Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index 0cf20dc14..e89bee3b7 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,5 +1,46 @@ | |||
1 | openssh (1:6.6p1-9) UNRELEASED; urgency=medium | 1 | openssh (1:6.7p1-1) UNRELEASED; urgency=medium |
2 | 2 | ||
3 | * New upstream release (http://www.openssh.com/txt/release-6.7): | ||
4 | - sshd(8): The default set of ciphers and MACs has been altered to | ||
5 | remove unsafe algorithms. In particular, CBC ciphers and arcfour* are | ||
6 | disabled by default. The full set of algorithms remains available if | ||
7 | configured explicitly via the Ciphers and MACs sshd_config options. | ||
8 | - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A | ||
9 | remote TCP port may be forwarded to a local Unix domain socket and | ||
10 | vice versa or both ends may be a Unix domain socket (closes: #236718). | ||
11 | - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 | ||
12 | key types. | ||
13 | - sftp(1): Allow resumption of interrupted uploads. | ||
14 | - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is | ||
15 | the same as the one sent during initial key exchange. | ||
16 | - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses | ||
17 | when GatewayPorts=no; allows client to choose address family. | ||
18 | - sshd(8): Add a sshd_config PermitUserRC option to control whether | ||
19 | ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys | ||
20 | option. | ||
21 | - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that | ||
22 | expands to a unique identifer based on a hash of the tuple of (local | ||
23 | host, remote user, hostname, port). Helps avoid exceeding miserly | ||
24 | pathname limits for Unix domain sockets in multiplexing control paths. | ||
25 | - sshd(8): Make the "Too many authentication failures" message include | ||
26 | the user, source address, port and protocol in a format similar to the | ||
27 | authentication success / failure messages. | ||
28 | - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is | ||
29 | available. It considers time spent suspended, thereby ensuring | ||
30 | timeouts (e.g. for expiring agent keys) fire correctly (closes: | ||
31 | #734553). | ||
32 | - Use prctl() to prevent sftp-server from accessing | ||
33 | /proc/self/{mem,maps}. | ||
34 | * Restore TCP wrappers support, removed upstream in 6.7. It is true that | ||
35 | dropping this reduces preauth attack surface in sshd. On the other | ||
36 | hand, this support seems to be quite widely used, and abruptly dropping | ||
37 | it (from the perspective of users who don't read openssh-unix-dev) could | ||
38 | easily cause more serious problems in practice. It's not entirely clear | ||
39 | what the right long-term answer for Debian is, but it at least probably | ||
40 | doesn't involve dropping this feature shortly before a freeze. | ||
41 | * Replace patch to disable OpenSSL version check with an updated version | ||
42 | of Kurt Roeckx's patch from #732940 to just avoid checking the status | ||
43 | field. | ||
3 | * Build-depend on a new enough dpkg-dev for dpkg-buildflags, rather than | 44 | * Build-depend on a new enough dpkg-dev for dpkg-buildflags, rather than |
4 | simply a new enough dpkg. | 45 | simply a new enough dpkg. |
5 | * Simplify debian/rules using /usr/share/dpkg/buildflags.mk. | 46 | * Simplify debian/rules using /usr/share/dpkg/buildflags.mk. |
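Review bot: The first sshd(8) item in the added block (CBC ciphers and arcfour* disabled by default) is a behaviour change that can break existing connections on upgrade for peers that only offer those algorithms, and the changelog is the only place it is mentioned in this view. Consider adding a debian/NEWS entry, if the commit does not already carry one, that tells administrators the algorithms can be re-enabled explicitly through the Ciphers and MACs options in sshd_config, as the item itself states. The "Restore TCP wrappers support" and "Replace patch to disable OpenSSL version check" items would also be easier to audit if each named the patch file that carries the change. Minor: "identifer" in the %C item should read "identifier".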