| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
We now ignore the wildcard if we have another matching key -- even if
the wildcard entry comes first in authorized_keys.
This is how it worked before the forward port.
|
|
|
|
|
|
|
|
This is just until issues with "iptables -m tos" and VMware have been
fixed.
Closes: #923879, #926229
LP: #1822370
|
|
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
|
|
|
|
|
|
match what the client requested, be prepared to handle shell-style brace
alternations, e.g. "{foo,bar}".
"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@
OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
Bug-Debian: https://bugs.debian.org/923486
Last-Update: 2019-03-01
Patch-Name: scp-handle-braces.patch
|
|
|
|
This goes with /etc/ssh/moduli; forgotten in 1:7.9p1-5.
|
|
Closes: #919344
|
|
Closes: #923419
|
|
rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944
Bug-Debian: https://bugs.debian.org/923419
Last-Update: 2019-02-28
Patch-Name: request-rsa-sha2-cert-signatures.patch
|
|
|
|
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
specified, then authentication would always fail for RSA keys as the monitor
checks only the base key (not the signature algorithm) type against
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
Last-Update: 2019-02-28
Patch-Name: fix-key-type-check.patch
|
|
|
|
Pass "--exec /usr/sbin/sshd" to start-stop-daemon on stop as well as
start and pass "--chuid 0:0" on start, to avoid problems with non-root
groups leaking into the ownership of /run/sshd.pid.
Closes: #922365
|
|
Recommend "default-logind | logind | libpam-systemd" rather than just
libpam-systemd. (I've retained libpam-systemd as an alternative for a
while to avoid backporting accidents, although it can be removed
later.)
Thanks, Adam Borowski.
Closes: #923199
|
|
|
|
CVE-2019-6111
|
|
remote->local directory copies satisfy the wildcard specified by the user.
This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.
For this reason, this also adds a new -T flag to disable the check.
reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@
OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
CVE-2019-6111
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
Last-Update: 2019-02-08
Patch-Name: check-filenames-in-scp-client.patch
|
|
CVE-2019-6109
Closes: #793412
|
|
end of each transfer. Fixes the problem recently introduces where very quick
transfers do not display the progressmeter at all. Spotted by naddy@
OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
Last-Update: 2019-02-08
Patch-Name: have-progressmeter-force-update-at-beginning-and-end-transfer.patch
|
|
the progressmeter formatting outside of signal handler context and have the
atomicio callback called for EINTR too. bz#2434 with contributions from djm
and jjelen at redhat.com, ok djm@
OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
CVE-2019-6109
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
Bug-Debian: https://bugs.debian.org/793412
Last-Update: 2019-02-08
Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
|
|
|
|
Closes: #919101
|
|
current directory; based on report/patch from Harry Sintonen
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
Bug-Debian: https://bugs.debian.org/919101
Last-Update: 2019-01-12
Patch-Name: scp-disallow-dot-or-empty-filename.patch
|
|
Closes: #917342
|
|
It's reasonably large and only used by sshd.
Closes: #858050
|
|
|
|
This time with syntax that works.
|
|
The documentation comment for dpkg_vendor_derives_from is wrong (thanks,
Jeremy Bicha; see #913816).
|
|
|
|
Restore direct test dependencies on openssl, putty-tools, and
python-twisted-conch; these are really only indirect dependencies via
openssh-tests, but including them means that this package will be
retested when they change.
|
|
|
|
|
|
Be more specific about what files to install in openssh-tests, to avoid
installing a symlink into the build tree.
|
|
|
|
This contains enough files to run the upstream regression tests. Doing
this allows autopkgtest to run more efficiently, as it doesn't have to
build part of the source tree again.
|
|
There's no default for this in regress/Makefile (only in the top-level
Makefile), so leaving it unset here doesn't work.
|
|
I think we can do without this in most cases nowadays, as things have
been pretty stable for a while.
|
|
|
|
|
