| author | Colin Watson <cjwatson@debian.org> | 2020-06-07 10:19:24 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2020-06-07 11:03:12 +0100 |
| commit | 30337f8b66c66af6b368d1e3c789e75f1247176c (patch) | |
| tree | 17e0b8652fea31c04faa19ffc4cd088552ee473a /debian/changelog | |
| parent | aef2be11c5ea90bc66e774923e6570213e54c195 (diff) | |
| parent | 39b8d128ef980a410bb1ea0ee80e95ac9fff59c3 (diff) | |
New upstream release (8.3p1)
Also update GSSAPI key exchange patch from
https://github.com/openssh-gsskex/openssh-gsskex.
Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 84 |
1 files changed, 81 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 69cbf0b4e..ab75bf2a7 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,8 +1,86 @@ | |||
1 | openssh (1:8.2p1-5) UNRELEASED; urgency=medium | 1 | openssh (1:8.3p1-1) UNRELEASED; urgency=medium |
2 | 2 | ||
3 | * Fix or suppress various shellcheck errors under debian/. | 3 | * Fix or suppress various shellcheck errors under debian/. |
4 | 4 | * New upstream release (https://www.openssh.com/txt/release-8.3): | |
5 | -- Colin Watson <cjwatson@debian.org> Sat, 23 May 2020 12:46:19 +0100 | 5 | - [SECURITY] scp(1): when receiving files, scp(1) could become |
6 | desynchronised if a utimes(2) system call failed. This could allow | ||
7 | file contents to be interpreted as file metadata and thereby permit an | ||
8 | adversary to craft a file system that, when copied with scp(1) in a | ||
9 | configuration that caused utimes(2) to fail (e.g. under a SELinux | ||
10 | policy or syscall sandbox), transferred different file names and | ||
11 | contents to the actual file system layout. | ||
12 | - sftp(1): reject an argument of "-1" in the same way as ssh(1) and | ||
13 | scp(1) do instead of accepting and silently ignoring it. | ||
14 | - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore | ||
15 | rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to | ||
16 | allow .shosts files but not .rhosts. | ||
17 | - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a | ||
18 | sshd_config, not just before any Match blocks. | ||
19 | - ssh(1): add %TOKEN percent expansion for the LocalForward and | ||
20 | RemoteForward keywords when used for Unix domain socket forwarding. | ||
21 | - all: allow loading public keys from the unencrypted envelope of a | ||
22 | private key file if no corresponding public key file is present. | ||
23 | - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible | ||
24 | instead of the (slower) portable C implementation included in OpenSSH. | ||
25 | - ssh-keygen(1): add ability to dump the contents of a binary key | ||
26 | revocation list via "ssh-keygen -lQf /path". | ||
27 | - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a | ||
28 | PKCS11Provider. | ||
29 | - ssh-keygen(1): avoid NULL dereference when trying to convert an | ||
30 | invalid RFC4716 private key. | ||
31 | - scp(1): when performing remote-to-remote copies using "scp -3", start | ||
32 | the second ssh(1) channel with BatchMode=yes enabled to avoid | ||
33 | confusing and non-deterministic ordering of prompts. | ||
34 | - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token, | ||
35 | perform hashing of the message to be signed in the middleware layer | ||
36 | rather than in OpenSSH code. This permits the use of security key | ||
37 | middlewares that perform the hashing implicitly, such as Windows | ||
38 | Hello. | ||
39 | - ssh(1): fix incorrect error message for "too many known hosts files." | ||
40 | - ssh(1): make failures when establishing "Tunnel" forwarding terminate | ||
41 | the connection when ExitOnForwardFailure is enabled. | ||
42 | - ssh-keygen(1): fix printing of fingerprints on private keys and add a | ||
43 | regression test for same. | ||
44 | - sshd(8): document order of checking AuthorizedKeysFile (first) and | ||
45 | AuthorizedKeysCommand (subsequently, if the file doesn't match). | ||
46 | - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not | ||
47 | considered for HostbasedAuthentication when the target user is root. | ||
48 | - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key | ||
49 | parsing. | ||
50 | - ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted | ||
51 | in various configuration options. | ||
52 | - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11 | ||
53 | C_Login failure cases. | ||
54 | - ssh(1), sshd(8): make error messages for problems during SSH banner | ||
55 | exchange consistent with other SSH transport-layer error messages and | ||
56 | ensure they include the relevant IP addresses. | ||
57 | - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a | ||
58 | token, don't prompt for a PIN until the token has told us that it | ||
59 | needs one. Avoids double-prompting on devices that implement | ||
60 | on-device authentication (closes: #932071). | ||
61 | - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option | ||
62 | should be an extension, not a critical option. | ||
63 | - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when | ||
64 | trying to use a FIDO key function and SecurityKeyProvider is empty. | ||
65 | - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the | ||
66 | values allowed by the wire format (u32). Prevents integer wraparound | ||
67 | of the timeout values. | ||
68 | - ssh(1): detect and prevent trivial configuration loops when using | ||
69 | ProxyJump. bz#3057. | ||
70 | - On platforms that do not support setting process-wide routing domains | ||
71 | (all excepting OpenBSD at present), fail to accept a configuration | ||
72 | attempts to set one at process start time rather than fatally erroring | ||
73 | at run time. | ||
74 | - Fix theoretical infinite loop in the glob(3) replacement | ||
75 | implementation. | ||
76 | * Update GSSAPI key exchange patch from | ||
77 | https://github.com/openssh-gsskex/openssh-gsskex: | ||
78 | - Fix connection through ProxyJump in combination with "GSSAPITrustDNS | ||
79 | yes". | ||
80 | - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732 | ||
81 | was published. | ||
82 | |||
83 | -- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 10:25:54 +0100 | ||
6 | 84 | ||
7 | openssh (1:8.2p1-4) unstable; urgency=medium | 85 | openssh (1:8.2p1-4) unstable; urgency=medium |
8 | 86 | ||
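Review bot: the [SECURITY] scp(1) utimes(2) desynchronisation item (new lines 5-11) carries no CVE or Debian bug reference, unlike the FIDO PIN item ("closes: #932071", new line 60) and the ProxyJump loop item ("bz#3057", new line 69); if an identifier exists or is assigned later, add it to that entry so the fix can be tracked against this upload. Two sentences copied from the upstream release notes also read badly and are worth smoothing before release: "more consistency between sets of %TOKENS are accepted in various configuration options" (new lines 50-51), and "fail to accept a configuration attempts to set one at process start time" (new lines 71-72), which is missing "that" before "attempts".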