1 files changed, 81 insertions, 3 deletions

diff --git a/debian/changelog b/debian/changelog
index 69cbf0b4e..ab75bf2a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,86 @@
-openssh (1:8.2p1-5) UNRELEASED; urgency=medium
+openssh (1:8.3p1-1) UNRELEASED; urgency=medium
 
   * Fix or suppress various shellcheck errors under debian/.
-
- -- Colin Watson <cjwatson@debian.org>  Sat, 23 May 2020 12:46:19 +0100
+  * New upstream release (https://www.openssh.com/txt/release-8.3):
+    - [SECURITY] scp(1): when receiving files, scp(1) could become
+      desynchronised if a utimes(2) system call failed.  This could allow
+      file contents to be interpreted as file metadata and thereby permit an
+      adversary to craft a file system that, when copied with scp(1) in a
+      configuration that caused utimes(2) to fail (e.g. under a SELinux
+      policy or syscall sandbox), transferred different file names and
+      contents to the actual file system layout.
+    - sftp(1): reject an argument of "-1" in the same way as ssh(1) and
+      scp(1) do instead of accepting and silently ignoring it.
+    - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
+      rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
+      allow .shosts files but not .rhosts.
+    - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
+      sshd_config, not just before any Match blocks.
+    - ssh(1): add %TOKEN percent expansion for the LocalForward and
+      RemoteForward keywords when used for Unix domain socket forwarding.
+    - all: allow loading public keys from the unencrypted envelope of a
+      private key file if no corresponding public key file is present.
+    - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible
+      instead of the (slower) portable C implementation included in OpenSSH.
+    - ssh-keygen(1): add ability to dump the contents of a binary key
+      revocation list via "ssh-keygen -lQf /path".
+    - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
+      PKCS11Provider.
+    - ssh-keygen(1): avoid NULL dereference when trying to convert an
+      invalid RFC4716 private key.
+    - scp(1): when performing remote-to-remote copies using "scp -3", start
+      the second ssh(1) channel with BatchMode=yes enabled to avoid
+      confusing and non-deterministic ordering of prompts.
+    - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
+      perform hashing of the message to be signed in the middleware layer
+      rather than in OpenSSH code.  This permits the use of security key
+      middlewares that perform the hashing implicitly, such as Windows
+      Hello.
+    - ssh(1): fix incorrect error message for "too many known hosts files."
+    - ssh(1): make failures when establishing "Tunnel" forwarding terminate
+      the connection when ExitOnForwardFailure is enabled.
+    - ssh-keygen(1): fix printing of fingerprints on private keys and add a
+      regression test for same.
+    - sshd(8): document order of checking AuthorizedKeysFile (first) and
+      AuthorizedKeysCommand (subsequently, if the file doesn't match).
+    - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not
+      considered for HostbasedAuthentication when the target user is root.
+    - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key
+      parsing.
+    - ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted
+      in various configuration options.
+    - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11
+      C_Login failure cases.
+    - ssh(1), sshd(8): make error messages for problems during SSH banner
+      exchange consistent with other SSH transport-layer error messages and
+      ensure they include the relevant IP addresses.
+    - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a
+      token, don't prompt for a PIN until the token has told us that it
+      needs one.  Avoids double-prompting on devices that implement
+      on-device authentication (closes: #932071).
+    - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
+      should be an extension, not a critical option.
+    - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
+      trying to use a FIDO key function and SecurityKeyProvider is empty.
+    - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
+      values allowed by the wire format (u32).  Prevents integer wraparound
+      of the timeout values.
+    - ssh(1): detect and prevent trivial configuration loops when using
+      ProxyJump. bz#3057.
+    - On platforms that do not support setting process-wide routing domains
+      (all excepting OpenBSD at present), fail to accept a configuration
+      attempts to set one at process start time rather than fatally erroring
+      at run time.
+    - Fix theoretical infinite loop in the glob(3) replacement
+      implementation.
+  * Update GSSAPI key exchange patch from
+    https://github.com/openssh-gsskex/openssh-gsskex:
+    - Fix connection through ProxyJump in combination with "GSSAPITrustDNS
+      yes".
+    - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
+      was published.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 07 Jun 2020 10:25:54 +0100
 
 openssh (1:8.2p1-4) unstable; urgency=medium