author Colin Watson <cjwatson@debian.org> 2018-08-24 12:49:36 +0100
committer Colin Watson <cjwatson@debian.org> 2018-08-30 00:57:27 +0100
commit 816386e17654ca36834bebbf351419e460fad8f6
tree 3dc79d831cb73bc25b92f5a4d18f8e328c0c570a /debian/changelog
parent 3e6f76c7039d3df22b1d0a3a5f30150efb09b69d
parent 16a47fc4b04977a14f44dd433c8da1499fa80671
New upstream release (7.8p1)
Closes: #907534
Diffstat (limited to 'debian/changelog')
-rw-r--r-- debian/changelog 105
1 files changed, 103 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index bef0cb443..c3502c25a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,106 @@
1openssh (1:7.7p1-5) UNRELEASED; urgency=medium 1openssh (1:7.8p1-1) UNRELEASED; urgency=medium
2 2
3 * New upstream release (https://www.openssh.com/txt/release-7.8, closes:
4 #907534):
5 - ssh-keygen(1): Write OpenSSH format private keys by default instead of
6 using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
7 supported in OpenSSH releases since 2014 and described in the
8 PROTOCOL.key file in the source distribution, offers substantially
9 better protection against offline password guessing and supports key
10 comments in private keys. If necessary, it is possible to write old
11 PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
12 generating or updating a key.
13 - sshd(8): Remove internal support for S/Key multiple factor
14 authentication. S/Key may still be used via PAM or BSD auth.
15 - ssh(1): Remove vestigial support for running ssh(1) as setuid. This
16 used to be required for hostbased authentication and the (long gone)
17 rhosts-style authentication, but has not been necessary for a long
18 time. Attempting to execute ssh as a setuid binary, or with uid !=
19 effective uid will now yield a fatal error at runtime.
20 - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
21 HostbasedAcceptedKeyTypes options have changed. These now specify
22 signature algorithms that are accepted for their respective
23 authentication mechanism, where previously they specified accepted key
24 types. This distinction matters when using the RSA/SHA2 signature
25 algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
26 counterparts. Configurations that override these options but omit
27 these algorithm names may cause unexpected authentication failures (no
28 action is required for configurations that accept the default for
29 these options).
30 - sshd(8): The precedence of session environment variables has changed.
31 ~/.ssh/environment and environment="..." options in authorized_keys
32 files can no longer override SSH_* variables set implicitly by sshd.
33 - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
34 will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
35 a detailed rationale, please see the commit message:
36 https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
37 - ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
38 v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly
39 force use of RSA/SHA2 signatures in authentication.
40 - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
41 of environment variable names in addition to global "yes" or "no"
42 settings.
43 - sshd(8): Add a PermitListen directive to sshd_config(5) and a
44 corresponding permitlisten= authorized_keys option that control which
45 listen addresses and port numbers may be used by remote forwarding
46 (ssh -R ...).
47 - sshd(8): Add some countermeasures against timing attacks used for
48 account validation/enumeration. sshd will enforce a minimum time or
49 each failed authentication attempt consisting of a global 5ms minimum
50 plus an additional per-user 0-4ms delay derived from a host secret.
51 - sshd(8): Add a SetEnv directive to allow an administrator to
52 explicitly specify environment variables in sshd_config. Variables
53 set by SetEnv override the default and client-specified environment.
54 - ssh(1): Add a SetEnv directive to request that the server sets an
55 environment variable in the session. Similar to the existing SendEnv
56 option, these variables are set subject to server configuration.
57 - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
58 previously marked for sending to the server (closes: #573316).
59 - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
60 the username is available currently.
61 - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
62 functionality.
63 - sshd(8): Avoid observable differences in request parsing that could be
64 used to determine whether a target user is valid.
65 - ssh(1)/sshd(8): Fix some memory leaks.
66 - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
67 occur during key loading, manifesting as crash on some platforms.
68 - sshd_config(5): Clarify documentation for AuthenticationMethods
69 option.
70 - ssh(1): Ensure that the public key algorithm sent in a public key
71 SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
72 Previously, these could be inconsistent when a legacy or non-OpenSSH
73 ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
74 signature.
75 - sshd(8): Fix failures to read authorized_keys caused by faulty
76 supplemental group caching.
77 - scp(1): Apply umask to directories, fixing potential mkdir/chmod race
78 when copying directory trees.
79 - ssh-keygen(1): Return correct exit code when searching for and hashing
80 known_hosts entries in a single operation.
81 - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
82 re-executing ssh for ProxyJump.
83 - sshd(8): Do not ban PTY allocation when a sshd session is restricted
84 because the user password is expired as it breaks password change
85 dialog.
86 - ssh(1)/sshd(8): Fix error reporting from select() failures.
87 - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
88 -w implicitly sets Tunnel=point-to-point.
89 - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
90 will no longer spin when its file descriptor limit is exceeded.
91 - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
92 clients. Twisted Conch versions that lack a version number in their
93 identification strings will mishandle these messages when running on
94 Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
95 - sftp(1): Notify user immediately when underlying ssh process dies
96 expectedly.
97 - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
98 - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
99 fails to accept(2) a connection.
100 - ssh(1): Add some missing options in the configuration dump output (ssh
101 -G).
102 - sshd(8): Expose details of completed authentication to PAM auth
103 modules via SSH_AUTH_INFO_0 in the PAM environment.
3 * Switch debian/watch to HTTPS. 104 * Switch debian/watch to HTTPS.
4 105
5 -- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100 106 -- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100
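Review bot: Two entries in the new 7.8p1 list have wording slips that should be fixed before upload: the timing-attack countermeasure entry (new lines 47-50) reads "enforce a minimum time or each failed authentication attempt", where "for each" is presumably meant, and the sftp(1) entry (new lines 95-96) reads "dies expectedly", where "unexpectedly" is presumably meant. Separately, the PubkeyAcceptedKeyTypes/HostbasedAcceptedKeyTypes entry (new lines 20-29) describes a semantics change that "may cause unexpected authentication failures" for configurations that override these options without listing "rsa-sha2-256" and "rsa-sha2-512". Since this diff is limited to debian/changelog, it is worth confirming that upgrade-affecting items like this one, the removal of internal S/Key support (new lines 13-14) and the new fatal error for setuid ssh (new lines 15-19) are also flagged somewhere administrators see at upgrade time, for example debian/NEWS, and not only in the changelog.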