author | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:20:28 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:57:25 +0100 |
commit | a0b2dce9bf518f561bbb5070c0fb0c38f49035dd (patch) | |
tree | 24298b823e93d4e6efe13f48f1512707ebd625f8 /debian/changelog | |
parent | 9d4942dc192b6f1888c9ab73a512dd9b197b956c (diff) | |
parent | 76aa43d2298f322f0371b74462418d0461537131 (diff) |
New upstream release (7.7p1)
Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 68b8167af..9646ee994 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,92 @@ | |||
1 | openssh (1:7.7p1-1) UNRELEASED; urgency=medium | ||
2 | |||
3 | * New upstream release (https://www.openssh.com/txt/release-7.7): | ||
4 | - ssh(1)/sshd(8): Drop compatibility support for some very old SSH | ||
5 | implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These | ||
6 | versions were all released in or before 2001 and predate the final SSH | ||
7 | RFCs. The support in question isn't necessary for RFC-compliant SSH | ||
8 | implementations. | ||
9 | - Add experimental support for PQC XMSS keys (Extended Hash-Based | ||
10 | Signatures). | ||
11 | - sshd(8): Add an "rdomain" criterion for the sshd_config Match keyword | ||
12 | to allow conditional configuration that depends on which routing | ||
13 | domain a connection was received on. | ||
14 | - sshd_config(5): Add an optional rdomain qualifier to the ListenAddress | ||
15 | directive to allow listening on different routing domains. | ||
16 | - sshd(8): Add "expiry-time" option for authorized_keys files to allow | ||
17 | for expiring keys. | ||
18 | - ssh(1): Add a BindInterface option to allow binding the outgoing | ||
19 | connection to an interface's address (basically a more usable | ||
20 | BindAddress; closes: #289592). | ||
21 | - ssh(1): Expose device allocated for tun/tap forwarding via a new %T | ||
22 | expansion for LocalCommand. This allows LocalCommand to be used to | ||
23 | prepare the interface. | ||
24 | - sshd(8): Expose the device allocated for tun/tap forwarding via a new | ||
25 | SSH_TUNNEL environment variable. This allows automatic setup of the | ||
26 | interface and surrounding network configuration automatically on the | ||
27 | server. | ||
28 | - ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. | ||
29 | ssh://user@host or sftp://user@host/path. Additional connection | ||
30 | parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not | ||
31 | implemented since the ssh fingerprint format in the draft uses the | ||
32 | deprecated MD5 hash with no way to specify any other algorithm. | ||
33 | - ssh-keygen(1): Allow certificate validity intervals that specify only | ||
34 | a start or stop time (instead of both or neither). | ||
35 | - sftp(1): Allow "cd" and "lcd" commands with no explicit path argument. | ||
36 | lcd will change to the local user's home directory as usual. cd will | ||
37 | change to the starting directory for session (because the protocol | ||
38 | offers no way to obtain the remote user's home directory). | ||
39 | - sshd(8): When doing a config test with sshd -T, only require the | ||
40 | attributes that are actually used in Match criteria rather than (an | ||
41 | incomplete list of) all criteria. | ||
42 | - ssh(1)/sshd(8): More strictly check signature types during key | ||
43 | exchange against what was negotiated. Prevents downgrade of RSA | ||
44 | signatures made with SHA-256/512 to SHA-1. | ||
45 | - sshd(8): Fix support for client that advertise a protocol version of | ||
46 | "1.99" (indicating that they are prepared to accept both SSHv1 and | ||
47 | SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 | ||
48 | support. | ||
49 | - ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a | ||
50 | rsa-sha2-256/512 signature was requested. This condition is possible | ||
51 | when an old or non-OpenSSH agent is in use. | ||
52 | - ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent | ||
53 | to fatally exit if presented an invalid signature request message. | ||
54 | - sshd_config(5): Accept yes/no flag options case-insensitively, as has | ||
55 | been the case in ssh_config(5) for a long time (LP: #1656557). | ||
56 | - ssh(1): Improve error reporting for failures during connection. Under | ||
57 | some circumstances misleading errors were being shown. | ||
58 | - ssh-keyscan(1): Add -D option to allow printing of results directly in | ||
59 | SSHFP format. | ||
60 | - ssh(1): Compatibility fix for some servers that erroneously drop the | ||
61 | connection when the IUTF8 (RFC8160) option is sent. | ||
62 | - scp(1): Disable RemoteCommand and RequestTTY in the ssh session | ||
63 | started by scp (sftp was already doing this). | ||
64 | - ssh-keygen(1): Refuse to create a certificate with an unusable number | ||
65 | of principals. | ||
66 | - ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the | ||
67 | public key during key generation. Previously it would silently ignore | ||
68 | errors writing the comment and terminating newline. | ||
69 | - ssh(1): Do not modify hostname arguments that are addresses by | ||
70 | automatically forcing them to lower-case. Instead canonicalise them | ||
71 | jo resolve ambiguities (e.g. ::0001 => ::1) before they are matched | ||
72 | against known_hosts. | ||
73 | - ssh(1): Don't accept junk after "yes" or "no" responses to hostkey | ||
74 | prompts. | ||
75 | - sftp(1): Have sftp print a warning about shell cleanliness when | ||
76 | decoding the first packet fails, which is usually caused by shells | ||
77 | polluting stdout of non-interactive startups. | ||
78 | - ssh(1)/sshd(8): Switch timers in packet code from using wall-clock | ||
79 | time to monotonic time, allowing the packet layer to better function | ||
80 | over a clock step and avoiding possible integer overflows during | ||
81 | steps. | ||
82 | - sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes | ||
83 | sandbox violations on some environments. | ||
84 | - Build and link with "retpoline" flags when available to mitigate the | ||
85 | "branch target injection" style (variant 2) of the Spectre | ||
86 | branch-prediction vulnerability. | ||
87 | |||
88 | -- Colin Watson <cjwatson@debian.org> Tue, 03 Apr 2018 08:33:10 +0100 | ||
89 | |||
1 | openssh (1:7.6p1-5) unstable; urgency=medium | 90 | openssh (1:7.6p1-5) unstable; urgency=medium |
2 | 91 | ||
3 | * Explicitly build-depend on pkg-config, rather than implicitly | 92 | * Explicitly build-depend on pkg-config, rather than implicitly |
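Review bot: New line 71 has a typo, "jo resolve ambiguities", which should read "to resolve ambiguities". Two smaller wording points in the same entry: new lines 25-26 say "allows automatic setup of the interface and surrounding network configuration automatically", where the trailing "automatically" is redundant, and new line 45 says "Fix support for client that advertise", which should be "clients that advertise". The new top entry is still marked UNRELEASED on line 1, so the distribution needs to be set before this is uploaded.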