1 files changed, 113 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 627124b96..5a180a84c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,116 @@
+openssh (1:7.7p1-3) UNRELEASED; urgency=medium
+  [ Colin Watson ]
+  * Adjust git-dpm tagging configuration.
+  [ Juri Grabowski ]
+  * Add rescue.target with ssh support.
+ -- Colin Watson <cjwatson@debian.org>  Sat, 16 Jun 2018 12:42:36 +0100
+openssh (1:7.7p1-2) unstable; urgency=medium
+  * Fix parsing of DebianBanner option (closes: #894730).
+ -- Colin Watson <cjwatson@debian.org>  Wed, 04 Apr 2018 00:47:29 +0100
+openssh (1:7.7p1-1) unstable; urgency=medium
+  * New upstream release (https://www.openssh.com/txt/release-7.7):
+    - ssh(1)/sshd(8): Drop compatibility support for some very old SSH
+      implementations, including ssh.com <=2.* and OpenSSH <= 3.*.  These
+      versions were all released in or before 2001 and predate the final SSH
+      RFCs.  The support in question isn't necessary for RFC-compliant SSH
+      implementations.
+    - Add experimental support for PQC XMSS keys (Extended Hash-Based
+      Signatures).
+    - sshd(8): Add an "rdomain" criterion for the sshd_config Match keyword
+      to allow conditional configuration that depends on which routing
+      domain a connection was received on.
+    - sshd_config(5): Add an optional rdomain qualifier to the ListenAddress
+      directive to allow listening on different routing domains.
+    - sshd(8): Add "expiry-time" option for authorized_keys files to allow
+      for expiring keys.
+    - ssh(1): Add a BindInterface option to allow binding the outgoing
+      connection to an interface's address (basically a more usable
+      BindAddress; closes: #289592).
+    - ssh(1): Expose device allocated for tun/tap forwarding via a new %T
+      expansion for LocalCommand.  This allows LocalCommand to be used to
+      prepare the interface.
+    - sshd(8): Expose the device allocated for tun/tap forwarding via a new
+      SSH_TUNNEL environment variable.  This allows automatic setup of the
+      interface and surrounding network configuration automatically on the
+      server.
+    - ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
+      ssh://user@host or sftp://user@host/path.  Additional connection
+      parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
+      implemented since the ssh fingerprint format in the draft uses the
+      deprecated MD5 hash with no way to specify any other algorithm.
+    - ssh-keygen(1): Allow certificate validity intervals that specify only
+      a start or stop time (instead of both or neither).
+    - sftp(1): Allow "cd" and "lcd" commands with no explicit path argument.
+      lcd will change to the local user's home directory as usual.  cd will
+      change to the starting directory for session (because the protocol
+      offers no way to obtain the remote user's home directory).
+    - sshd(8): When doing a config test with sshd -T, only require the
+      attributes that are actually used in Match criteria rather than (an
+      incomplete list of) all criteria.
+    - ssh(1)/sshd(8): More strictly check signature types during key
+      exchange against what was negotiated.  Prevents downgrade of RSA
+      signatures made with SHA-256/512 to SHA-1.
+    - sshd(8): Fix support for client that advertise a protocol version of
+      "1.99" (indicating that they are prepared to accept both SSHv1 and
+      SSHv2).  This was broken in OpenSSH 7.6 during the removal of SSHv1
+      support.
+    - ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a
+      rsa-sha2-256/512 signature was requested.  This condition is possible
+      when an old or non-OpenSSH agent is in use.
+    - ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
+      to fatally exit if presented an invalid signature request message.
+    - sshd_config(5): Accept yes/no flag options case-insensitively, as has
+      been the case in ssh_config(5) for a long time (LP: #1656557).
+    - ssh(1): Improve error reporting for failures during connection.  Under
+      some circumstances misleading errors were being shown.
+    - ssh-keyscan(1): Add -D option to allow printing of results directly in
+      SSHFP format.
+    - ssh(1): Compatibility fix for some servers that erroneously drop the
+      connection when the IUTF8 (RFC8160) option is sent.
+    - scp(1): Disable RemoteCommand and RequestTTY in the ssh session
+      started by scp (sftp was already doing this).
+    - ssh-keygen(1): Refuse to create a certificate with an unusable number
+      of principals.
+    - ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
+      public key during key generation.  Previously it would silently ignore
+      errors writing the comment and terminating newline.
+    - ssh(1): Do not modify hostname arguments that are addresses by
+      automatically forcing them to lower-case.  Instead canonicalise them
+      jo resolve ambiguities (e.g. ::0001 => ::1) before they are matched
+      against known_hosts.
+    - ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
+      prompts.
+    - sftp(1): Have sftp print a warning about shell cleanliness when
+      decoding the first packet fails, which is usually caused by shells
+      polluting stdout of non-interactive startups.
+    - ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
+      time to monotonic time, allowing the packet layer to better function
+      over a clock step and avoiding possible integer overflows during
+      steps.
+    - sshd(8): Correctly detect MIPS ABI in use at configure time.  Fixes
+      sandbox violations on some environments.
+    - Build and link with "retpoline" flags when available to mitigate the
+      "branch target injection" style (variant 2) of the Spectre
+      branch-prediction vulnerability.
+ -- Colin Watson <cjwatson@debian.org>  Tue, 03 Apr 2018 12:40:24 +0100
+openssh (1:7.6p1-5) unstable; urgency=medium
+  * Explicitly build-depend on pkg-config, rather than implicitly
+    build-depending on it via libgtk-3-dev (thanks, Aurelien Jarno; closes:
+    #894558).
+ -- Colin Watson <cjwatson@debian.org>  Sun, 01 Apr 2018 21:37:19 +0100
 openssh (1:7.6p1-4) unstable; urgency=medium
  * Move VCS to salsa.debian.org.

diff --git a/debian/changelog b/debian/changelog index 627124b96..5a180a84c 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,116 @@
		1	openssh (1:7.7p1-3) UNRELEASED; urgency=medium
		2
		3	[ Colin Watson ]
		4	* Adjust git-dpm tagging configuration.
		5
		6	[ Juri Grabowski ]
		7	* Add rescue.target with ssh support.
		8
		9	-- Colin Watson <cjwatson@debian.org> Sat, 16 Jun 2018 12:42:36 +0100
		10
		11	openssh (1:7.7p1-2) unstable; urgency=medium
		12
		13	* Fix parsing of DebianBanner option (closes: #894730).
		14
		15	-- Colin Watson <cjwatson@debian.org> Wed, 04 Apr 2018 00:47:29 +0100
		16
		17	openssh (1:7.7p1-1) unstable; urgency=medium
		18
		19	* New upstream release (https://www.openssh.com/txt/release-7.7):
		20	- ssh(1)/sshd(8): Drop compatibility support for some very old SSH
		21	implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
		22	versions were all released in or before 2001 and predate the final SSH
		23	RFCs. The support in question isn't necessary for RFC-compliant SSH
		24	implementations.
		25	- Add experimental support for PQC XMSS keys (Extended Hash-Based
		26	Signatures).
		27	- sshd(8): Add an "rdomain" criterion for the sshd_config Match keyword
		28	to allow conditional configuration that depends on which routing
		29	domain a connection was received on.
		30	- sshd_config(5): Add an optional rdomain qualifier to the ListenAddress
		31	directive to allow listening on different routing domains.
		32	- sshd(8): Add "expiry-time" option for authorized_keys files to allow
		33	for expiring keys.
		34	- ssh(1): Add a BindInterface option to allow binding the outgoing
		35	connection to an interface's address (basically a more usable
		36	BindAddress; closes: #289592).
		37	- ssh(1): Expose device allocated for tun/tap forwarding via a new %T
		38	expansion for LocalCommand. This allows LocalCommand to be used to
		39	prepare the interface.
		40	- sshd(8): Expose the device allocated for tun/tap forwarding via a new
		41	SSH_TUNNEL environment variable. This allows automatic setup of the
		42	interface and surrounding network configuration automatically on the
		43	server.
		44	- ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
		45	ssh://user@host or sftp://user@host/path. Additional connection
		46	parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
		47	implemented since the ssh fingerprint format in the draft uses the
		48	deprecated MD5 hash with no way to specify any other algorithm.
		49	- ssh-keygen(1): Allow certificate validity intervals that specify only
		50	a start or stop time (instead of both or neither).
		51	- sftp(1): Allow "cd" and "lcd" commands with no explicit path argument.
		52	lcd will change to the local user's home directory as usual. cd will
		53	change to the starting directory for session (because the protocol
		54	offers no way to obtain the remote user's home directory).
		55	- sshd(8): When doing a config test with sshd -T, only require the
		56	attributes that are actually used in Match criteria rather than (an
		57	incomplete list of) all criteria.
		58	- ssh(1)/sshd(8): More strictly check signature types during key
		59	exchange against what was negotiated. Prevents downgrade of RSA
		60	signatures made with SHA-256/512 to SHA-1.
		61	- sshd(8): Fix support for client that advertise a protocol version of
		62	"1.99" (indicating that they are prepared to accept both SSHv1 and
		63	SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
		64	support.
		65	- ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a
		66	rsa-sha2-256/512 signature was requested. This condition is possible
		67	when an old or non-OpenSSH agent is in use.
		68	- ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
		69	to fatally exit if presented an invalid signature request message.
		70	- sshd_config(5): Accept yes/no flag options case-insensitively, as has
		71	been the case in ssh_config(5) for a long time (LP: #1656557).
		72	- ssh(1): Improve error reporting for failures during connection. Under
		73	some circumstances misleading errors were being shown.
		74	- ssh-keyscan(1): Add -D option to allow printing of results directly in
		75	SSHFP format.
		76	- ssh(1): Compatibility fix for some servers that erroneously drop the
		77	connection when the IUTF8 (RFC8160) option is sent.
		78	- scp(1): Disable RemoteCommand and RequestTTY in the ssh session
		79	started by scp (sftp was already doing this).
		80	- ssh-keygen(1): Refuse to create a certificate with an unusable number
		81	of principals.
		82	- ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
		83	public key during key generation. Previously it would silently ignore
		84	errors writing the comment and terminating newline.
		85	- ssh(1): Do not modify hostname arguments that are addresses by
		86	automatically forcing them to lower-case. Instead canonicalise them
		87	jo resolve ambiguities (e.g. ::0001 => ::1) before they are matched
		88	against known_hosts.
		89	- ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
		90	prompts.
		91	- sftp(1): Have sftp print a warning about shell cleanliness when
		92	decoding the first packet fails, which is usually caused by shells
		93	polluting stdout of non-interactive startups.
		94	- ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
		95	time to monotonic time, allowing the packet layer to better function
		96	over a clock step and avoiding possible integer overflows during
		97	steps.
		98	- sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
		99	sandbox violations on some environments.
		100	- Build and link with "retpoline" flags when available to mitigate the
		101	"branch target injection" style (variant 2) of the Spectre
		102	branch-prediction vulnerability.
		103
		104	-- Colin Watson <cjwatson@debian.org> Tue, 03 Apr 2018 12:40:24 +0100
		105
		106	openssh (1:7.6p1-5) unstable; urgency=medium
		107
		108	* Explicitly build-depend on pkg-config, rather than implicitly
		109	build-depending on it via libgtk-3-dev (thanks, Aurelien Jarno; closes:
		110	#894558).
		111
		112	-- Colin Watson <cjwatson@debian.org> Sun, 01 Apr 2018 21:37:19 +0100
		113
1	openssh (1:7.6p1-4) unstable; urgency=medium	114	openssh (1:7.6p1-4) unstable; urgency=medium
2		115
3	* Move VCS to salsa.debian.org.	116	* Move VCS to salsa.debian.org.