| Age | Commit message (Collapse) | Author |
|---|
|
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
|
|
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2014-03-19
Patch-Name: gssapi.patch
|
|
|
|
|
|
(thanks, Axel Beckert).
|
|
|
|
|
|
guarantees that ssh.service has stopped before ssh.socket starts (thanks, Uoti Urpala).
|
|
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
|
|
no moduli file exists at the expected location.
|
|
|
|
[agent-ptrace.sh agent.sh]
keep return values that are printed in error messages;
from portable
(Id sync only)
|
|
[login-timeout.sh]
remove any existing LoginGraceTime from sshd_config before adding
a specific one for the test back in
|
|
[scp-ssh-wrapper.sh scp.sh]
make sure $SCP is tested on the remote end rather than whichever one
happens to be in $PATH; from portable
(Id sync only)
|
|
[regress/cert-hostkey.sh]
automatically generate revoked keys from listed keys rather than
manually specifying each type; from portable
(Id sync only)
|
|
[regress/Makefile regress/dhgex.sh]
Add a test for DH GEX sizes
|
|
[sftp-chroot.sh]
append to rather than truncating the log file
|
|
[regress/sftp-chroot.sh]
Don't use -q on sftp as it suppresses logging, instead redirect the
output to the regress logfile.
|
|
[contrib/suse/openssh.spec] Crank version numbers
|
|
[version.h]
openssh-6.6
|
|
[sshd_config.5]
bz#2184 clarify behaviour of a keyword that appears in multiple
matching Match blocks; ok dtucker@
|
|
[bufbn.c]
off by one in range check
|
|
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
|
|
[sshd.c]
ssh_gssapi_prepare_supported_oids needs GSSAPI
|
|
[channels.c]
don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
|
|
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
|
|
[ssh.c]
bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
ok dtucker@ markus@
|
|
[readconf.c readconf.h ssh.c ssh_config.5]
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
|
|
[ssh-ed25519.c]
check for unsigned overflow; not reachable in OpenSSH but others might
copy our code...
|
|
[readconf.c]
when processing Match blocks, skip 'exec' clauses if previous predicates
failed to match; ok markus@
|
|
[channels.c]
avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@
|
|
[cipher.c mac.c]
remove some logging that makes ssh debugging output very verbose;
ok markus
|
|
This allows it to also be used by other SSH server implementations like
dropbear (closes: #504290).
|
|
- (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery.
|
|
sshd" in the sysvinit script (thanks, Michael Biebl).
|
|
|
|
|
|
Origin: upstream, https://bugzilla.mindrot.org/show_bug.cgi?id=2200
Bug-Debian: http://bugs.debian.org/738693
Last-Update: 2014-02-15
Patch-Name: getsockname-error.patch
|
|
no longer supported.
|
|
Amend "Running sshd from inittab" instructions in README.Debian to recommend
'update-rc.d ssh disable', rather than manual removal of rc*.d symlinks that
won't work with dependency-based sysv-rc.
|
|
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60155 (closes: #738798).
|
|
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
|
|
|
|
|
|
|
|
|
|
Drop some very old Conflicts and Replaces (ssh (<< 1:3.8.1p1-9), rsh-client
(<< 0.16.1-1), ssh-krb5 (<< 1:4.3p2-7), ssh-nonfree (<< 2), and
openssh-client (<< 1:3.8.1p1-11)). These all relate to pre-etch versions,
for which we no longer have maintainer script code, and per policy they
would have to become Breaks nowadays anyway.
|
|
Debian patch) rather than plain GPL.
|
|
Remove tests for whether /dev/null is a character device from the Upstart
job and the systemd service files; it's there to avoid a confusing failure
mode in daemon(), but with modern init systems we use the -D option to
suppress daemonisation anyway.
|
