidden>  Sat, 07 Oct 2017 13:44:13 +0100
  • openssh (1:7.5p1-10) unstable; urgency=medium
      * Tell haveged to create the pid file we expect.
      * Give up and use systemctl to start haveged if running under systemd;
        this shouldn't be necessary, but I can't seem to get things working in
        the Ubuntu autopkgtest environment otherwise.
     -- Colin Watson <email address hidden>  Fri, 01 Sep 2017 11:17:19 +0100