author | Colin Watson <cjwatson@debian.org> | 2015-08-19 14:23:51 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 16:48:11 +0100 |
commit | 0f0841b2d28b7463267d4d91577e72e3340a1d3a (patch) | |
tree | ba55fcd2b6e2cc22b30f5afb561dbb3da4c8b6c7 /debian/changelog | |
parent | f2a5f5dae656759efb0b76c3d94890b65c197a02 (diff) | |
parent | 8698446b972003b63dfe5dcbdb86acfe986afb85 (diff) |
New upstream release (6.8p1).
Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 29fd1f72b..4363b82ef 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,71 @@ | |||
1 | openssh (1:6.8p1-1) UNRELEASED; urgency=medium | ||
2 | |||
3 | * New upstream release (http://www.openssh.com/txt/release-6.8): | ||
4 | - sshd(8): UseDNS now defaults to 'no'. Configurations that match | ||
5 | against the client host name (via sshd_config or authorized_keys) may | ||
6 | need to re-enable it or convert to matching against addresses. | ||
7 | - Add FingerprintHash option to ssh(1) and sshd(8), and equivalent | ||
8 | command-line flags to the other tools to control algorithm used for | ||
9 | key fingerprints. The default changes from MD5 to SHA256 and format | ||
10 | from hex to base64. | ||
11 | Fingerprints now have the hash algorithm prepended. An example of the | ||
12 | new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE | ||
13 | Please note that visual host keys will also be different. | ||
14 | - ssh(1), sshd(8): Experimental host key rotation support. Add a | ||
15 | protocol extension for a server to inform a client of all its | ||
16 | available host keys after authentication has completed. The client | ||
17 | may record the keys in known_hosts, allowing it to upgrade to better | ||
18 | host key algorithms and a server to gracefully rotate its keys. | ||
19 | The client side of this is controlled by a UpdateHostkeys config | ||
20 | option (default off). | ||
21 | - ssh(1): Add a ssh_config HostbasedKeyType option to control which host | ||
22 | public key types are tried during host-based authentication. | ||
23 | - ssh(1), sshd(8): Fix connection-killing host key mismatch errors when | ||
24 | sshd offers multiple ECDSA keys of different lengths. | ||
25 | - ssh(1): When host name canonicalisation is enabled, try to parse host | ||
26 | names as addresses before looking them up for canonicalisation. Fixes | ||
27 | bz#2074 and avoids needless DNS lookups in some cases. | ||
28 | - ssh(1), ssh-keysign(8): Make ed25519 keys work for host based | ||
29 | authentication. | ||
30 | - sshd(8): SSH protocol v.1 workaround for the Meyer, et al, | ||
31 | Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA | ||
32 | decryption. | ||
33 | - sshd(8): Remember which public keys have been used for authentication | ||
34 | and refuse to accept previously-used keys. This allows | ||
35 | AuthenticationMethods=publickey,publickey to require that users | ||
36 | authenticate using two _different_ public keys. | ||
37 | - sshd(8): add sshd_config HostbasedAcceptedKeyTypes and | ||
38 | PubkeyAcceptedKeyTypes options to allow sshd to control what public | ||
39 | key types will be accepted (closes: #481133). Currently defaults to | ||
40 | all. | ||
41 | - sshd(8): Don't count partial authentication success as a failure | ||
42 | against MaxAuthTries. | ||
43 | - ssh(1): Add RevokedHostKeys option for the client to allow text-file | ||
44 | or KRL-based revocation of host keys. | ||
45 | - ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial | ||
46 | number or key ID without scoping to a particular CA. | ||
47 | - ssh(1): Add a "Match canonical" criteria that allows ssh_config Match | ||
48 | blocks to trigger only in the second config pass. | ||
49 | - ssh(1): Add a -G option to ssh that causes it to parse its | ||
50 | configuration and dump the result to stdout, similar to "sshd -T". | ||
51 | - ssh(1): Allow Match criteria to be negated. E.g. "Match !host". | ||
52 | - ssh-keyscan(1): ssh-keyscan has been made much more robust against | ||
53 | servers that hang or violate the SSH protocol (closes: #241119). | ||
54 | - ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were | ||
55 | being lost as comment fields (closes: #787776). | ||
56 | - ssh(1): Allow ssh_config Port options set in the second config parse | ||
57 | phase to be applied (they were being ignored; closes: #774369). | ||
58 | - ssh(1): Tweak config re-parsing with host canonicalisation - make the | ||
59 | second pass through the config files always run when host name | ||
60 | canonicalisation is enabled (and not whenever the host name changes) | ||
61 | - ssh(1): Fix passing of wildcard forward bind addresses when connection | ||
62 | multiplexing is in use. | ||
63 | - ssh-keygen(1): Fix broken private key conversion from non-OpenSSH | ||
64 | formats. | ||
65 | - ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use. | ||
66 | |||
67 | -- Colin Watson <cjwatson@debian.org> Wed, 19 Aug 2015 15:19:54 +0100 | ||
68 | |||
1 | openssh (1:6.7p1-6) unstable; urgency=medium | 69 | openssh (1:6.7p1-6) unstable; urgency=medium |
2 | 70 | ||
3 | [ Martin Pitt ] | 71 | [ Martin Pitt ] |
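Review bot: the two default changes at new lines 4-13 (UseDNS now defaulting to 'no', fingerprints moving from MD5/hex to SHA256/base64) change behaviour on upgrade, yet they carry the same weight in this list as the bug fixes that follow. Consider calling them out separately, for example in a debian/NEWS entry if one is not already planned, so that administrators who match on client host names in sshd_config or authorized_keys, or who compare host keys against stored MD5 fingerprints, see them before upgrading. Two small style points: the entry ending at new line 60, "(and not whenever the host name changes)", lacks the closing full stop the other entries have, and new line 19 reads "a UpdateHostkeys" where "an UpdateHostkeys" is expected.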