summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-10-07record new upstream branch created by importing openssh_6.7p1.orig.tar.gzColin Watson
2014-10-06Use Package-Type rather than XC-Package-Type, now that it is an official field.Colin Watson
2014-10-06Simplify debian/rules using /usr/share/dpkg/buildflags.mk.Colin Watson
2014-10-06Build-depend on a new enough dpkg-dev for dpkg-buildflags, rather than ↵Colin Watson
simply a new enough dpkg.
2014-10-03releasing package openssh version 1:6.6p1-8Colin Watson
2014-09-30Don't link /usr/share/doc/ssh to openssh-client, as this is not safe between ↵Colin Watson
Architecture: all and Architecture: any binary packages (closes: #763375).
2014-09-28Policy version 3.9.6: no changes required.Colin Watson
2014-09-20Show fingerprints of new keys after creating them in the postinst (closes: ↵Colin Watson
#762128).
2014-08-13Make the if-up hook use "reload" rather than "restart" if the system was ↵Colin Watson
booted using systemd (closes: #756547).
2014-08-05releasing package openssh version 1:6.6p1-7Colin Watson
2014-08-05Pass noupdate to the second call to pam_motd, not the first (thanks, Ken T ↵Colin Watson
Takusagawa; closes: #757059).
2014-08-02Remove several unnecessary entries in debian/*.dirs.Colin Watson
2014-08-02Turkish (thanks, Mert Dirik; closes: #756757).Colin Watson
2014-08-02Use dh-exec to simplify override_dh_install target.Colin Watson
2014-07-20Make sure that DEB_HOST_ARCH is set, even when invoking debian/rules directly.Colin Watson
2014-06-28releasing package openssh version 1:6.6p1-6Colin Watson
2014-06-28Make get_config_option more robust against trailing whitespace (thanks, ↵Colin Watson
LaMont Jones).
2014-06-12Czech (thanks, Michal Šimůnek; closes: #751419).Colin Watson
2014-05-26Only use pam_keyinit on Linux architectures (closes: #747245).Colin Watson
2014-05-26Upgrade to debhelper v9.Colin Watson
2014-05-01releasing package openssh version 1:6.6p1-5Colin Watson
2014-04-28Force ssh-agent Upstart job to use sh syntax regardless of the user's shell ↵Colin Watson
(thanks, Steffen Stempel; LP: #1312928).
2014-04-21releasing package openssh version 1:6.6p1-4Colin Watson
2014-04-21Apply upstream-recommended patch to fix bignum encoding for ↵Colin Watson
curve25519-sha256@libssh.org, fixing occasional key exchange failures.
2014-04-21bad bignum encoding for curve25519-sha256@libssh.orgDamien Miller
Hi, So I screwed up when writing the support for the curve25519 KEX method that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left leading zero bytes where they should have been skipped. The impact of this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a peer that implements curve25519-sha256@libssh.org properly about 0.2% of the time (one in every 512ish connections). We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 key exchange for previous versions, but I'd recommend distributors of OpenSSH apply this patch so the affected code doesn't become too entrenched in LTS releases. The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as to distinguish itself from the incorrect versions so the compatibility code to disable the affected KEX isn't activated. I've committed this on the 6.6 branch too. Apologies for the hassle. -d Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html Forwarded: not-needed Last-Update: 2014-04-21 Patch-Name: curve25519-sha256-bignum-encoding.patch
2014-04-15Spanish (thanks, Matías Bellone; closes: #744867).Colin Watson
2014-04-14releasing package openssh version 1:6.6p1-3Colin Watson
2014-04-14Never signal the service supervisor with SIGSTOP more than once, toColin Watson
prevent a hang on re-exec (thanks, Robie Basak; LP: #1306877).
2014-04-14Attempt SSHFP lookup even if server presents a certificateMatthew Vernon
If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly). This patch is by Damien Miller (of openssh upstream). It's simpler than the patch by Mark Wooding which I applied yesterday; a copy is taken of the proffered key/cert, the key extracted from the cert (if necessary), and then the DNS consulted. Signed-off-by: Matthew Vernon <matthew@debian.org> Bug-Debian: http://bugs.debian.org/742513 Patch-Name: sshfp_with_server_cert_upstr
2014-04-14Various Debian-specific configuration changesColin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2014-02-12 Patch-Name: debian-config.patch
2014-04-14Support synchronisation with service supervisor using SIGSTOPColin Watson
Author: Robie Basak <robie.basak@ubuntu.com> Forwarded: no Last-Update: 2014-04-14 Patch-Name: sigstop.patch
2014-04-01French (thanks, Étienne Gilli; closes: #743242).Colin Watson
2014-03-31releasing package openssh version 1:6.6p1-2Colin Watson
2014-03-31If no root password is set, then switch to "PermitRootLogin ↵Colin Watson
without-password" without asking (LP: #1300127).
2014-03-28releasing package openssh version 1:6.6p1-1Colin Watson
2014-03-28Don't start ssh-agent from the Upstart user session job if something like ↵Colin Watson
Xsession has already done so (based on work by Bruno Vasselle; LP: #1244736).
2014-03-28Add CVE-2014-2653 for SSHFP bug.Colin Watson
2014-03-28Italian (thanks, Beatrice Torracca).Colin Watson
2014-03-27Close LP bug asking for 6.6.Colin Watson
2014-03-27Add copyright information as requested by Stephan.Colin Watson
2014-03-27German (thanks, Stephan Beck; closes: #742541).Colin Watson
2014-03-27Japanese (thanks, victory).Colin Watson
2014-03-27Swedish (thanks, Andreas Rönnquist).Colin Watson
2014-03-27Russian (thanks, Yuri Kozlov; closes: #742308).Colin Watson
2014-03-27Portuguese (thanks, Américo Monteiro).Colin Watson
2014-03-27Danish (thanks, Joe Hansen).Colin Watson
2014-03-27Change to "PermitRootLogin without-password" for new installationsColin Watson
Also ask a debconf question when upgrading systems with "PermitRootLogin yes" from previous versions. Closes: #298138
2014-03-27Re-enable btmp logging, as its permissions were fixed a long time ago in ↵Colin Watson
response to #370050 (closes: #341883).
2014-03-26merge patched into masterMatthew Vernon
2014-03-26Attempt SSHFP lookup even if server presents a certificateMatthew Vernon
If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly). This patch is by Damien Miller (of openssh upstream). It's simpler than the patch by Mark Wooding which I applied yesterday; a copy is taken of the proffered key/cert, the key extracted from the cert (if necessary), and then the DNS consulted. Signed-off-by: Matthew Vernon <matthew@debian.org> Bug-Debian: http://bugs.debian.org/742513 Patch-Name: sshfp_with_server_cert_upstr