* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 12 insertions, 11 deletions

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index ab343b083..8a7e7c687 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -186,7 +186,7 @@ Index: b/monitor_wrap.c
  {
         Buffer m;
  
-@@ -291,11 +291,29 @@
+@@ -291,12 +291,30 @@
         buffer_init(&m);
         buffer_put_cstring(&m, service);
         buffer_put_cstring(&m, style ? style : "");
@@ -196,7 +196,7 @@ Index: b/monitor_wrap.c
  
         buffer_free(&m);
  }
-+
+ 
 +/* Inform the privileged process about role */
 +
 +void
@@ -213,9 +213,10 @@ Index: b/monitor_wrap.c
 +
 +       buffer_free(&m);
 +}
- 
++
  /* Do the password authentication */
  int
+ mm_auth_password(Authctxt *authctxt, char *password)
 Index: b/monitor_wrap.h
 ===================================================================
 --- a/monitor_wrap.h
@@ -234,20 +235,20 @@ Index: b/openbsd-compat/port-linux.c
 ===================================================================
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
-@@ -28,6 +28,12 @@
+@@ -29,6 +29,12 @@
  #include <string.h>
+ #include <stdio.h>
  
- #ifdef WITH_SELINUX
++#ifdef WITH_SELINUX
 +#include "key.h"
 +#include "hostfile.h"
 +#include "auth.h"
-+#ifdef HAVE_GETSEUSERBYNAME
-+#include "xmalloc.h"
 +#endif
++
  #include "log.h"
+ #include "xmalloc.h"
  #include "port-linux.h"
- 
-@@ -35,6 +41,8 @@
+@@ -38,6 +44,8 @@
  #include <selinux/flask.h>
  #include <selinux/get_context_list.h>
  
@@ -256,7 +257,7 @@ Index: b/openbsd-compat/port-linux.c
  /* Wrapper around is_selinux_enabled() to log its return value once only */
  int
  ssh_selinux_enabled(void)
-@@ -53,8 +61,8 @@
+@@ -56,8 +64,8 @@
  static security_context_t
  ssh_selinux_getctxbyname(char *pwname)
  {
@@ -267,7 +268,7 @@ Index: b/openbsd-compat/port-linux.c
         int r;
  
  #ifdef HAVE_GETSEUSERBYNAME
-@@ -64,11 +72,20 @@
+@@ -67,11 +75,20 @@
         sename = pwname;
         lvl = NULL;
  #endif