1 files changed, 99 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 000000000..abbfcfcd0
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,99 @@
+openssh (1:7.2p1-1) UNRELEASED; urgency=medium
+  OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
+  default in ssh:
+   * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
+     rijndael-cbc aliases for AES.
+   * MD5-based and truncated HMAC algorithms.
+  These algorithms are already disabled by default in sshd.
+ -- Colin Watson <cjwatson@debian.org>  Mon, 29 Feb 2016 12:37:44 +0000
+openssh (1:7.1p1-2) unstable; urgency=medium
+  OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
+  cryptography.
+   * Support for the legacy SSH version 1 protocol is disabled by default at
+     compile time.  Note that this also means that the Cipher keyword in
+     ssh_config(5) is effectively no longer usable; use Ciphers instead for
+     protocol 2.  The openssh-client-ssh1 package includes "ssh1", "scp1",
+     and "ssh-keygen1" binaries which you can use if you have no alternative
+     way to connect to an outdated SSH1-only server; please contact the
+     server administrator or system vendor in such cases and ask them to
+     upgrade.
+   * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
+     disabled by default at run-time.  It may be re-enabled using the
+     instructions at http://www.openssh.com/legacy.html
+   * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
+     default at run-time.  These may be re-enabled using the instructions at
+     http://www.openssh.com/legacy.html
+   * Support for the legacy v00 cert format has been removed.
+  Future releases will retire more legacy cryptography, including:
+   * Refusing all RSA keys smaller than 1024 bits (the current minimum is
+     768 bits).
+   * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
+     all arcfour variants, and the rijndael-cbc aliases for AES.
+   * MD5-based HMAC algorithms will be disabled by default.
+ -- Colin Watson <cjwatson@debian.org>  Tue, 08 Dec 2015 15:33:08 +0000
+openssh (1:6.7p1-5) unstable; urgency=medium
+  openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
+  a number of specific LC_FOO variables rather than the wildcard LC_*.  I
+  have since been persuaded that this was a bad idea and have reverted it,
+  but it is difficult to automatically undo the change to
+  /etc/ssh/sshd_config without compounding the problem (that of modifying
+  configuration that some users did not want to be modified) further.  Most
+  users who upgraded via version 1:6.7p1-4 should restore the previous value
+  of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
+ -- Colin Watson <cjwatson@debian.org>  Sun, 22 Mar 2015 23:09:32 +0000
+openssh (1:5.4p1-2) unstable; urgency=low
+  Smartcard support is now available using PKCS#11 tokens.  If you were
+  previously using an unofficial build of Debian's OpenSSH package with
+  OpenSC-based smartcard support added, then note that commands like
+  'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
+  /usr/lib/opensc-pkcs11.so' instead.
+ -- Colin Watson <cjwatson@debian.org>  Sat, 10 Apr 2010 01:08:59 +0100
+openssh (1:3.8.1p1-9) experimental; urgency=low
+  The ssh package has been split into openssh-client and openssh-server. If
+  you had previously requested that the sshd server should not be run, then
+  that request will still be honoured. However, the recommended approach is
+  now to remove the openssh-server package if you do not want to run sshd.
+  You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
+  that.
+ -- Colin Watson <cjwatson@debian.org>  Mon,  2 Aug 2004 20:48:54 +0100
+openssh (1:3.5p1-1) unstable; urgency=low
+  This version of OpenSSH disables the environment option for public keys by
+  default, in order to avoid certain attacks (for example, LD_PRELOAD). If
+  you are using this option in an authorized_keys file, beware that the keys
+  in question will no longer work until the option is removed.
+  To re-enable this option, set "PermitUserEnvironment yes" in
+  /etc/ssh/sshd_config after the upgrade is complete, taking note of the
+  warning in the sshd_config(5) manual page.
+ -- Colin Watson <cjwatson@debian.org>  Sat, 26 Oct 2002 19:41:51 +0100
+openssh (1:3.0.1p1-1) unstable; urgency=high
+  As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
+  keys. This means the authorized_keys2 and known_hosts2 files are no longer
+  needed. They will still be read in order to maintain backward
+  compatibility.
+ -- Matthew Vernon <matthew@debian.org>  Thu, 28 Nov 2001 17:43:01 +0000

diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 000000000..abbfcfcd0 --- /dev/null +++ b/debian/NEWS
@@ -0,0 +1,99 @@
	1	openssh (1:7.2p1-1) UNRELEASED; urgency=medium
	2
	3	OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
	4	default in ssh:
	5
	6	* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
	7	rijndael-cbc aliases for AES.
	8	* MD5-based and truncated HMAC algorithms.
	9
	10	These algorithms are already disabled by default in sshd.
	11
	12	-- Colin Watson <cjwatson@debian.org> Mon, 29 Feb 2016 12:37:44 +0000
	13
	14	openssh (1:7.1p1-2) unstable; urgency=medium
	15
	16	OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
	17	cryptography.
	18
	19	* Support for the legacy SSH version 1 protocol is disabled by default at
	20	compile time. Note that this also means that the Cipher keyword in
	21	ssh_config(5) is effectively no longer usable; use Ciphers instead for
	22	protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
	23	and "ssh-keygen1" binaries which you can use if you have no alternative
	24	way to connect to an outdated SSH1-only server; please contact the
	25	server administrator or system vendor in such cases and ask them to
	26	upgrade.
	27	* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
	28	disabled by default at run-time. It may be re-enabled using the
	29	instructions at http://www.openssh.com/legacy.html
	30	* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
	31	default at run-time. These may be re-enabled using the instructions at
	32	http://www.openssh.com/legacy.html
	33	* Support for the legacy v00 cert format has been removed.
	34
	35	Future releases will retire more legacy cryptography, including:
	36
	37	* Refusing all RSA keys smaller than 1024 bits (the current minimum is
	38	768 bits).
	39	* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
	40	all arcfour variants, and the rijndael-cbc aliases for AES.
	41	* MD5-based HMAC algorithms will be disabled by default.
	42
	43	-- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
	44
	45	openssh (1:6.7p1-5) unstable; urgency=medium
	46
	47	openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
	48	a number of specific LC_FOO variables rather than the wildcard LC_*. I
	49	have since been persuaded that this was a bad idea and have reverted it,
	50	but it is difficult to automatically undo the change to
	51	/etc/ssh/sshd_config without compounding the problem (that of modifying
	52	configuration that some users did not want to be modified) further. Most
	53	users who upgraded via version 1:6.7p1-4 should restore the previous value
	54	of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
	55
	56	-- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
	57
	58	openssh (1:5.4p1-2) unstable; urgency=low
	59
	60	Smartcard support is now available using PKCS#11 tokens. If you were
	61	previously using an unofficial build of Debian's OpenSSH package with
	62	OpenSC-based smartcard support added, then note that commands like
	63	'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
	64	/usr/lib/opensc-pkcs11.so' instead.
	65
	66	-- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
	67
	68	openssh (1:3.8.1p1-9) experimental; urgency=low
	69
	70	The ssh package has been split into openssh-client and openssh-server. If
	71	you had previously requested that the sshd server should not be run, then
	72	that request will still be honoured. However, the recommended approach is
	73	now to remove the openssh-server package if you do not want to run sshd.
	74	You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
	75	that.
	76
	77	-- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
	78
	79	openssh (1:3.5p1-1) unstable; urgency=low
	80
	81	This version of OpenSSH disables the environment option for public keys by
	82	default, in order to avoid certain attacks (for example, LD_PRELOAD). If
	83	you are using this option in an authorized_keys file, beware that the keys
	84	in question will no longer work until the option is removed.
	85
	86	To re-enable this option, set "PermitUserEnvironment yes" in
	87	/etc/ssh/sshd_config after the upgrade is complete, taking note of the
	88	warning in the sshd_config(5) manual page.
	89
	90	-- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
	91
	92	openssh (1:3.0.1p1-1) unstable; urgency=high
	93
	94	As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
	95	keys. This means the authorized_keys2 and known_hosts2 files are no longer
	96	needed. They will still be read in order to maintain backward
	97	compatibility.
	98
	99	-- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000