New upstream release (7.9p1)

1 files changed, 57 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 64e1145c4..68fb28bb3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,60 @@
+openssh (1:7.9p1-1) UNRELEASED; urgency=medium
+
+  * New upstream release (https://www.openssh.com/txt/release-7.9):
+    - ssh(1), sshd(8): allow most port numbers to be specified using service
+      names from getservbyname(3) (typically /etc/services; closes:
+      #177406).
+    - ssh(1): allow the IdentityAgent configuration directive to accept
+      environment variable names.  This supports the use of multiple agent
+      sockets without needing to use fixed paths.
+    - sshd(8): support signalling sessions via the SSH protocol.  A limited
+      subset of signals is supported and only for login or command sessions
+      (i.e. not subsystems) that were not subject to a forced command via
+      authorized_keys or sshd_config.
+    - ssh(1): support "ssh -Q sig" to list supported signature options.
+      Also "ssh -Q help" to show the full set of supported queries.
+    - ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and
+      server configs to allow control over which signature formats are
+      allowed for CAs to sign certificates.  For example, this allows
+      banning CAs that sign certificates using the RSA-SHA1 signature
+      algorithm.
+    - sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke
+      keys specified by SHA256 hash.
+    - ssh-keygen(1): allow creation of key revocation lists directly from
+      base64-encoded SHA256 fingerprints.  This supports revoking keys using
+      only the information contained in sshd(8) authentication log messages.
+    - ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
+      attempting to load PEM private keys while using an incorrect
+      passphrase.
+    - sshd(8): when a channel closed message is received from a client,
+      close the stderr file descriptor at the same time stdout is closed.
+      This avoids stuck processes if they were waiting for stderr to close
+      and were insensitive to stdin/out closing (closes: #844494).
+    - ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
+      forwarding timeout and support X11 forwarding indefinitely.
+      Previously the behaviour of ForwardX11Timeout=0 was undefined.
+    - sshd(8): when compiled with GSSAPI support, cache supported method
+      OIDs regardless of whether GSSAPI authentication is enabled in the
+      main section of sshd_config.  This avoids sandbox violations if GSSAPI
+      authentication was later enabled in a Match block.
+    - sshd(8): do not fail closed when configured with a text key revocation
+      list that contains a too-short key.
+    - ssh(1): treat connections with ProxyJump specified the same as ones
+      with a ProxyCommand set with regards to hostname canonicalisation
+      (i.e. don't try to canonicalise the hostname unless
+      CanonicalizeHostname is set to 'always').
+    - ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key
+      authentication using certificates hosted in a ssh-agent(1) or against
+      sshd(8) from OpenSSH <7.8 (LP: #1790963).
+    - All: support building against the openssl-1.1 API (releases 1.1.0g and
+      later).  The openssl-1.0 API will remain supported at least until
+      OpenSSL terminates security patch support for that API version
+      (closes: #828475).
+    - sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
+      apparently required by some glibc/OpenSSL combinations.
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 19 Oct 2018 21:34:47 +0100
+
 openssh (1:7.8p1-1) unstable; urgency=medium
 
   * New upstream release (https://www.openssh.com/txt/release-7.8, closes: