7 files changed, 69 insertions, 0 deletions
diff --git a/debian/patches/config-guess-sub.patch b/debian/patches/config-guess-sub.patch
index d5c016b87..b0a0ada81 100644
--- a/debian/patches/config-guess-sub.patch
+++ b/debian/patches/config-guess-sub.patch
@@ -1,3 +1,8 @@
+Description: Update config.guess and config.sub from autotools-dev 20090611.1
+From: Bradley Smith <bradsmith@debian.org>
+Bug-Debian: http://bugs.debian.org/538301
+Last-Update: 2010-02-27
 Index: b/config.guess
 ===================================================================
 --- a/config.guess
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index cb9c2823c..1bfc9c798 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,3 +1,19 @@
+Description: Various keepalive extensions
+ Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut,
+ supported in previous versions of Debian's OpenSSH package but since
+ superseded by ServerAliveInterval.  (We're probably stuck with this bit for
+ compatibility.)
+ .
+ In batch mode, default ServerAliveInterval to five minutes.
+ .
+ Adjust documentation to match and to give some more advice on use of
+ keepalives.
+Author: Richard Kettlewell <rjk@greenend.org.uk>
+Author: Ian Jackson <ian@chiark.greenend.org.uk>
+Author: Matthew Vernon <matthew@debian.org>
+Author: Colin Watson <cjwatson@debian.org>
+Last-Update: 2010-02-27
 Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
diff --git a/debian/patches/selinux-autoconf.patch b/debian/patches/selinux-autoconf.patch
index 934f885c8..9ac4cd435 100644
--- a/debian/patches/selinux-autoconf.patch
+++ b/debian/patches/selinux-autoconf.patch
@@ -1,3 +1,16 @@
+Description: Fix seusers detection at configure time
+ configure didn't add -lselinux to LIBS before it checked for the existence
+ of getseuserbyname and get_default_context_with_level.  This resulted in
+ seusers configuration not being handled correctly.  Most policies use the
+ seusers feature, and without it login security contexts will not be
+ correct.
+Author: Caleb Case <calebcase@gmail.com>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1713
+Bug-Debian: http://bugs.debian.org/465614
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/188136
+Reviewed-by: Colin Watson <cjwatson@debian.org>
+Last-Update: 2010-02-27
 Index: b/configure
 ===================================================================
 --- a/configure
diff --git a/debian/patches/selinux-fix-chroot-directory.patch b/debian/patches/selinux-fix-chroot-directory.patch
index a69ded59b..5c7c3c4a9 100644
--- a/debian/patches/selinux-fix-chroot-directory.patch
+++ b/debian/patches/selinux-fix-chroot-directory.patch
@@ -1,3 +1,12 @@
+Description: Make ChrootDirectory work with SELinux
+ After chroot() is called the SE Linux context setting won't work unless
+ /selinux and /proc are mounted in the chroot environment.  Even worse, if
+ the user has control over the chroot environment then they may be able to
+ control the context that they get (I haven't verified this).
+Author: Russell Coker <russell@coker.com.au>
+Bug-Debian: http://bugs.debian.org/556644
+Last-Update: 2010-02-27
 Index: b/session.c
 ===================================================================
 --- a/session.c
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5e2a9ecb6..ab343b083 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,3 +1,12 @@
+Description: Handle SELinux authorisation roles
+ Rejected upstream due to discomfort with magic usernames; a better approach
+ will need an SSH protocol change.  In the meantime, this came from Debian's
+ SELinux maintainer, so we'll keep it until we have something better.
+Author: Manoj Srivastava <srivasta@debian.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
+Bug-Debian: http://bugs.debian.org/394795
+Last-Update: 2010-02-27
 Index: b/auth.h
 ===================================================================
 --- a/auth.h
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 3e4e96493..b33315677 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1,3 +1,15 @@
+Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
+ In 2008, Debian (and derived distributions such as Ubuntu) shipped an
+ OpenSSL package with a flawed random number generator, causing OpenSSH to
+ generate only a very limited set of keys which were subject to private half
+ precomputation.  To mitigate this, this patch checks key authentications
+ against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
+ program which can be used to explicitly check keys against that blacklist.
+ See CVE-2008-0166.
+Author: Colin Watson <cjwatson@ubuntu.com>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
+Last-Update: 2010-02-27
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 37b8052eb..c82563033 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,3 +1,8 @@
+Description: Partial server keep-alive implementation for SSH1
+Author: Colin Watson <cjwatson@debian.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
+Last-Update: 2010-02-27
 Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c

diff --git a/debian/patches/config-guess-sub.patch b/debian/patches/config-guess-sub.patch index d5c016b87..b0a0ada81 100644 --- a/debian/patches/config-guess-sub.patch +++ b/debian/patches/config-guess-sub.patch
@@ -1,3 +1,8 @@
		1	Description: Update config.guess and config.sub from autotools-dev 20090611.1
		2	From: Bradley Smith <bradsmith@debian.org>
		3	Bug-Debian: http://bugs.debian.org/538301
		4	Last-Update: 2010-02-27
		5
1	Index: b/config.guess	6	Index: b/config.guess
2	===================================================================	7	===================================================================
3	--- a/config.guess	8	--- a/config.guess


diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index cb9c2823c..1bfc9c798 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch
@@ -1,3 +1,19 @@
		1	Description: Various keepalive extensions
		2	Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut,
		3	supported in previous versions of Debian's OpenSSH package but since
		4	superseded by ServerAliveInterval. (We're probably stuck with this bit for
		5	compatibility.)
		6	.
		7	In batch mode, default ServerAliveInterval to five minutes.
		8	.
		9	Adjust documentation to match and to give some more advice on use of
		10	keepalives.
		11	Author: Richard Kettlewell <rjk@greenend.org.uk>
		12	Author: Ian Jackson <ian@chiark.greenend.org.uk>
		13	Author: Matthew Vernon <matthew@debian.org>
		14	Author: Colin Watson <cjwatson@debian.org>
		15	Last-Update: 2010-02-27
		16
1	Index: b/readconf.c	17	Index: b/readconf.c
2	===================================================================	18	===================================================================
3	--- a/readconf.c	19	--- a/readconf.c


diff --git a/debian/patches/selinux-autoconf.patch b/debian/patches/selinux-autoconf.patch index 934f885c8..9ac4cd435 100644 --- a/debian/patches/selinux-autoconf.patch +++ b/debian/patches/selinux-autoconf.patch
@@ -1,3 +1,16 @@
		1	Description: Fix seusers detection at configure time
		2	configure didn't add -lselinux to LIBS before it checked for the existence
		3	of getseuserbyname and get_default_context_with_level. This resulted in
		4	seusers configuration not being handled correctly. Most policies use the
		5	seusers feature, and without it login security contexts will not be
		6	correct.
		7	Author: Caleb Case <calebcase@gmail.com>
		8	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1713
		9	Bug-Debian: http://bugs.debian.org/465614
		10	Bug-Ubuntu: https://bugs.launchpad.net/bugs/188136
		11	Reviewed-by: Colin Watson <cjwatson@debian.org>
		12	Last-Update: 2010-02-27
		13
1	Index: b/configure	14	Index: b/configure
2	===================================================================	15	===================================================================
3	--- a/configure	16	--- a/configure


diff --git a/debian/patches/selinux-fix-chroot-directory.patch b/debian/patches/selinux-fix-chroot-directory.patch index a69ded59b..5c7c3c4a9 100644 --- a/debian/patches/selinux-fix-chroot-directory.patch +++ b/debian/patches/selinux-fix-chroot-directory.patch
@@ -1,3 +1,12 @@
		1	Description: Make ChrootDirectory work with SELinux
		2	After chroot() is called the SE Linux context setting won't work unless
		3	/selinux and /proc are mounted in the chroot environment. Even worse, if
		4	the user has control over the chroot environment then they may be able to
		5	control the context that they get (I haven't verified this).
		6	Author: Russell Coker <russell@coker.com.au>
		7	Bug-Debian: http://bugs.debian.org/556644
		8	Last-Update: 2010-02-27
		9
1	Index: b/session.c	10	Index: b/session.c
2	===================================================================	11	===================================================================
3	--- a/session.c	12	--- a/session.c


diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 5e2a9ecb6..ab343b083 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch
@@ -1,3 +1,12 @@
		1	Description: Handle SELinux authorisation roles
		2	Rejected upstream due to discomfort with magic usernames; a better approach
		3	will need an SSH protocol change. In the meantime, this came from Debian's
		4	SELinux maintainer, so we'll keep it until we have something better.
		5	Author: Manoj Srivastava <srivasta@debian.org>
		6	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
		7	Bug-Debian: http://bugs.debian.org/394795
		8	Last-Update: 2010-02-27
		9
1	Index: b/auth.h	10	Index: b/auth.h
2	===================================================================	11	===================================================================
3	--- a/auth.h	12	--- a/auth.h


diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index 3e4e96493..b33315677 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch
@@ -1,3 +1,15 @@
		1	Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
		2	In 2008, Debian (and derived distributions such as Ubuntu) shipped an
		3	OpenSSL package with a flawed random number generator, causing OpenSSH to
		4	generate only a very limited set of keys which were subject to private half
		5	precomputation. To mitigate this, this patch checks key authentications
		6	against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
		7	program which can be used to explicitly check keys against that blacklist.
		8	See CVE-2008-0166.
		9	Author: Colin Watson <cjwatson@ubuntu.com>
		10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
		11	Last-Update: 2010-02-27
		12
1	Index: b/Makefile.in	13	Index: b/Makefile.in
2	===================================================================	14	===================================================================
3	--- a/Makefile.in	15	--- a/Makefile.in


diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index 37b8052eb..c82563033 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch
@@ -1,3 +1,8 @@
		1	Description: Partial server keep-alive implementation for SSH1
		2	Author: Colin Watson <cjwatson@debian.org>
		3	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
		4	Last-Update: 2010-02-27
		5
1	Index: b/clientloop.c	6	Index: b/clientloop.c
2	===================================================================	7	===================================================================
3	--- a/clientloop.c	8	--- a/clientloop.c