author Colin Watson <cjwatson@debian.org> 2018-04-03 08:20:28 +0100
committer Colin Watson <cjwatson@debian.org> 2018-04-03 08:57:25 +0100
commit a0b2dce9bf518f561bbb5070c0fb0c38f49035dd (patch)
tree 24298b823e93d4e6efe13f48f1512707ebd625f8 /debian/changelog
parent 9d4942dc192b6f1888c9ab73a512dd9b197b956c (diff)
parent 76aa43d2298f322f0371b74462418d0461537131 (diff)
New upstream release (7.7p1)
Diffstat (limited to 'debian/changelog')
-rw-r--r-- debian/changelog 89
1 files changed, 89 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 68b8167af..9646ee994 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,92 @@
1openssh (1:7.7p1-1) UNRELEASED; urgency=medium
2
3 * New upstream release (https://www.openssh.com/txt/release-7.7):
4 - ssh(1)/sshd(8): Drop compatibility support for some very old SSH
5 implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
6 versions were all released in or before 2001 and predate the final SSH
7 RFCs. The support in question isn't necessary for RFC-compliant SSH
8 implementations.
9 - Add experimental support for PQC XMSS keys (Extended Hash-Based
10 Signatures).
11 - sshd(8): Add an "rdomain" criterion for the sshd_config Match keyword
12 to allow conditional configuration that depends on which routing
13 domain a connection was received on.
14 - sshd_config(5): Add an optional rdomain qualifier to the ListenAddress
15 directive to allow listening on different routing domains.
16 - sshd(8): Add "expiry-time" option for authorized_keys files to allow
17 for expiring keys.
18 - ssh(1): Add a BindInterface option to allow binding the outgoing
19 connection to an interface's address (basically a more usable
20 BindAddress; closes: #289592).
21 - ssh(1): Expose device allocated for tun/tap forwarding via a new %T
22 expansion for LocalCommand. This allows LocalCommand to be used to
23 prepare the interface.
24 - sshd(8): Expose the device allocated for tun/tap forwarding via a new
25 SSH_TUNNEL environment variable. This allows automatic setup of the
26 interface and surrounding network configuration automatically on the
27 server.
28 - ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
29 ssh://user@host or sftp://user@host/path. Additional connection
30 parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
31 implemented since the ssh fingerprint format in the draft uses the
32 deprecated MD5 hash with no way to specify any other algorithm.
33 - ssh-keygen(1): Allow certificate validity intervals that specify only
34 a start or stop time (instead of both or neither).
35 - sftp(1): Allow "cd" and "lcd" commands with no explicit path argument.
36 lcd will change to the local user's home directory as usual. cd will
37 change to the starting directory for session (because the protocol
38 offers no way to obtain the remote user's home directory).
39 - sshd(8): When doing a config test with sshd -T, only require the
40 attributes that are actually used in Match criteria rather than (an
41 incomplete list of) all criteria.
42 - ssh(1)/sshd(8): More strictly check signature types during key
43 exchange against what was negotiated. Prevents downgrade of RSA
44 signatures made with SHA-256/512 to SHA-1.
45 - sshd(8): Fix support for client that advertise a protocol version of
46 "1.99" (indicating that they are prepared to accept both SSHv1 and
47 SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
48 support.
49 - ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a
50 rsa-sha2-256/512 signature was requested. This condition is possible
51 when an old or non-OpenSSH agent is in use.
52 - ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
53 to fatally exit if presented an invalid signature request message.
54 - sshd_config(5): Accept yes/no flag options case-insensitively, as has
55 been the case in ssh_config(5) for a long time (LP: #1656557).
56 - ssh(1): Improve error reporting for failures during connection. Under
57 some circumstances misleading errors were being shown.
58 - ssh-keyscan(1): Add -D option to allow printing of results directly in
59 SSHFP format.
60 - ssh(1): Compatibility fix for some servers that erroneously drop the
61 connection when the IUTF8 (RFC8160) option is sent.
62 - scp(1): Disable RemoteCommand and RequestTTY in the ssh session
63 started by scp (sftp was already doing this).
64 - ssh-keygen(1): Refuse to create a certificate with an unusable number
65 of principals.
66 - ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
67 public key during key generation. Previously it would silently ignore
68 errors writing the comment and terminating newline.
69 - ssh(1): Do not modify hostname arguments that are addresses by
70 automatically forcing them to lower-case. Instead canonicalise them
71 jo resolve ambiguities (e.g. ::0001 => ::1) before they are matched
72 against known_hosts.
73 - ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
74 prompts.
75 - sftp(1): Have sftp print a warning about shell cleanliness when
76 decoding the first packet fails, which is usually caused by shells
77 polluting stdout of non-interactive startups.
78 - ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
79 time to monotonic time, allowing the packet layer to better function
80 over a clock step and avoiding possible integer overflows during
81 steps.
82 - sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
83 sandbox violations on some environments.
84 - Build and link with "retpoline" flags when available to mitigate the
85 "branch target injection" style (variant 2) of the Spectre
86 branch-prediction vulnerability.
87
88 -- Colin Watson <cjwatson@debian.org> Tue, 03 Apr 2018 08:33:10 +0100
89
1openssh (1:7.6p1-5) unstable; urgency=medium 90openssh (1:7.6p1-5) unstable; urgency=medium
2 91
3 * Explicitly build-depend on pkg-config, rather than implicitly 92 * Explicitly build-depend on pkg-config, rather than implicitly
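Review bot: the ssh(1) entry about not lower-casing hostname arguments that are addresses contains a typo, "jo resolve ambiguities (e.g. ::0001 => ::1)", which should read "to resolve ambiguities"; since this describes how addresses are canonicalised before matching against known_hosts, the wording is worth getting right. Two smaller wording points in the same stanza: the SSH_TUNNEL entry says "allows automatic setup of the interface and surrounding network configuration automatically", where one of the two can go, and the "1.99" entry reads "Fix support for client that advertise", which should be "clients". Separately, the first item drops compatibility with ssh.com <=2.* and OpenSSH <= 3.*, and the key-exchange item now rejects RSA signature downgrade to SHA-1; both can break connections to legacy peers on upgrade, so consider whether they deserve a user-facing upgrade note in addition to the changelog if one is not already planned.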