Age | Commit message (Collapse) | Author |
|
shouldn't be necessary, but I can't seem to get things working in the Ubuntu autopkgtest environment otherwise.
|
|
|
|
|
|
possible in all autopkgtest virtualisation environments.
|
|
|
|
|
|
allow some extra syscalls for crypto cards on s390x (LP: #1686618).
|
|
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2017-08-28
Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
|
|
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2017-08-28
Patch-Name: seccomp-getuid-geteuid.patch
|
|
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2017-08-28
Patch-Name: seccomp-s390-flock-ipc.patch
|
|
key generation (LP: #1712921).
|
|
|
|
|
|
ssh.service (closes: #872978).
|
|
|
|
|
|
|
|
|
|
Bug-Debian: https://bugs.debian.org/797964
Forwarded: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-June/036077.html
Last-Update: 2017-06-06
Patch-Name: fix-incoming-compression-statistics.patch
|
|
Patch from Mike Frysinger
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6
Last-Update: 2017-04-02
Patch-Name: x32-syntax-error.patch
|
|
Patch from Jakub Jelen
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=58b8cfa2a062b72139d7229ae8de567f55776f24
Last-Update: 2017-04-02
Patch-Name: s390-missing-header.patch
|
|
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
|
|
The client no longer accepts DSA host keys, and servers using the
default HostKey setting should have better host keys available.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug-Debian: https://bugs.debian.org/850614
Last-Update: 2017-01-16
Patch-Name: no-dsa-host-key-by-default.patch
|
|
If the first test in a series for a given MAC happens to modify the low
bytes of a packet length, then ssh will time out and this will be
interpreted as a test failure. Handle this failure mode.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658
Patch-Name: regress-integrity-robust.patch
Last-Update: 2017-01-01
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2016-12-26
Patch-Name: debian-config.patch
|
|
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22
Patch-Name: systemd-readiness.patch
|
|
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
|
|
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
|
|
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2013-06-08
Patch-Name: ssh-agent-setgid.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
|
|
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
|
|
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: openbsd-docs.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
|
|
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2015-11-29
Patch-Name: debian-banner.patch
|
|
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: package-versioning.patch
|
|
Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2017-08-22
Patch-Name: mention-ssh-keygen-on-keychange.patch
|
|
|
|
|
|
Bug-Debian: https://bugs.debian.org/797964
Forwarded: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-June/036077.html
Last-Update: 2017-06-06
Patch-Name: fix-incoming-compression-statistics.patch
|
|
Patch from Mike Frysinger
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6
Last-Update: 2017-04-02
Patch-Name: x32-syntax-error.patch
|
|
Patch from Jakub Jelen
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=58b8cfa2a062b72139d7229ae8de567f55776f24
Last-Update: 2017-04-02
Patch-Name: s390-missing-header.patch
|
|
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
|
|
The client no longer accepts DSA host keys, and servers using the
default HostKey setting should have better host keys available.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug-Debian: https://bugs.debian.org/850614
Last-Update: 2017-01-16
Patch-Name: no-dsa-host-key-by-default.patch
|
|
If the first test in a series for a given MAC happens to modify the low
bytes of a packet length, then ssh will time out and this will be
interpreted as a test failure. Handle this failure mode.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658
Patch-Name: regress-integrity-robust.patch
Last-Update: 2017-01-01
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2016-12-26
Patch-Name: debian-config.patch
|
|
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22
Patch-Name: systemd-readiness.patch
|
|
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
|
|
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
|
|
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2013-06-08
Patch-Name: ssh-agent-setgid.patch
|
|
|