1 files changed, 42 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 0d0363119..98e6ed73a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,45 @@
-openssh (1:4.2p1-9) UNRELEASED; urgency=low
+openssh (1:4.3p2-1) UNRELEASED; urgency=low
+  * New upstream release (closes: #361032).
+    - CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
+      subshell to perform local to local, and remote to remote copy
+      operations. This subshell exposed filenames to shell expansion twice;
+      allowing a local attacker to create filenames containing shell
+      metacharacters that, if matched by a wildcard, could lead to execution
+      of attacker-specified commands with the privilege of the user running
+      scp (closes: #349645).
+    - Add support for tunneling arbitrary network packets over a connection
+      between an OpenSSH client and server via tun(4) virtual network
+      interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN
+      between the client and server providing real network connectivity at
+      layer 2 or 3. This feature is experimental.
+    - Reduce default key length for new DSA keys generated by ssh-keygen
+      back to 1024 bits. DSA is not specified for longer lengths and does
+      not fully benefit from simply making keys longer. As per FIPS 186-2
+      Change Notice 1, ssh-keygen will refuse to generate a new DSA key
+      smaller or larger than 1024 bits.
+    - Fixed X forwarding failing to start when the X11 client is executed in
+      background at the time of session exit.
+    - Change ssh-keygen to generate a protocol 2 RSA key when invoked
+      without arguments (closes: #114894).
+    - Fix timing variance for valid vs. invalid accounts when attempting
+      Kerberos authentication.
+    - Ensure that ssh always returns code 255 on internal error
+      (closes: #259865).
+    - Cleanup wtmp files on SIGTERM when not using privsep.
+    - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
+      lingering sockets from previous session (X11 applications can
+      sometimes not connect to 127.0.0.1:60xx) (closes:
+      https://launchpad.net/bugs/25528).
+    - Ensure that fds 0, 1 and 2 are always attached in all programs, by
+      duping /dev/null to them if necessary.
+    - Xauth list invocation had bogus "." argument.
+    - Remove internal assumptions on key exchange hash algorithm and output
+      length, preparing OpenSSH for KEX methods with alternate hashes.
+    - Ignore junk sent by a server before it sends the "SSH-" banner.
+    - Many manual page improvements.
+    - Lots of cleanups, including fixes to memory leaks on error paths and
+      possible crashes.
  * Rename KeepAlive to TCPKeepAlive in default sshd_config
    (closes: #349896).
  * debconf template translations:

diff --git a/debian/changelog b/debian/changelog index 0d0363119..98e6ed73a 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,5 +1,45 @@
1	openssh (1:4.2p1-9) UNRELEASED; urgency=low	1	openssh (1:4.3p2-1) UNRELEASED; urgency=low
2		2
		3	* New upstream release (closes: #361032).
		4	- CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
		5	subshell to perform local to local, and remote to remote copy
		6	operations. This subshell exposed filenames to shell expansion twice;
		7	allowing a local attacker to create filenames containing shell
		8	metacharacters that, if matched by a wildcard, could lead to execution
		9	of attacker-specified commands with the privilege of the user running
		10	scp (closes: #349645).
		11	- Add support for tunneling arbitrary network packets over a connection
		12	between an OpenSSH client and server via tun(4) virtual network
		13	interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN
		14	between the client and server providing real network connectivity at
		15	layer 2 or 3. This feature is experimental.
		16	- Reduce default key length for new DSA keys generated by ssh-keygen
		17	back to 1024 bits. DSA is not specified for longer lengths and does
		18	not fully benefit from simply making keys longer. As per FIPS 186-2
		19	Change Notice 1, ssh-keygen will refuse to generate a new DSA key
		20	smaller or larger than 1024 bits.
		21	- Fixed X forwarding failing to start when the X11 client is executed in
		22	background at the time of session exit.
		23	- Change ssh-keygen to generate a protocol 2 RSA key when invoked
		24	without arguments (closes: #114894).
		25	- Fix timing variance for valid vs. invalid accounts when attempting
		26	Kerberos authentication.
		27	- Ensure that ssh always returns code 255 on internal error
		28	(closes: #259865).
		29	- Cleanup wtmp files on SIGTERM when not using privsep.
		30	- Set SO_REUSEADDR on X11 listeners to avoid problems caused by
		31	lingering sockets from previous session (X11 applications can
		32	sometimes not connect to 127.0.0.1:60xx) (closes:
		33	https://launchpad.net/bugs/25528).
		34	- Ensure that fds 0, 1 and 2 are always attached in all programs, by
		35	duping /dev/null to them if necessary.
		36	- Xauth list invocation had bogus "." argument.
		37	- Remove internal assumptions on key exchange hash algorithm and output
		38	length, preparing OpenSSH for KEX methods with alternate hashes.
		39	- Ignore junk sent by a server before it sends the "SSH-" banner.
		40	- Many manual page improvements.
		41	- Lots of cleanups, including fixes to memory leaks on error paths and
		42	possible crashes.
3	* Rename KeepAlive to TCPKeepAlive in default sshd_config	43	* Rename KeepAlive to TCPKeepAlive in default sshd_config
4	(closes: #349896).	44	(closes: #349896).
5	* debconf template translations:	45	* debconf template translations: