New upstream release (8.1p1)

author: Colin Watson <cjwatson@debian.org> 2019-10-09 22:59:48 +0100
committer: Colin Watson <cjwatson@debian.org> 2019-10-09 23:39:39 +0100
commit: 767ee84d3465b6d244a9108de5c167a9ab866df9 (patch)
tree: 69b14ef6a62d7f133298a21d2ad6046f130b7801 /debian/changelog
parent: ddeaf9ee7d5c6612b88f1c4a83fc6fbccb93bf60 (diff)
parent: efef12825b9582c1710da3b7e50135870963d4f4 (diff)
1 files changed, 80 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 58b1f45e2..9f799969b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,83 @@
+openssh (1:8.1p1-1) UNRELEASED; urgency=medium
+  * New upstream release (https://www.openssh.com/txt/release-8.1):
+    - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest
+      in RAM against speculation and memory side-channel attacks like
+      Spectre, Meltdown and Rambleed.  This release encrypts private keys
+      when they are not in use with a symmetric key that is derived from a
+      relatively large "prekey" consisting of random data (currently 16KB).
+    - ssh(1): Allow %n to be expanded in ProxyCommand strings.
+    - ssh(1), sshd(8): Allow prepending a list of algorithms to the default
+      set by starting the list with the '^' character, e.g.
+      "HostKeyAlgorithms ^ssh-ed25519".
+    - ssh-keygen(1): Add an experimental lightweight signature and
+      verification ability.  Signatures may be made using regular ssh keys
+      held on disk or stored in a ssh-agent and verified against an
+      authorized_keys-like list of allowed keys.  Signatures embed a
+      namespace that prevents confusion and attacks between different usage
+      domains (e.g. files vs email).
+    - ssh-keygen(1): Print key comment when extracting public key from a
+      private key.
+    - ssh-keygen(1): Accept the verbose flag when searching for host keys in
+      known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
+      random-art signature too.
+    - All: Support PKCS8 as an optional format for storage of private keys
+      to disk.  The OpenSSH native key format remains the default, but PKCS8
+      is a superior format to PEM if interoperability with non-OpenSSH
+      software is required, as it may use a less insecure key derivation
+      function than PEM's.
+    - ssh(1): If a PKCS#11 token returns no keys then try to login and
+      refetch them.
+    - ssh(1): Produce a useful error message if the user's shell is set
+      incorrectly during "match exec" processing.
+    - sftp(1): Allow the maximum uint32 value for the argument passed to -b
+      which allows better error messages from later validation.
+    - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX
+      proposal; allows ssh-keyscan to harvest keys from servers that disable
+      old SHA1 ssh-rsa.
+    - sftp(1): Print explicit "not modified" message if a file was requested
+      for resumed download but was considered already complete.
+    - sftp(1): Fix a typo and make <esc><right> move right to the closest
+      end of a word just like <esc><left> moves left to the closest
+      beginning of a word.
+    - sshd(8): Cap the number of permitopen/permitlisten directives allowed
+      to appear on a single authorized_keys line.
+    - All: Fix a number of memory leaks (one-off or on exit paths).
+    - ssh(1), sshd(8): Check for convtime() refusing to accept times that
+      resolve to LONG_MAX.
+    - ssh(1): Slightly more instructive error message when the user
+      specifies multiple -J options on the command-line (closes: #929669).
+    - ssh-agent(1): Process agent requests for RSA certificate private keys
+      using correct signature algorithm when requested.
+    - sftp(1): Check for user@host when parsing sftp target.  This allows
+      user@[1.2.3.4] to work without a path.
+    - sshd(8): Enlarge format buffer size for certificate serial number so
+      the log message can record any 64-bit integer without truncation.
+    - sshd(8): For PermitOpen violations add the remote host and port to be
+      able to more easily ascertain the source of the request.  Add the same
+      logging for PermitListen violations which were not previously logged
+      at all.
+    - scp(1), sftp(1): Use the correct POSIX format style for left
+      justification for the transfer progress meter.
+    - sshd(8): When examining a configuration using sshd -T, assume any
+      attribute not provided by -C does not match, which allows it to work
+      when sshd_config contains a Match directive with or without -C.
+    - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots"
+      warning from log level error to debug.  This is common when attempting
+      to enumerate keys on smartcard readers with no cards plugged in.
+    - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11
+      tokens.  Avoids spurious PIN prompts for keys not selected for
+      authentication in ssh(1) and when listing public keys available in a
+      token using ssh-keygen(1).
+    - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
+    - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with
+      PROT_(READ|WRITE|NONE) only.  This syscall is used by some hardened
+      heap allocators.
+    - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific
+      ioctl for ECC hardware support.
+ -- Colin Watson <cjwatson@debian.org>  Wed, 09 Oct 2019 23:18:42 +0100
 openssh (1:8.0p1-7) unstable; urgency=medium
  [ Daniel Kahn Gillmor ]
author	Colin Watson <cjwatson@debian.org>	2019-10-09 22:59:48 +0100
committer	Colin Watson <cjwatson@debian.org>	2019-10-09 23:39:39 +0100
commit	767ee84d3465b6d244a9108de5c167a9ab866df9 (patch)
tree	69b14ef6a62d7f133298a21d2ad6046f130b7801 /debian/changelog
parent	ddeaf9ee7d5c6612b88f1c4a83fc6fbccb93bf60 (diff)
parent	efef12825b9582c1710da3b7e50135870963d4f4 (diff)

diff --git a/debian/changelog b/debian/changelog index 58b1f45e2..9f799969b 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,83 @@
		1	openssh (1:8.1p1-1) UNRELEASED; urgency=medium
		2
		3	* New upstream release (https://www.openssh.com/txt/release-8.1):
		4	- ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest
		5	in RAM against speculation and memory side-channel attacks like
		6	Spectre, Meltdown and Rambleed. This release encrypts private keys
		7	when they are not in use with a symmetric key that is derived from a
		8	relatively large "prekey" consisting of random data (currently 16KB).
		9	- ssh(1): Allow %n to be expanded in ProxyCommand strings.
		10	- ssh(1), sshd(8): Allow prepending a list of algorithms to the default
		11	set by starting the list with the '^' character, e.g.
		12	"HostKeyAlgorithms ^ssh-ed25519".
		13	- ssh-keygen(1): Add an experimental lightweight signature and
		14	verification ability. Signatures may be made using regular ssh keys
		15	held on disk or stored in a ssh-agent and verified against an
		16	authorized_keys-like list of allowed keys. Signatures embed a
		17	namespace that prevents confusion and attacks between different usage
		18	domains (e.g. files vs email).
		19	- ssh-keygen(1): Print key comment when extracting public key from a
		20	private key.
		21	- ssh-keygen(1): Accept the verbose flag when searching for host keys in
		22	known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
		23	random-art signature too.
		24	- All: Support PKCS8 as an optional format for storage of private keys
		25	to disk. The OpenSSH native key format remains the default, but PKCS8
		26	is a superior format to PEM if interoperability with non-OpenSSH
		27	software is required, as it may use a less insecure key derivation
		28	function than PEM's.
		29	- ssh(1): If a PKCS#11 token returns no keys then try to login and
		30	refetch them.
		31	- ssh(1): Produce a useful error message if the user's shell is set
		32	incorrectly during "match exec" processing.
		33	- sftp(1): Allow the maximum uint32 value for the argument passed to -b
		34	which allows better error messages from later validation.
		35	- ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX
		36	proposal; allows ssh-keyscan to harvest keys from servers that disable
		37	old SHA1 ssh-rsa.
		38	- sftp(1): Print explicit "not modified" message if a file was requested
		39	for resumed download but was considered already complete.
		40	- sftp(1): Fix a typo and make <esc><right> move right to the closest
		41	end of a word just like <esc><left> moves left to the closest
		42	beginning of a word.
		43	- sshd(8): Cap the number of permitopen/permitlisten directives allowed
		44	to appear on a single authorized_keys line.
		45	- All: Fix a number of memory leaks (one-off or on exit paths).
		46	- ssh(1), sshd(8): Check for convtime() refusing to accept times that
		47	resolve to LONG_MAX.
		48	- ssh(1): Slightly more instructive error message when the user
		49	specifies multiple -J options on the command-line (closes: #929669).
		50	- ssh-agent(1): Process agent requests for RSA certificate private keys
		51	using correct signature algorithm when requested.
		52	- sftp(1): Check for user@host when parsing sftp target. This allows
		53	user@[1.2.3.4] to work without a path.
		54	- sshd(8): Enlarge format buffer size for certificate serial number so
		55	the log message can record any 64-bit integer without truncation.
		56	- sshd(8): For PermitOpen violations add the remote host and port to be
		57	able to more easily ascertain the source of the request. Add the same
		58	logging for PermitListen violations which were not previously logged
		59	at all.
		60	- scp(1), sftp(1): Use the correct POSIX format style for left
		61	justification for the transfer progress meter.
		62	- sshd(8): When examining a configuration using sshd -T, assume any
		63	attribute not provided by -C does not match, which allows it to work
		64	when sshd_config contains a Match directive with or without -C.
		65	- ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots"
		66	warning from log level error to debug. This is common when attempting
		67	to enumerate keys on smartcard readers with no cards plugged in.
		68	- ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11
		69	tokens. Avoids spurious PIN prompts for keys not selected for
		70	authentication in ssh(1) and when listing public keys available in a
		71	token using ssh-keygen(1).
		72	- ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
		73	- sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with
		74	PROT_(READ\|WRITE\|NONE) only. This syscall is used by some hardened
		75	heap allocators.
		76	- sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific
		77	ioctl for ECC hardware support.
		78
		79	-- Colin Watson <cjwatson@debian.org> Wed, 09 Oct 2019 23:18:42 +0100
		80
1	openssh (1:8.0p1-7) unstable; urgency=medium	81	openssh (1:8.0p1-7) unstable; urgency=medium
2		82
3	[ Daniel Kahn Gillmor ]	83	[ Daniel Kahn Gillmor ]