diff options
author | Colin Watson <cjwatson@debian.org> | 2018-08-24 12:49:36 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-08-30 00:57:27 +0100 |
commit | 816386e17654ca36834bebbf351419e460fad8f6 (patch) | |
tree | 3dc79d831cb73bc25b92f5a4d18f8e328c0c570a /debian/changelog | |
parent | 3e6f76c7039d3df22b1d0a3a5f30150efb09b69d (diff) | |
parent | 16a47fc4b04977a14f44dd433c8da1499fa80671 (diff) |
New upstream release (7.8p1)
Closes: #907534
Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 105 |
1 files changed, 103 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index bef0cb443..c3502c25a 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,5 +1,106 @@ | |||
1 | openssh (1:7.7p1-5) UNRELEASED; urgency=medium | 1 | openssh (1:7.8p1-1) UNRELEASED; urgency=medium |
2 | 2 | ||
3 | * New upstream release (https://www.openssh.com/txt/release-7.8, closes: | ||
4 | #907534): | ||
5 | - ssh-keygen(1): Write OpenSSH format private keys by default instead of | ||
6 | using OpenSSL's PEM format (closes: #905407). The OpenSSH format, | ||
7 | supported in OpenSSH releases since 2014 and described in the | ||
8 | PROTOCOL.key file in the source distribution, offers substantially | ||
9 | better protection against offline password guessing and supports key | ||
10 | comments in private keys. If necessary, it is possible to write old | ||
11 | PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when | ||
12 | generating or updating a key. | ||
13 | - sshd(8): Remove internal support for S/Key multiple factor | ||
14 | authentication. S/Key may still be used via PAM or BSD auth. | ||
15 | - ssh(1): Remove vestigial support for running ssh(1) as setuid. This | ||
16 | used to be required for hostbased authentication and the (long gone) | ||
17 | rhosts-style authentication, but has not been necessary for a long | ||
18 | time. Attempting to execute ssh as a setuid binary, or with uid != | ||
19 | effective uid will now yield a fatal error at runtime. | ||
20 | - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar | ||
21 | HostbasedAcceptedKeyTypes options have changed. These now specify | ||
22 | signature algorithms that are accepted for their respective | ||
23 | authentication mechanism, where previously they specified accepted key | ||
24 | types. This distinction matters when using the RSA/SHA2 signature | ||
25 | algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate | ||
26 | counterparts. Configurations that override these options but omit | ||
27 | these algorithm names may cause unexpected authentication failures (no | ||
28 | action is required for configurations that accept the default for | ||
29 | these options). | ||
30 | - sshd(8): The precedence of session environment variables has changed. | ||
31 | ~/.ssh/environment and environment="..." options in authorized_keys | ||
32 | files can no longer override SSH_* variables set implicitly by sshd. | ||
33 | - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They | ||
34 | will now use DSCP AF21 for interactive traffic and CS1 for bulk. For | ||
35 | a detailed rationale, please see the commit message: | ||
36 | https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284 | ||
37 | - ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert- | ||
38 | v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly | ||
39 | force use of RSA/SHA2 signatures in authentication. | ||
40 | - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist | ||
41 | of environment variable names in addition to global "yes" or "no" | ||
42 | settings. | ||
43 | - sshd(8): Add a PermitListen directive to sshd_config(5) and a | ||
44 | corresponding permitlisten= authorized_keys option that control which | ||
45 | listen addresses and port numbers may be used by remote forwarding | ||
46 | (ssh -R ...). | ||
47 | - sshd(8): Add some countermeasures against timing attacks used for | ||
48 | account validation/enumeration. sshd will enforce a minimum time or | ||
49 | each failed authentication attempt consisting of a global 5ms minimum | ||
50 | plus an additional per-user 0-4ms delay derived from a host secret. | ||
51 | - sshd(8): Add a SetEnv directive to allow an administrator to | ||
52 | explicitly specify environment variables in sshd_config. Variables | ||
53 | set by SetEnv override the default and client-specified environment. | ||
54 | - ssh(1): Add a SetEnv directive to request that the server sets an | ||
55 | environment variable in the session. Similar to the existing SendEnv | ||
56 | option, these variables are set subject to server configuration. | ||
57 | - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables | ||
58 | previously marked for sending to the server (closes: #573316). | ||
59 | - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that | ||
60 | the username is available currently. | ||
61 | - ssh(1): Allow setting ProxyJump=none to disable ProxyJump | ||
62 | functionality. | ||
63 | - sshd(8): Avoid observable differences in request parsing that could be | ||
64 | used to determine whether a target user is valid. | ||
65 | - ssh(1)/sshd(8): Fix some memory leaks. | ||
66 | - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could | ||
67 | occur during key loading, manifesting as crash on some platforms. | ||
68 | - sshd_config(5): Clarify documentation for AuthenticationMethods | ||
69 | option. | ||
70 | - ssh(1): Ensure that the public key algorithm sent in a public key | ||
71 | SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob. | ||
72 | Previously, these could be inconsistent when a legacy or non-OpenSSH | ||
73 | ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2 | ||
74 | signature. | ||
75 | - sshd(8): Fix failures to read authorized_keys caused by faulty | ||
76 | supplemental group caching. | ||
77 | - scp(1): Apply umask to directories, fixing potential mkdir/chmod race | ||
78 | when copying directory trees. | ||
79 | - ssh-keygen(1): Return correct exit code when searching for and hashing | ||
80 | known_hosts entries in a single operation. | ||
81 | - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when | ||
82 | re-executing ssh for ProxyJump. | ||
83 | - sshd(8): Do not ban PTY allocation when a sshd session is restricted | ||
84 | because the user password is expired as it breaks password change | ||
85 | dialog. | ||
86 | - ssh(1)/sshd(8): Fix error reporting from select() failures. | ||
87 | - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that | ||
88 | -w implicitly sets Tunnel=point-to-point. | ||
89 | - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent | ||
90 | will no longer spin when its file descriptor limit is exceeded. | ||
91 | - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch | ||
92 | clients. Twisted Conch versions that lack a version number in their | ||
93 | identification strings will mishandle these messages when running on | ||
94 | Python 2.x (https://twistedmatrix.com/trac/ticket/9422). | ||
95 | - sftp(1): Notify user immediately when underlying ssh process dies | ||
96 | expectedly. | ||
97 | - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release. | ||
98 | - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it | ||
99 | fails to accept(2) a connection. | ||
100 | - ssh(1): Add some missing options in the configuration dump output (ssh | ||
101 | -G). | ||
102 | - sshd(8): Expose details of completed authentication to PAM auth | ||
103 | modules via SSH_AUTH_INFO_0 in the PAM environment. | ||
3 | * Switch debian/watch to HTTPS. | 104 | * Switch debian/watch to HTTPS. |
4 | 105 | ||
5 | -- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100 | 106 | -- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100 |