Diffstat (limited to 'debian/changelog')
-rw-r--r-- debian/changelog 81
1 files changed, 81 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 7be0100c2..9202f5e3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,84 @@
1openssh (1:7.5p1-1) UNRELEASED; urgency=medium
2
3 * New upstream release (https://www.openssh.com/txt/release-7.5):
4 - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle
5 countermeasures that allowed a variant of the attack fixed in OpenSSH
6 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by
7 default, sshd offers them as lowest-preference options and will remove
8 them by default entirely in the next release.
9 - This release deprecates the sshd_config UsePrivilegeSeparation option,
10 thereby making privilege separation mandatory (closes: #407754).
11 - The format of several log messages emitted by the packet code has
12 changed to include additional information about the user and their
13 authentication state. Software that monitors ssh/sshd logs may need
14 to account for these changes.
15 - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
16 algorithm lists, e.g. Ciphers=-*cbc.
17 - sshd(1): Fix NULL dereference crash when key exchange start messages
18 are sent out of sequence.
19 - ssh(1), sshd(8): Allow form-feed characters to appear in configuration
20 files.
21 - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs
22 extension, where SHA2 RSA signature methods were not being correctly
23 advertised.
24 - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
25 known_hosts processing.
26 - ssh(1): Allow ssh to use certificates accompanied by a private key
27 file but no corresponding plain *.pub public key.
28 - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept
29 RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously,
30 ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were
31 enabled in HostkeyAlgorithms and not the old ssh-rsa method.
32 - ssh(1): Detect and report excessively long configuration file lines.
33 - Merge a number of fixes found by Coverity and reported via Redhat and
34 FreeBSD. Includes fixes for some memory and file descriptor leaks in
35 error paths.
36 - ssh(1), sshd(8): When logging long messages to stderr, don't truncate
37 "\r\n" if the length of the message exceeds the buffer.
38 - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
39 line; avoid confusion over IPv6 addresses and shells that treat square
40 bracket characters specially.
41 - Fix various fallout and sharp edges caused by removing SSH protocol 1
42 support from the server, including the server banner string being
43 incorrectly terminated with only \n (instead of \r\n), confusing error
44 messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was
45 enabled for the client and sshd_config contained references to legacy
46 keys.
47 - ssh(1), sshd(8): Free fd_set on connection timeout.
48 - sftp(1): Fix division by zero crash in "df" output when server returns
49 zero total filesystem blocks/inodes.
50 - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
51 encountered during key loading to more meaningful error codes.
52 - ssh-keygen(1): Sanitise escape sequences in key comments sent to
53 printf but preserve valid UTF-8 when the locale supports it.
54 - ssh(1), sshd(8): Return reason for port forwarding failures where
55 feasible rather than always "administratively prohibited".
56 - sshd(8): Fix deadlock when AuthorizedKeysCommand or
57 AuthorizedPrincipalsCommand produces a lot of output and a key is
58 matched early.
59 - ssh(1): Fix typo in ~C error message for bad port forward
60 cancellation.
61 - ssh(1): Show a useful error message when included config files can't
62 be opened.
63 - sshd_config(5): Repair accidentally-deleted mention of %k token in
64 AuthorizedKeysCommand.
65 - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
66 - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common
67 32-bit compatibility library directories.
68 - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
69 response handling.
70 - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys.
71 It was not possible to delete them except by specifying their full
72 physical path.
73 - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
74 crypto coprocessor.
75 - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
76 inspection.
77 - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
78 contain non-printable characters where the codeset in use is ASCII.
79
80 -- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 01:31:21 +0100
81
1openssh (1:7.4p1-10) unstable; urgency=medium 82openssh (1:7.4p1-10) unstable; urgency=medium
2 83
3 * Move privilege separation directory and PID file from /var/run/ to /run/ 84 * Move privilege separation directory and PID file from /var/run/ to /run/
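Review bot: The entry at new line 17 cites "sshd(1)" while every other sshd entry in this hunk cites "sshd(8)", and the last entry (new lines 77-78) reads "Fix output truncation for various that contain non-printable characters" with the noun after "various" missing. If both are carried over verbatim from the upstream release notes linked on line 3, say so or leave them; otherwise correct the section number and supply the missing word. Separately, new lines 9-14 record two changes that affect existing installations (UsePrivilegeSeparation is deprecated and privilege separation becomes mandatory, and the packet-code log message format changes in a way that "Software that monitors ssh/sshd logs may need to account for"). They sit in the middle of a list of more than thirty items, so consider moving them directly under the SECURITY entry or repeating them in debian/NEWS, so that administrators who parse sshd logs or still set that option notice them on upgrade.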