Age | Commit message | Author
2019-06-06 | Added wildcard authorization for authorized_keys. | joe
2019-04-08 | releasing package openssh version 1:7.9p1-10 | Colin Watson
2019-04-08 | Temporarily revert IPQoS defaults to pre-7.8 values | Colin Watson
This is just until issues with "iptables -m tos" and VMware have been fixed.
Closes: #923879, #926229
LP: #1822370
2019-04-08 | Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for" | Colin Watson
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
The IPQoS default changes have some unfortunate interactions with iptables (see https://bugs.debian.org/923880) and VMware, so I'm temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
2019-03-01 | releasing package openssh version 1:7.9p1-9 | Colin Watson
2019-03-01 | Handle shell-style brace expansions in scp checks | Colin Watson
2019-03-01 | upstream: when checking that filenames sent by the server side | djm@openbsd.org
match what the client requested, be prepared to handle shell-style brace alternations, e.g. "{foo,bar}".
"looks good to me" millert@ + in snaps for the last week courtesy deraadt@
OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
Bug-Debian: https://bugs.debian.org/923486
Last-Update: 2019-03-01
Patch-Name: scp-handle-braces.patch
2019-02-28 | releasing package openssh version 1:7.9p1-8 | Colin Watson
2019-02-28 | Move moduli(5) manual page to openssh-server | Colin Watson
This goes with /etc/ssh/moduli; forgotten in 1:7.9p1-5.
2019-02-28 | Correctly handle conffile move to openssh-server | Dominik George
Closes: #919344
2019-02-28 | Request RSA-SHA2 signatures for corresponding cert algorithms | Colin Watson
Closes: #923419
2019-02-28 | upstream: Request RSA-SHA2 signatures for | djm@openbsd.org
rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944
Bug-Debian: https://bugs.debian.org/923419
Last-Update: 2019-02-28
Patch-Name: request-rsa-sha2-cert-signatures.patch
2019-02-28 | Fix key type checks with RSA-SHA2 signature types | Colin Watson
2019-02-28 | upstream: fix bug in HostbasedAcceptedKeyTypes and | djm@openbsd.org
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
Last-Update: 2019-02-28
Patch-Name: fix-key-type-check.patch
2019-02-26 | releasing package openssh version 1:7.9p1-7 | Colin Watson
2019-02-25 | Tighten up start-stop-daemon invocations | Colin Watson
Pass "--exec /usr/sbin/sshd" to start-stop-daemon on stop as well as start and pass "--chuid 0:0" on start, to avoid problems with non-root groups leaking into the ownership of /run/sshd.pid.
Closes: #922365
2019-02-25 | Update logind recommendation | Colin Watson
Recommend "default-logind | logind | libpam-systemd" rather than just libpam-systemd. (I've retained libpam-systemd as an alternative for a while to avoid backporting accidents, although it can be removed later.) Thanks, Adam Borowski.
Closes: #923199
2019-02-08 | releasing package openssh version 1:7.9p1-6 | Colin Watson
2019-02-08 | scp: Check remote->local directory copy filenames | Colin Watson
CVE-2019-6111
2019-02-08 | upstream: check in scp client that filenames sent during | djm@openbsd.org
remote->local directory copies satisfy the wildcard specified by the user.
This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules.
For this reason, this also adds a new -T flag to disable the check.
reported by Harry Sintonen
fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@
OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
CVE-2019-6111
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
Last-Update: 2019-02-08
Patch-Name: check-filenames-in-scp-client.patch
2019-02-08 | Sanitize scp filenames via snmprintf | Colin Watson
CVE-2019-6109
Closes: #793412
2019-02-08 | upstream: Have progressmeter force an update at the beginning and | dtucker@openbsd.org
end of each transfer. Fixes the problem recently introduced where very quick transfers do not display the progressmeter at all. Spotted by naddy@
OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
Last-Update: 2019-02-08
Patch-Name: have-progressmeter-force-update-at-beginning-and-end-transfer.patch
2019-02-08 | upstream: Sanitize scp filenames via snmprintf. To do this we move | dtucker@openbsd.org
the progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too. bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@
OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
CVE-2019-6109
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
Bug-Debian: https://bugs.debian.org/793412
Last-Update: 2019-02-08
Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
2019-01-13 | releasing package openssh version 1:7.9p1-5 | Colin Watson
2019-01-12 | scp: disallow empty incoming filename or "." | Colin Watson
Closes: #919101
2019-01-12 | upstream: disallow empty incoming filename or ones that refer to the | djm@openbsd.org
current directory; based on report/patch from Harry Sintonen
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
Bug-Debian: https://bugs.debian.org/919101
Last-Update: 2019-01-12
Patch-Name: scp-disallow-dot-or-empty-filename.patch
2018-12-26 | Drop obsolete alternate build-dependency on libssl1.0-dev | Colin Watson
Closes: #917342
2018-12-06 | Move /etc/ssh/moduli to openssh-server | Colin Watson
It's reasonably large and only used by sshd.
Closes: #858050
2018-11-16 | releasing package openssh version 1:7.9p1-4 | Colin Watson
2018-11-16 | Use dpkg_vendor_derives_from again | Colin Watson
This time with syntax that works.
2018-11-15 | Fix Ubuntu detection in debian/rules | Colin Watson
The documentation comment for dpkg_vendor_derives_from is wrong (thanks, Jeremy Bicha; see #913816).
2018-11-15 | releasing package openssh version 1:7.9p1-3 | Colin Watson
2018-11-15 | Restore some direct test dependencies | Colin Watson
Restore direct test dependencies on openssl, putty-tools, and python-twisted-conch; these are really only indirect dependencies via openssh-tests, but including them means that this package will be retested when they change.
2018-11-15 | Re-export debian/upstream/signing-key.asc without extra signatures | Colin Watson
2018-11-15 | debian/control: Remove trailing whitespace | Colin Watson
2018-11-15 | Avoid incorrect Makefile symlink in openssh-tests | Colin Watson
Be more specific about what files to install in openssh-tests, to avoid installing a symlink into the build tree.
2018-11-14 | releasing package openssh version 1:7.9p1-2 | Colin Watson
2018-11-05 | Add an openssh-tests binary package | Colin Watson
This contains enough files to run the upstream regression tests. Doing this allows autopkgtest to run more efficiently, as it doesn't have to build part of the source tree again.
2018-11-05 | Set TEST_SHELL again | Colin Watson
There's no default for this in regress/Makefile (only in the top-level Makefile), so leaving it unset here doesn't work.
2018-11-03 | Drop "set -x" verbosity from the autopkgtest | Colin Watson
I think we can do without this in most cases nowadays, as things have been pretty stable for a while.
2018-11-03 | Make the autopkgtest create /run/sshd if it doesn't already exist | Colin Watson
2018-11-03 | Add GitLab CI configuration | Colin Watson
2018-10-22 | Mark debian/NEWS entry as released | Colin Watson
2018-10-21 | releasing package openssh version 1:7.9p1-1 | Colin Watson
2018-10-21 | Remove /etc/network/if-up.d/openssh-server | Colin Watson
It causes more problems than it solves. Add an "if-up hook removed" section to README.Debian documenting the corner case that may need configuration adjustments. Thanks, Christian Ehrhardt, Andreas Hasenack, and David Britton.
Closes: #789532
LP: #1037738, #1674330, #1718227
2018-10-21 | Simplify debian/rules using /usr/share/dpkg/default.mk. | Colin Watson
2018-10-20 | Remove dh_builddeb override to use xz compression | Colin Watson
This has been the default since dpkg 1.17.0.
2018-10-20 | New upstream release (7.9p1) | Colin Watson
2018-10-20 | Work around conch interoperability failure | Colin Watson
Twisted Conch fails to read private keys in the new format (https://twistedmatrix.com/trac/ticket/9515). Work around this until it can be fixed in Twisted.
Forwarded: not-needed
Last-Update: 2018-08-30
Patch-Name: conch-old-privkey-format.patch
2018-10-20 | Enable specific ioctl call for EP11 crypto card (s390) | Eduardo Barretto
The EP11 crypto card needs to make an ioctl call, which receives a specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2017-08-28
Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch