diff options
Diffstat (limited to 'debian/changelog')
| -rw-r--r-- | debian/changelog | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index 0cf20dc14..e89bee3b7 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,5 +1,46 @@ | |||
| 1 | openssh (1:6.6p1-9) UNRELEASED; urgency=medium | 1 | openssh (1:6.7p1-1) UNRELEASED; urgency=medium |
| 2 | 2 | ||
| 3 | * New upstream release (http://www.openssh.com/txt/release-6.7): | ||
| 4 | - sshd(8): The default set of ciphers and MACs has been altered to | ||
| 5 | remove unsafe algorithms. In particular, CBC ciphers and arcfour* are | ||
| 6 | disabled by default. The full set of algorithms remains available if | ||
| 7 | configured explicitly via the Ciphers and MACs sshd_config options. | ||
| 8 | - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A | ||
| 9 | remote TCP port may be forwarded to a local Unix domain socket and | ||
| 10 | vice versa or both ends may be a Unix domain socket (closes: #236718). | ||
| 11 | - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 | ||
| 12 | key types. | ||
| 13 | - sftp(1): Allow resumption of interrupted uploads. | ||
| 14 | - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is | ||
| 15 | the same as the one sent during initial key exchange. | ||
| 16 | - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses | ||
| 17 | when GatewayPorts=no; allows client to choose address family. | ||
| 18 | - sshd(8): Add a sshd_config PermitUserRC option to control whether | ||
| 19 | ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys | ||
| 20 | option. | ||
| 21 | - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that | ||
| 22 | expands to a unique identifer based on a hash of the tuple of (local | ||
| 23 | host, remote user, hostname, port). Helps avoid exceeding miserly | ||
| 24 | pathname limits for Unix domain sockets in multiplexing control paths. | ||
| 25 | - sshd(8): Make the "Too many authentication failures" message include | ||
| 26 | the user, source address, port and protocol in a format similar to the | ||
| 27 | authentication success / failure messages. | ||
| 28 | - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is | ||
| 29 | available. It considers time spent suspended, thereby ensuring | ||
| 30 | timeouts (e.g. for expiring agent keys) fire correctly (closes: | ||
| 31 | #734553). | ||
| 32 | - Use prctl() to prevent sftp-server from accessing | ||
| 33 | /proc/self/{mem,maps}. | ||
| 34 | * Restore TCP wrappers support, removed upstream in 6.7. It is true that | ||
| 35 | dropping this reduces preauth attack surface in sshd. On the other | ||
| 36 | hand, this support seems to be quite widely used, and abruptly dropping | ||
| 37 | it (from the perspective of users who don't read openssh-unix-dev) could | ||
| 38 | easily cause more serious problems in practice. It's not entirely clear | ||
| 39 | what the right long-term answer for Debian is, but it at least probably | ||
| 40 | doesn't involve dropping this feature shortly before a freeze. | ||
| 41 | * Replace patch to disable OpenSSL version check with an updated version | ||
| 42 | of Kurt Roeckx's patch from #732940 to just avoid checking the status | ||
| 43 | field. | ||
| 3 | * Build-depend on a new enough dpkg-dev for dpkg-buildflags, rather than | 44 | * Build-depend on a new enough dpkg-dev for dpkg-buildflags, rather than |
| 4 | simply a new enough dpkg. | 45 | simply a new enough dpkg. |
| 5 | * Simplify debian/rules using /usr/share/dpkg/buildflags.mk. | 46 | * Simplify debian/rules using /usr/share/dpkg/buildflags.mk. |