1 files changed, 52 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index dc9c82813..234cc9191 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,56 @@
-openssh (1:7.1p2-3) UNRELEASED; urgency=medium
+openssh (1:7.2p1-1) UNRELEASED; urgency=medium
+  * New upstream release (http://www.openssh.com/txt/release-7.2):
+    - This release disables a number of legacy cryptographic algorithms by
+      default in ssh:
+      + Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and
+        the rijndael-cbc aliases for AES.
+      + MD5-based and truncated HMAC algorithms.
+      These algorithms are already disabled by default in sshd.
+    - ssh(1), sshd(8): Remove unfinished and unused roaming code (was
+      already forcibly disabled in OpenSSH 7.1p2).
+    - ssh(1): Eliminate fallback from untrusted X11 forwarding to trusted
+      forwarding when the X server disables the SECURITY extension.
+    - ssh(1), sshd(8): Increase the minimum modulus size supported for
+      diffie-hellman-group-exchange to 2048 bits.
+    - sshd(8): Pre-auth sandboxing is now enabled by default (previous
+      releases enabled it for new installations via sshd_config).
+    - all: Add support for RSA signatures using SHA-256/512 hash algorithms
+      based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
+    - ssh(1): Add an AddKeysToAgent client option which can be set to 'yes',
+      'no', 'ask', or 'confirm', and defaults to 'no'.  When enabled, a
+      private key that is used during authentication will be added to
+      ssh-agent if it is running (with confirmation enabled if set to
+      'confirm').
+    - sshd(8): Add a new authorized_keys option "restrict" that includes all
+      current and future key restrictions (no-*-forwarding, etc.).  Also add
+      permissive versions of the existing restrictions, e.g.  "no-pty" ->
+      "pty".  This simplifies the task of setting up restricted keys and
+      ensures they are maximally-restricted, regardless of any permissions
+      we might implement in the future.
+    - ssh(1): Add ssh_config CertificateFile option to explicitly list
+      certificates.
+    - ssh-keygen(1): Allow ssh-keygen to change the key comment for all
+      supported formats (closes: #811125).
+    - ssh-keygen(1): Allow fingerprinting from standard input, e.g.
+      "ssh-keygen -lf -" (closes: #509058).
+    - ssh-keygen(1): Allow fingerprinting multiple public keys in a file,
+      e.g. "ssh-keygen -lf ~/.ssh/authorized_keys".
+    - sshd(8): Support "none" as an argument for sshd_config Foreground and
+      ChrootDirectory.  Useful inside Match blocks to override a global
+      default.
+    - ssh-keygen(1): Support multiple certificates (one per line) and
+      reading from standard input (using "-f -") for "ssh-keygen -L"
+    - ssh-keyscan(1): Add "ssh-keyscan -c ..." flag to allow fetching
+      certificates instead of plain keys.
+    - ssh(1): Better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
+      hostname canonicalisation - treat them as already canonical and remove
+      the trailing '.' before matching ssh_config.
+    - sftp(1): Existing destination directories should not terminate
+      recursive uploads (regression in OpenSSH 6.8; LP: #1553378).
  * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb.
+  * Restore slogin symlinks for compatibility, although they were removed
+    upstream.
 -- Colin Watson <cjwatson@debian.org>  Wed, 27 Jan 2016 13:04:38 +0000

diff --git a/debian/changelog b/debian/changelog index dc9c82813..234cc9191 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,6 +1,56 @@
1	openssh (1:7.1p2-3) UNRELEASED; urgency=medium	1	openssh (1:7.2p1-1) UNRELEASED; urgency=medium
2		2
		3	* New upstream release (http://www.openssh.com/txt/release-7.2):
		4	- This release disables a number of legacy cryptographic algorithms by
		5	default in ssh:
		6	+ Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and
		7	the rijndael-cbc aliases for AES.
		8	+ MD5-based and truncated HMAC algorithms.
		9	These algorithms are already disabled by default in sshd.
		10	- ssh(1), sshd(8): Remove unfinished and unused roaming code (was
		11	already forcibly disabled in OpenSSH 7.1p2).
		12	- ssh(1): Eliminate fallback from untrusted X11 forwarding to trusted
		13	forwarding when the X server disables the SECURITY extension.
		14	- ssh(1), sshd(8): Increase the minimum modulus size supported for
		15	diffie-hellman-group-exchange to 2048 bits.
		16	- sshd(8): Pre-auth sandboxing is now enabled by default (previous
		17	releases enabled it for new installations via sshd_config).
		18	- all: Add support for RSA signatures using SHA-256/512 hash algorithms
		19	based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
		20	- ssh(1): Add an AddKeysToAgent client option which can be set to 'yes',
		21	'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
		22	private key that is used during authentication will be added to
		23	ssh-agent if it is running (with confirmation enabled if set to
		24	'confirm').
		25	- sshd(8): Add a new authorized_keys option "restrict" that includes all
		26	current and future key restrictions (no-*-forwarding, etc.). Also add
		27	permissive versions of the existing restrictions, e.g. "no-pty" ->
		28	"pty". This simplifies the task of setting up restricted keys and
		29	ensures they are maximally-restricted, regardless of any permissions
		30	we might implement in the future.
		31	- ssh(1): Add ssh_config CertificateFile option to explicitly list
		32	certificates.
		33	- ssh-keygen(1): Allow ssh-keygen to change the key comment for all
		34	supported formats (closes: #811125).
		35	- ssh-keygen(1): Allow fingerprinting from standard input, e.g.
		36	"ssh-keygen -lf -" (closes: #509058).
		37	- ssh-keygen(1): Allow fingerprinting multiple public keys in a file,
		38	e.g. "ssh-keygen -lf ~/.ssh/authorized_keys".
		39	- sshd(8): Support "none" as an argument for sshd_config Foreground and
		40	ChrootDirectory. Useful inside Match blocks to override a global
		41	default.
		42	- ssh-keygen(1): Support multiple certificates (one per line) and
		43	reading from standard input (using "-f -") for "ssh-keygen -L"
		44	- ssh-keyscan(1): Add "ssh-keyscan -c ..." flag to allow fetching
		45	certificates instead of plain keys.
		46	- ssh(1): Better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
		47	hostname canonicalisation - treat them as already canonical and remove
		48	the trailing '.' before matching ssh_config.
		49	- sftp(1): Existing destination directories should not terminate
		50	recursive uploads (regression in OpenSSH 6.8; LP: #1553378).
3	* Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb.	51	* Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb.
		52	* Restore slogin symlinks for compatibility, although they were removed
		53	upstream.
4		54
5	-- Colin Watson <cjwatson@debian.org> Wed, 27 Jan 2016 13:04:38 +0000	55	-- Colin Watson <cjwatson@debian.org> Wed, 27 Jan 2016 13:04:38 +0000
6		56