diff options
| author | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-10-05 23:58:12 +0100 |
| commit | 0556ea972b15607b7e13ff31bc05840881c91dd3 (patch) | |
| tree | d6b8d48062d0278b5ae0eeff42d0e9afa9f26860 /debian/changelog | |
| parent | db2122d97eb1ecdd8d99b7bf79b0dd2b5addfd92 (diff) | |
| parent | 801a62eedaaf47b20dbf4b426dc3e084bf0c8d49 (diff) | |
New upstream release (7.6p1)
Diffstat (limited to 'debian/changelog')
| -rw-r--r-- | debian/changelog | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index baa28dff7..14eeaedd8 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,3 +1,106 @@ | |||
| 1 | openssh (1:7.6p1-1) UNRELEASED; urgency=medium | ||
| 2 | |||
| 3 | * New upstream release (https://www.openssh.com/txt/release-7.6): | ||
| 4 | - SECURITY: sftp-server(8): In read-only mode, sftp-server was | ||
| 5 | incorrectly permitting creation of zero-length files. Reported by | ||
| 6 | Michal Zalewski. | ||
| 7 | - ssh(1): Delete SSH protocol version 1 support, associated | ||
| 8 | configuration options and documentation (LP: #1584321). | ||
| 9 | - ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC. | ||
| 10 | - ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST | ||
| 11 | ciphers. | ||
| 12 | - Refuse RSA keys <1024 bits in length and improve reporting for keys | ||
| 13 | that do not meet this requirement. | ||
| 14 | - ssh(1): Do not offer CBC ciphers by default. | ||
| 15 | - ssh(1): Add RemoteCommand option to specify a command in the ssh | ||
| 16 | config file instead of giving it on the client's command line. This | ||
| 17 | allows the configuration file to specify the command that will be | ||
| 18 | executed on the remote host. | ||
| 19 | - sshd(8): Add ExposeAuthInfo option that enables writing details of the | ||
| 20 | authentication methods used (including public keys where applicable) | ||
| 21 | to a file that is exposed via a $SSH_USER_AUTH environment variable in | ||
| 22 | the subsequent session. | ||
| 23 | - ssh(1): Add support for reverse dynamic forwarding. In this mode, ssh | ||
| 24 | will act as a SOCKS4/5 proxy and forward connections to destinations | ||
| 25 | requested by the remote SOCKS client. This mode is requested using | ||
| 26 | extended syntax for the -R and RemoteForward options and, because it | ||
| 27 | is implemented solely at the client, does not require the server be | ||
| 28 | updated to be supported. | ||
| 29 | - sshd(8): Allow LogLevel directive in sshd_config Match blocks. | ||
| 30 | - ssh-keygen(1): Allow inclusion of arbitrary string or flag certificate | ||
| 31 | extensions and critical options. | ||
| 32 | - ssh-keygen(1): Allow ssh-keygen to use a key held in ssh-agent as a CA | ||
| 33 | when signing certificates. | ||
| 34 | - ssh(1)/sshd(8): Allow IPQoS=none in ssh/sshd to not set an explicit | ||
| 35 | ToS/DSCP value and just use the operating system default. | ||
| 36 | - ssh-add(1): Add -q option to make ssh-add quiet on success. | ||
| 37 | - ssh(1): Expand the StrictHostKeyChecking option with two new settings. | ||
| 38 | The first "accept-new" will automatically accept hitherto-unseen keys | ||
| 39 | but will refuse connections for changed or invalid hostkeys. This is | ||
| 40 | a safer subset of the current behaviour of StrictHostKeyChecking=no. | ||
| 41 | The second setting "off", is a synonym for the current behaviour of | ||
| 42 | StrictHostKeyChecking=no: accept new host keys, and continue | ||
| 43 | connection for hosts with incorrect hostkeys. A future release will | ||
| 44 | change the meaning of StrictHostKeyChecking=no to the behaviour of | ||
| 45 | "accept-new". | ||
| 46 | - ssh(1): Add SyslogFacility option to ssh(1) matching the equivalent | ||
| 47 | option in sshd(8). | ||
| 48 | - ssh(1): Use HostKeyAlias if specified instead of hostname for matching | ||
| 49 | host certificate principal names. | ||
| 50 | - sftp(1): Implement sorting for globbed ls. | ||
| 51 | - ssh(1): Add a user@host prefix to client's "Permission denied" | ||
| 52 | messages, useful in particular when using "stacked" connections (e.g. | ||
| 53 | ssh -J) where it's not clear which host is denying. | ||
| 54 | - ssh(1): Accept unknown EXT_INFO extension values that contain \0 | ||
| 55 | characters. These are legal, but would previously cause fatal | ||
| 56 | connection errors if received. | ||
| 57 | - sftp(1): Print '?' instead of incorrect link count (that the protocol | ||
| 58 | doesn't provide) for remote listings. | ||
| 59 | - ssh(1): Return failure rather than fatal() for more cases during | ||
| 60 | session multiplexing negotiations. Causes the session to fall back to | ||
| 61 | a non-mux connection if they occur. | ||
| 62 | - ssh(1): Mention that the server may send debug messages to explain | ||
| 63 | public key authentication problems under some circumstances. | ||
| 64 | - Translate OpenSSL error codes to better report incorrect passphrase | ||
| 65 | errors when loading private keys. | ||
| 66 | - sshd(8): Adjust compatibility patterns for WinSCP to correctly | ||
| 67 | identify versions that implement only the legacy DH group exchange | ||
| 68 | scheme (closes: #877800). | ||
| 69 | - ssh(1): Print the "Killed by signal 1" message only at LogLevel | ||
| 70 | verbose so that it is not shown at the default level; prevents it from | ||
| 71 | appearing during ssh -J and equivalent ProxyCommand configs. | ||
| 72 | - ssh-keygen(1): When generating all hostkeys (ssh-keygen -A), clobber | ||
| 73 | existing keys if they exist but are zero length. Zero-length keys | ||
| 74 | could previously be made if ssh-keygen failed or was interrupted part | ||
| 75 | way through generating them. | ||
| 76 | - ssh-keyscan(1): Avoid double-close() on file descriptors. | ||
| 77 | - sshd(8): Avoid reliance on shared use of pointers shared between | ||
| 78 | monitor and child sshd processes. | ||
| 79 | - sshd_config(8): Document available AuthenticationMethods. | ||
| 80 | - ssh(1): Avoid truncation in some login prompts. | ||
| 81 | - ssh(1): Make "--" before the hostname terminate argument processing | ||
| 82 | after the hostname too (closes: #873201). | ||
| 83 | - ssh-keygen(1): Switch from aes256-cbc to aes256-ctr for encrypting | ||
| 84 | new-style private keys. | ||
| 85 | - ssh(1): Warn and do not attempt to use keys when the public and | ||
| 86 | private halves do not match. | ||
| 87 | - sftp(1): Don't print verbose error message when ssh disconnects from | ||
| 88 | under sftp. | ||
| 89 | - sshd(8): Fix keepalive scheduling problem: prevent activity on a | ||
| 90 | forwarded port from preventing the keepalive from being sent. | ||
| 91 | - sshd(8): When started without root privileges, don't require the | ||
| 92 | privilege separation user or path to exist. | ||
| 93 | - ssh(1)/sshd(8): Correctness fix for channels implementation: accept | ||
| 94 | channel IDs greater than 0x7FFFFFFF. | ||
| 95 | - sshd(8): Expose list of completed authentication methods to PAM via | ||
| 96 | the SSH_AUTH_INFO_0 PAM environment variable. | ||
| 97 | - ssh(1)/sshd(8): Fix several problems in the tun/tap forwarding code, | ||
| 98 | mostly to do with host/network byte order confusion. | ||
| 99 | - sshd(8): Avoid Linux seccomp violations on ppc64le over the socketcall | ||
| 100 | syscall. | ||
| 101 | |||
| 102 | -- Colin Watson <cjwatson@debian.org> Wed, 04 Oct 2017 12:34:34 +0100 | ||
| 103 | |||
| 1 | openssh (1:7.5p1-10) unstable; urgency=medium | 104 | openssh (1:7.5p1-10) unstable; urgency=medium |
| 2 | 105 | ||
| 3 | * Tell haveged to create the pid file we expect. | 106 | * Tell haveged to create the pid file we expect. |