diff options
Diffstat (limited to 'debian/changelog')
| -rw-r--r-- | debian/changelog | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 58b1f45e2..9f799969b 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,3 +1,83 @@ | |||
| 1 | openssh (1:8.1p1-1) UNRELEASED; urgency=medium | ||
| 2 | |||
| 3 | * New upstream release (https://www.openssh.com/txt/release-8.1): | ||
| 4 | - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest | ||
| 5 | in RAM against speculation and memory side-channel attacks like | ||
| 6 | Spectre, Meltdown and Rambleed. This release encrypts private keys | ||
| 7 | when they are not in use with a symmetric key that is derived from a | ||
| 8 | relatively large "prekey" consisting of random data (currently 16KB). | ||
| 9 | - ssh(1): Allow %n to be expanded in ProxyCommand strings. | ||
| 10 | - ssh(1), sshd(8): Allow prepending a list of algorithms to the default | ||
| 11 | set by starting the list with the '^' character, e.g. | ||
| 12 | "HostKeyAlgorithms ^ssh-ed25519". | ||
| 13 | - ssh-keygen(1): Add an experimental lightweight signature and | ||
| 14 | verification ability. Signatures may be made using regular ssh keys | ||
| 15 | held on disk or stored in a ssh-agent and verified against an | ||
| 16 | authorized_keys-like list of allowed keys. Signatures embed a | ||
| 17 | namespace that prevents confusion and attacks between different usage | ||
| 18 | domains (e.g. files vs email). | ||
| 19 | - ssh-keygen(1): Print key comment when extracting public key from a | ||
| 20 | private key. | ||
| 21 | - ssh-keygen(1): Accept the verbose flag when searching for host keys in | ||
| 22 | known hosts (i.e. "ssh-keygen -vF host") to print the matching host's | ||
| 23 | random-art signature too. | ||
| 24 | - All: Support PKCS8 as an optional format for storage of private keys | ||
| 25 | to disk. The OpenSSH native key format remains the default, but PKCS8 | ||
| 26 | is a superior format to PEM if interoperability with non-OpenSSH | ||
| 27 | software is required, as it may use a less insecure key derivation | ||
| 28 | function than PEM's. | ||
| 29 | - ssh(1): If a PKCS#11 token returns no keys then try to login and | ||
| 30 | refetch them. | ||
| 31 | - ssh(1): Produce a useful error message if the user's shell is set | ||
| 32 | incorrectly during "match exec" processing. | ||
| 33 | - sftp(1): Allow the maximum uint32 value for the argument passed to -b | ||
| 34 | which allows better error messages from later validation. | ||
| 35 | - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX | ||
| 36 | proposal; allows ssh-keyscan to harvest keys from servers that disable | ||
| 37 | old SHA1 ssh-rsa. | ||
| 38 | - sftp(1): Print explicit "not modified" message if a file was requested | ||
| 39 | for resumed download but was considered already complete. | ||
| 40 | - sftp(1): Fix a typo and make <esc><right> move right to the closest | ||
| 41 | end of a word just like <esc><left> moves left to the closest | ||
| 42 | beginning of a word. | ||
| 43 | - sshd(8): Cap the number of permitopen/permitlisten directives allowed | ||
| 44 | to appear on a single authorized_keys line. | ||
| 45 | - All: Fix a number of memory leaks (one-off or on exit paths). | ||
| 46 | - ssh(1), sshd(8): Check for convtime() refusing to accept times that | ||
| 47 | resolve to LONG_MAX. | ||
| 48 | - ssh(1): Slightly more instructive error message when the user | ||
| 49 | specifies multiple -J options on the command-line (closes: #929669). | ||
| 50 | - ssh-agent(1): Process agent requests for RSA certificate private keys | ||
| 51 | using correct signature algorithm when requested. | ||
| 52 | - sftp(1): Check for user@host when parsing sftp target. This allows | ||
| 53 | user@[1.2.3.4] to work without a path. | ||
| 54 | - sshd(8): Enlarge format buffer size for certificate serial number so | ||
| 55 | the log message can record any 64-bit integer without truncation. | ||
| 56 | - sshd(8): For PermitOpen violations add the remote host and port to be | ||
| 57 | able to more easily ascertain the source of the request. Add the same | ||
| 58 | logging for PermitListen violations which were not previously logged | ||
| 59 | at all. | ||
| 60 | - scp(1), sftp(1): Use the correct POSIX format style for left | ||
| 61 | justification for the transfer progress meter. | ||
| 62 | - sshd(8): When examining a configuration using sshd -T, assume any | ||
| 63 | attribute not provided by -C does not match, which allows it to work | ||
| 64 | when sshd_config contains a Match directive with or without -C. | ||
| 65 | - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots" | ||
| 66 | warning from log level error to debug. This is common when attempting | ||
| 67 | to enumerate keys on smartcard readers with no cards plugged in. | ||
| 68 | - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11 | ||
| 69 | tokens. Avoids spurious PIN prompts for keys not selected for | ||
| 70 | authentication in ssh(1) and when listing public keys available in a | ||
| 71 | token using ssh-keygen(1). | ||
| 72 | - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF. | ||
| 73 | - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with | ||
| 74 | PROT_(READ|WRITE|NONE) only. This syscall is used by some hardened | ||
| 75 | heap allocators. | ||
| 76 | - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific | ||
| 77 | ioctl for ECC hardware support. | ||
| 78 | |||
| 79 | -- Colin Watson <cjwatson@debian.org> Wed, 09 Oct 2019 23:18:42 +0100 | ||
| 80 | |||
| 1 | openssh (1:8.0p1-7) unstable; urgency=medium | 81 | openssh (1:8.0p1-7) unstable; urgency=medium |
| 2 | 82 | ||
| 3 | [ Daniel Kahn Gillmor ] | 83 | [ Daniel Kahn Gillmor ] |