diff options
| author | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
| commit | c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch) | |
| tree | b72c0867348e7e7914d64af6fc5e25c728922e03 /debian/changelog | |
| parent | 6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff) | |
| parent | 70847d299887abb96f8703ca99db6d817b78960e (diff) | |
* New upstream release (closes: #453367).
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
creation of an untrusted cookie fails; found and fixed by Jan Pechanec
(closes: #444738).
- sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
installations are unchanged.
- The SSH channel window size has been increased, and both ssh(1)
sshd(8) now send window updates more aggressively. These improves
performance on high-BDP (Bandwidth Delay Product) networks.
- ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
- A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"umac-64@openssh.com". UMAC-64 has been measured to be approximately
20% faster than HMAC-MD5.
- Failure to establish a ssh(1) TunnelForward is now treated as a fatal
error when the ExitOnForwardFailure option is set.
- ssh(1) returns a sensible exit status if the control master goes away
without passing the full exit status.
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work.
- Make scp(1) skip FIFOs rather than hanging (closes: #246774).
- Encode non-printing characters in scp(1) filenames. These could cause
copies to be aborted with a "protocol error".
- Handle SIGINT in sshd(8) privilege separation child process to ensure
that wtmp and lastlog records are correctly updated.
- Report GSSAPI mechanism in errors, for libraries that support multiple
mechanisms.
- Improve documentation for ssh-add(1)'s -d option.
- Rearrange and tidy GSSAPI code, removing server-only code being linked
into the client.
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established.
- In scp(1), do not truncate non-regular files.
- Improve exit message from ControlMaster clients.
- Prevent sftp-server(8) from reading until it runs out of buffer space,
whereupon it would exit with a fatal error (closes: #365541).
- pam_end() was not being called if authentication failed
(closes: #405041).
- Manual page datestamps updated (closes: #433181).
Diffstat (limited to 'debian/changelog')
| -rw-r--r-- | debian/changelog | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 43dc83046..a027912ca 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,3 +1,48 @@ | |||
| 1 | openssh (1:4.7p1-1) UNRELEASED; urgency=low | ||
| 2 | |||
| 3 | * New upstream release (closes: #453367). | ||
| 4 | - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if | ||
| 5 | creation of an untrusted cookie fails; found and fixed by Jan Pechanec | ||
| 6 | (closes: #444738). | ||
| 7 | - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing | ||
| 8 | installations are unchanged. | ||
| 9 | - The SSH channel window size has been increased, and both ssh(1) | ||
| 10 | sshd(8) now send window updates more aggressively. These improves | ||
| 11 | performance on high-BDP (Bandwidth Delay Product) networks. | ||
| 12 | - ssh(1) and sshd(8) now preserve MAC contexts between packets, which | ||
| 13 | saves 2 hash calls per packet and results in 12-16% speedup for | ||
| 14 | arcfour256/hmac-md5. | ||
| 15 | - A new MAC algorithm has been added, UMAC-64 (RFC4418) as | ||
| 16 | "umac-64@openssh.com". UMAC-64 has been measured to be approximately | ||
| 17 | 20% faster than HMAC-MD5. | ||
| 18 | - Failure to establish a ssh(1) TunnelForward is now treated as a fatal | ||
| 19 | error when the ExitOnForwardFailure option is set. | ||
| 20 | - ssh(1) returns a sensible exit status if the control master goes away | ||
| 21 | without passing the full exit status. | ||
| 22 | - When using a ProxyCommand in ssh(1), set the outgoing hostname with | ||
| 23 | gethostname(2), allowing hostbased authentication to work. | ||
| 24 | - Make scp(1) skip FIFOs rather than hanging (closes: #246774). | ||
| 25 | - Encode non-printing characters in scp(1) filenames. These could cause | ||
| 26 | copies to be aborted with a "protocol error". | ||
| 27 | - Handle SIGINT in sshd(8) privilege separation child process to ensure | ||
| 28 | that wtmp and lastlog records are correctly updated. | ||
| 29 | - Report GSSAPI mechanism in errors, for libraries that support multiple | ||
| 30 | mechanisms. | ||
| 31 | - Improve documentation for ssh-add(1)'s -d option. | ||
| 32 | - Rearrange and tidy GSSAPI code, removing server-only code being linked | ||
| 33 | into the client. | ||
| 34 | - Delay execution of ssh(1)'s LocalCommand until after all forwardings | ||
| 35 | have been established. | ||
| 36 | - In scp(1), do not truncate non-regular files. | ||
| 37 | - Improve exit message from ControlMaster clients. | ||
| 38 | - Prevent sftp-server(8) from reading until it runs out of buffer space, | ||
| 39 | whereupon it would exit with a fatal error (closes: #365541). | ||
| 40 | - pam_end() was not being called if authentication failed | ||
| 41 | (closes: #405041). | ||
| 42 | - Manual page datestamps updated (closes: #433181). | ||
| 43 | |||
| 44 | -- Colin Watson <cjwatson@debian.org> Sun, 23 Dec 2007 12:53:46 +0000 | ||
| 45 | |||
| 1 | openssh (1:4.6p1-7) unstable; urgency=low | 46 | openssh (1:4.6p1-7) unstable; urgency=low |
| 2 | 47 | ||
| 3 | * Don't build PIE executables on m68k (closes: #451192). | 48 | * Don't build PIE executables on m68k (closes: #451192). |