-
openssh (1:9.0p1-1ubuntu8.7) lunar-security; urgency=medium
* SECURITY UPDATE: incomplete PKCS#11 destination constraints
- debian/patches/CVE-2023-51384.patch: apply destination constraints to
all p11 keys in ssh-agent.c.
- CVE-2023-51384
* SECURITY UPDATE: command injection via shell metacharacters
- debian/patches/CVE-2023-51385.patch: ban user/hostnames with most
shell metacharacters in ssh.c.
- CVE-2023-51385
-- Marc Deslauriers <email address hidden> Tue, 02 Jan 2024 11:45:12 -0500
-
openssh (1:9.0p1-1ubuntu8.6) lunar-security; urgency=medium
* SECURITY UPDATE: Prefix truncation attack on BPP
- debian/patches/CVE-2023-48795.patch: implement "strict key exchange"
in PROTOCOL, kex.c, kex.h, packet.c, sshconnect2.c, sshd.c.
- CVE-2023-48795
* SECURITY UPDATE: smartcard constraints not added to agent
- debian/patches/CVE-2023-28531.patch: include destination constraints
for smartcard keys too in authfd.c.
- CVE-2023-28531
-- Marc Deslauriers <email address hidden> Mon, 18 Dec 2023 11:00:34 -0500
-
openssh (1:9.0p1-1ubuntu8.5) lunar; urgency=medium
* d/p/fix-authorized-principals-command.patch: Fix the situation where
sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
is also set by checking if the value pointed to by the pointer
'charptr' is NULL. (LP: #2031942)
-- Michal Maloszewski <email address hidden> Thu, 24 Aug 2023 15:52:47 +0200
-
openssh (1:9.0p1-1ubuntu8.4) lunar-security; urgency=medium
* SECURITY UPDATE: remote code execution relating to PKCS#11 providers
- debian/patches/CVE-2023-38408-1.patch: terminate process if requested
to load a PKCS#11 provider that isn't a PKCS#11 provider in
ssh-pkcs11.c.
- debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
- debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
- CVE-2023-38408
-- Marc Deslauriers <email address hidden> Wed, 19 Jul 2023 15:40:25 -0400
-
openssh (1:9.0p1-1ubuntu8.2) lunar; urgency=medium
* debian/patches/systemd-socket-activation.patch: do not leak sockets in
child process. Follow-up fix for LP: #2011458.
-- Nick Rosbrook <email address hidden> Fri, 26 May 2023 10:44:48 -0400
-
openssh (1:9.0p1-1ubuntu8.1) lunar; urgency=medium
* debian/patches/systemd-socket-activation.patch: Fix re-execution behavior
(LP: #2011458):
- Remove FD_CLOEXEC on fds passed by systemd to prevent automatic closing
when sshd re-executes.
- Do not manually close fds passed by systemd when re-executing.
- Only call sd_listen_fds() once, and only in the parent process.
- Check the LISTEN_FDS environment variable to get the number of fds
passed by systemd when re-executing as a child process.
* debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
activation functionality.
-- Nick Rosbrook <email address hidden> Fri, 31 Mar 2023 12:44:32 -0400
-
openssh (1:9.0p1-1ubuntu8) lunar; urgency=medium
* debian/openssh-server.postinst: Fix handling of ListenAddress when a port
is specified (LP: #1993478):
- Strip port before converting hostnames to numerical addresses.
- Only append ports when the ListenAddress does not already specify a
port.
- Revert socket migration on upgrade if a previous version did the
migration when it should not have.
* debian/openssh-server.postinst: Ignore empty directory failure from rmdir
when skipping socket migration (LP: #1995294).
-- Nick Rosbrook <email address hidden> Tue, 25 Oct 2022 11:57:43 -0400
-
openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium
* Update list of stock sshd_config checksums to include those from
jammy and kinetic.
* Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
avoid spurious ucf prompts on upgrade.
* Move /run/sshd creation out of the systemd unit to a tmpfile config
so that sshd can be run manually if necessary without having to create
this directory by hand. LP: #1991283.
[ Nick Rosbrook ]
* debian/openssh-server.postinst: Fix addresses.conf generation when only
non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).
-- Steve Langasek <email address hidden> Mon, 26 Sep 2022 21:55:14 +0000