1 files changed, 68 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 29fd1f72b..4363b82ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,71 @@
+openssh (1:6.8p1-1) UNRELEASED; urgency=medium
+  * New upstream release (http://www.openssh.com/txt/release-6.8):
+    - sshd(8): UseDNS now defaults to 'no'.  Configurations that match
+      against the client host name (via sshd_config or authorized_keys) may
+      need to re-enable it or convert to matching against addresses.
+    - Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
+      command-line flags to the other tools to control algorithm used for
+      key fingerprints.  The default changes from MD5 to SHA256 and format
+      from hex to base64.
+      Fingerprints now have the hash algorithm prepended.  An example of the
+      new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
+      Please note that visual host keys will also be different.
+    - ssh(1), sshd(8): Experimental host key rotation support.  Add a
+      protocol extension for a server to inform a client of all its
+      available host keys after authentication has completed.  The client
+      may record the keys in known_hosts, allowing it to upgrade to better
+      host key algorithms and a server to gracefully rotate its keys.
+      The client side of this is controlled by a UpdateHostkeys config
+      option (default off).
+    - ssh(1): Add a ssh_config HostbasedKeyType option to control which host
+      public key types are tried during host-based authentication.
+    - ssh(1), sshd(8): Fix connection-killing host key mismatch errors when
+      sshd offers multiple ECDSA keys of different lengths.
+    - ssh(1): When host name canonicalisation is enabled, try to parse host
+      names as addresses before looking them up for canonicalisation.  Fixes
+      bz#2074 and avoids needless DNS lookups in some cases.
+    - ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
+      authentication.
+    - sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
+      Bleichenbacher Side Channel Attack.  Fake up a bignum key before RSA
+      decryption.
+    - sshd(8): Remember which public keys have been used for authentication
+      and refuse to accept previously-used keys.  This allows
+      AuthenticationMethods=publickey,publickey to require that users
+      authenticate using two _different_ public keys.
+    - sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
+      PubkeyAcceptedKeyTypes options to allow sshd to control what public
+      key types will be accepted (closes: #481133).  Currently defaults to
+      all.
+    - sshd(8): Don't count partial authentication success as a failure
+      against MaxAuthTries.
+    - ssh(1): Add RevokedHostKeys option for the client to allow text-file
+      or KRL-based revocation of host keys.
+    - ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial
+      number or key ID without scoping to a particular CA.
+    - ssh(1): Add a "Match canonical" criteria that allows ssh_config Match
+      blocks to trigger only in the second config pass.
+    - ssh(1): Add a -G option to ssh that causes it to parse its
+      configuration and dump the result to stdout, similar to "sshd -T".
+    - ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
+    - ssh-keyscan(1): ssh-keyscan has been made much more robust against
+      servers that hang or violate the SSH protocol (closes: #241119).
+    - ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
+      being lost as comment fields (closes: #787776).
+    - ssh(1): Allow ssh_config Port options set in the second config parse
+      phase to be applied (they were being ignored; closes: #774369).
+    - ssh(1): Tweak config re-parsing with host canonicalisation - make the
+      second pass through the config files always run when host name
+      canonicalisation is enabled (and not whenever the host name changes)
+    - ssh(1): Fix passing of wildcard forward bind addresses when connection
+      multiplexing is in use.
+    - ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
+      formats.
+    - ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.
+ -- Colin Watson <cjwatson@debian.org>  Wed, 19 Aug 2015 15:19:54 +0100
 openssh (1:6.7p1-6) unstable; urgency=medium
  [ Martin Pitt ]

diff --git a/debian/changelog b/debian/changelog index 29fd1f72b..4363b82ef 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,71 @@
		1	openssh (1:6.8p1-1) UNRELEASED; urgency=medium
		2
		3	* New upstream release (http://www.openssh.com/txt/release-6.8):
		4	- sshd(8): UseDNS now defaults to 'no'. Configurations that match
		5	against the client host name (via sshd_config or authorized_keys) may
		6	need to re-enable it or convert to matching against addresses.
		7	- Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
		8	command-line flags to the other tools to control algorithm used for
		9	key fingerprints. The default changes from MD5 to SHA256 and format
		10	from hex to base64.
		11	Fingerprints now have the hash algorithm prepended. An example of the
		12	new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
		13	Please note that visual host keys will also be different.
		14	- ssh(1), sshd(8): Experimental host key rotation support. Add a
		15	protocol extension for a server to inform a client of all its
		16	available host keys after authentication has completed. The client
		17	may record the keys in known_hosts, allowing it to upgrade to better
		18	host key algorithms and a server to gracefully rotate its keys.
		19	The client side of this is controlled by a UpdateHostkeys config
		20	option (default off).
		21	- ssh(1): Add a ssh_config HostbasedKeyType option to control which host
		22	public key types are tried during host-based authentication.
		23	- ssh(1), sshd(8): Fix connection-killing host key mismatch errors when
		24	sshd offers multiple ECDSA keys of different lengths.
		25	- ssh(1): When host name canonicalisation is enabled, try to parse host
		26	names as addresses before looking them up for canonicalisation. Fixes
		27	bz#2074 and avoids needless DNS lookups in some cases.
		28	- ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
		29	authentication.
		30	- sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
		31	Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA
		32	decryption.
		33	- sshd(8): Remember which public keys have been used for authentication
		34	and refuse to accept previously-used keys. This allows
		35	AuthenticationMethods=publickey,publickey to require that users
		36	authenticate using two _different_ public keys.
		37	- sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
		38	PubkeyAcceptedKeyTypes options to allow sshd to control what public
		39	key types will be accepted (closes: #481133). Currently defaults to
		40	all.
		41	- sshd(8): Don't count partial authentication success as a failure
		42	against MaxAuthTries.
		43	- ssh(1): Add RevokedHostKeys option for the client to allow text-file
		44	or KRL-based revocation of host keys.
		45	- ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial
		46	number or key ID without scoping to a particular CA.
		47	- ssh(1): Add a "Match canonical" criteria that allows ssh_config Match
		48	blocks to trigger only in the second config pass.
		49	- ssh(1): Add a -G option to ssh that causes it to parse its
		50	configuration and dump the result to stdout, similar to "sshd -T".
		51	- ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
		52	- ssh-keyscan(1): ssh-keyscan has been made much more robust against
		53	servers that hang or violate the SSH protocol (closes: #241119).
		54	- ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
		55	being lost as comment fields (closes: #787776).
		56	- ssh(1): Allow ssh_config Port options set in the second config parse
		57	phase to be applied (they were being ignored; closes: #774369).
		58	- ssh(1): Tweak config re-parsing with host canonicalisation - make the
		59	second pass through the config files always run when host name
		60	canonicalisation is enabled (and not whenever the host name changes)
		61	- ssh(1): Fix passing of wildcard forward bind addresses when connection
		62	multiplexing is in use.
		63	- ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
		64	formats.
		65	- ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.
		66
		67	-- Colin Watson <cjwatson@debian.org> Wed, 19 Aug 2015 15:19:54 +0100
		68
1	openssh (1:6.7p1-6) unstable; urgency=medium	69	openssh (1:6.7p1-6) unstable; urgency=medium
2		70
3	[ Martin Pitt ]	71	[ Martin Pitt ]