Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 54 |
1 files changed, 52 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index dc9c82813..234cc9191 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,6 +1,56 @@ | |||
1 | openssh (1:7.1p2-3) UNRELEASED; urgency=medium | 1 | openssh (1:7.2p1-1) UNRELEASED; urgency=medium |
2 | 2 | ||
3 | * New upstream release (http://www.openssh.com/txt/release-7.2): | ||
4 | - This release disables a number of legacy cryptographic algorithms by | ||
5 | default in ssh: | ||
6 | + Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and | ||
7 | the rijndael-cbc aliases for AES. | ||
8 | + MD5-based and truncated HMAC algorithms. | ||
9 | These algorithms are already disabled by default in sshd. | ||
10 | - ssh(1), sshd(8): Remove unfinished and unused roaming code (was | ||
11 | already forcibly disabled in OpenSSH 7.1p2). | ||
12 | - ssh(1): Eliminate fallback from untrusted X11 forwarding to trusted | ||
13 | forwarding when the X server disables the SECURITY extension. | ||
14 | - ssh(1), sshd(8): Increase the minimum modulus size supported for | ||
15 | diffie-hellman-group-exchange to 2048 bits. | ||
16 | - sshd(8): Pre-auth sandboxing is now enabled by default (previous | ||
17 | releases enabled it for new installations via sshd_config). | ||
18 | - all: Add support for RSA signatures using SHA-256/512 hash algorithms | ||
19 | based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt. | ||
20 | - ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', | ||
21 | 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a | ||
22 | private key that is used during authentication will be added to | ||
23 | ssh-agent if it is running (with confirmation enabled if set to | ||
24 | 'confirm'). | ||
25 | - sshd(8): Add a new authorized_keys option "restrict" that includes all | ||
26 | current and future key restrictions (no-*-forwarding, etc.). Also add | ||
27 | permissive versions of the existing restrictions, e.g. "no-pty" -> | ||
28 | "pty". This simplifies the task of setting up restricted keys and | ||
29 | ensures they are maximally-restricted, regardless of any permissions | ||
30 | we might implement in the future. | ||
31 | - ssh(1): Add ssh_config CertificateFile option to explicitly list | ||
32 | certificates. | ||
33 | - ssh-keygen(1): Allow ssh-keygen to change the key comment for all | ||
34 | supported formats (closes: #811125). | ||
35 | - ssh-keygen(1): Allow fingerprinting from standard input, e.g. | ||
36 | "ssh-keygen -lf -" (closes: #509058). | ||
37 | - ssh-keygen(1): Allow fingerprinting multiple public keys in a file, | ||
38 | e.g. "ssh-keygen -lf ~/.ssh/authorized_keys". | ||
39 | - sshd(8): Support "none" as an argument for sshd_config Foreground and | ||
40 | ChrootDirectory. Useful inside Match blocks to override a global | ||
41 | default. | ||
42 | - ssh-keygen(1): Support multiple certificates (one per line) and | ||
43 | reading from standard input (using "-f -") for "ssh-keygen -L" | ||
44 | - ssh-keyscan(1): Add "ssh-keyscan -c ..." flag to allow fetching | ||
45 | certificates instead of plain keys. | ||
46 | - ssh(1): Better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in | ||
47 | hostname canonicalisation - treat them as already canonical and remove | ||
48 | the trailing '.' before matching ssh_config. | ||
49 | - sftp(1): Existing destination directories should not terminate | ||
50 | recursive uploads (regression in OpenSSH 6.8; LP: #1553378). | ||
3 | * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb. | 51 | * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb. |
52 | * Restore slogin symlinks for compatibility, although they were removed | ||
53 | upstream. | ||
4 | 54 | ||
5 | -- Colin Watson <cjwatson@debian.org> Wed, 27 Jan 2016 13:04:38 +0000 | 55 | -- Colin Watson <cjwatson@debian.org> Wed, 27 Jan 2016 13:04:38 +0000 |
6 | 56 | ||
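Review bot: The trailer line at the end of the entry still carries the timestamp "Wed, 27 Jan 2016 13:04:38 +0000" from the 1:7.1p2-3 entry, although the version line now reads 1:7.2p1-1. While the entry is marked UNRELEASED this is harmless, but the date should be refreshed when the entry is finalised for upload. Separately, two of the upstream items are behaviour changes that can stop the client from connecting to older servers: legacy ciphers and MD5-based or truncated HMACs disabled by default in ssh, and the diffie-hellman-group-exchange minimum modulus raised to 2048 bits. This view is limited to debian/changelog, so it is not visible whether debian/NEWS gains a matching entry; one would be worth adding so that users see the change on upgrade. The "Restore slogin symlinks for compatibility" item would also be clearer if it said what the symlinks remain compatible with.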