Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 7be0100c2..9202f5e3a 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,84 @@ | |||
1 | openssh (1:7.5p1-1) UNRELEASED; urgency=medium | ||
2 | |||
3 | * New upstream release (https://www.openssh.com/txt/release-7.5): | ||
4 | - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle | ||
5 | countermeasures that allowed a variant of the attack fixed in OpenSSH | ||
6 | 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by | ||
7 | default, sshd offers them as lowest-preference options and will remove | ||
8 | them by default entirely in the next release. | ||
9 | - This release deprecates the sshd_config UsePrivilegeSeparation option, | ||
10 | thereby making privilege separation mandatory (closes: #407754). | ||
11 | - The format of several log messages emitted by the packet code has | ||
12 | changed to include additional information about the user and their | ||
13 | authentication state. Software that monitors ssh/sshd logs may need | ||
14 | to account for these changes. | ||
15 | - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from | ||
16 | algorithm lists, e.g. Ciphers=-*cbc. | ||
17 | - sshd(1): Fix NULL dereference crash when key exchange start messages | ||
18 | are sent out of sequence. | ||
19 | - ssh(1), sshd(8): Allow form-feed characters to appear in configuration | ||
20 | files. | ||
21 | - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs | ||
22 | extension, where SHA2 RSA signature methods were not being correctly | ||
23 | advertised. | ||
24 | - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in | ||
25 | known_hosts processing. | ||
26 | - ssh(1): Allow ssh to use certificates accompanied by a private key | ||
27 | file but no corresponding plain *.pub public key. | ||
28 | - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept | ||
29 | RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, | ||
30 | ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were | ||
31 | enabled in HostkeyAlgorithms and not the old ssh-rsa method. | ||
32 | - ssh(1): Detect and report excessively long configuration file lines. | ||
33 | - Merge a number of fixes found by Coverity and reported via Redhat and | ||
34 | FreeBSD. Includes fixes for some memory and file descriptor leaks in | ||
35 | error paths. | ||
36 | - ssh(1), sshd(8): When logging long messages to stderr, don't truncate | ||
37 | "\r\n" if the length of the message exceeds the buffer. | ||
38 | - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command- | ||
39 | line; avoid confusion over IPv6 addresses and shells that treat square | ||
40 | bracket characters specially. | ||
41 | - Fix various fallout and sharp edges caused by removing SSH protocol 1 | ||
42 | support from the server, including the server banner string being | ||
43 | incorrectly terminated with only \n (instead of \r\n), confusing error | ||
44 | messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was | ||
45 | enabled for the client and sshd_config contained references to legacy | ||
46 | keys. | ||
47 | - ssh(1), sshd(8): Free fd_set on connection timeout. | ||
48 | - sftp(1): Fix division by zero crash in "df" output when server returns | ||
49 | zero total filesystem blocks/inodes. | ||
50 | - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors | ||
51 | encountered during key loading to more meaningful error codes. | ||
52 | - ssh-keygen(1): Sanitise escape sequences in key comments sent to | ||
53 | printf but preserve valid UTF-8 when the locale supports it. | ||
54 | - ssh(1), sshd(8): Return reason for port forwarding failures where | ||
55 | feasible rather than always "administratively prohibited". | ||
56 | - sshd(8): Fix deadlock when AuthorizedKeysCommand or | ||
57 | AuthorizedPrincipalsCommand produces a lot of output and a key is | ||
58 | matched early. | ||
59 | - ssh(1): Fix typo in ~C error message for bad port forward | ||
60 | cancellation. | ||
61 | - ssh(1): Show a useful error message when included config files can't | ||
62 | be opened. | ||
63 | - sshd_config(5): Repair accidentally-deleted mention of %k token in | ||
64 | AuthorizedKeysCommand. | ||
65 | - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM. | ||
66 | - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common | ||
67 | 32-bit compatibility library directories. | ||
68 | - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME | ||
69 | response handling. | ||
70 | - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys. | ||
71 | It was not possible to delete them except by specifying their full | ||
72 | physical path. | ||
73 | - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA | ||
74 | crypto coprocessor. | ||
75 | - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg | ||
76 | inspection. | ||
77 | - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that | ||
78 | contain non-printable characters where the codeset in use is ASCII. | ||
79 | |||
80 | -- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 01:31:21 +0100 | ||
81 | |||
1 | openssh (1:7.4p1-10) unstable; urgency=medium | 82 | openssh (1:7.4p1-10) unstable; urgency=medium |
2 | 83 | ||
3 | * Move privilege separation directory and PID file from /var/run/ to /run/ | 84 | * Move privilege separation directory and PID file from /var/run/ to /run/ |
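Review bot: new lines 9-14 record two changes that affect existing installations on upgrade (UsePrivilegeSeparation is deprecated so privilege separation becomes mandatory, and the packet-code log message format changes), but the diffstat shows only debian/changelog touched. Consider a debian/NEWS entry so that administrators who set UsePrivilegeSeparation in sshd_config, or who run software that parses ssh/sshd logs, are told at upgrade time rather than having to read the changelog. Two wording nits in the same hunk: new line 17 says "sshd(1)" where every other item uses "sshd(8)", and new line 77 reads "Fix output truncation for various that contain non-printable characters", which is missing the noun after "various".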