openssh.git -

Age	Commit message (Collapse)	Author
2018-08-17	releasing package openssh version 1:7.7p1-4	Colin Watson

2018-08-17	Fix user enumeration vulnerability	Colin Watson
	Apply upstream patch to delay bailout for invalid authenticating user until after the packet containing the request has been fully parsed. Closes: #906236
2018-08-17	upstream: delay bailout for invalid authenticating user	djm@openbsd.org
	... until after the packet containing the request has been fully parsed. Reported by Dariusz Tytko and Michał Sajdak; ok deraadt OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8 Bug-Debian: https://bugs.debian.org/906236 Last-Update: 2018-08-17 Patch-Name: upstream-delay-bailout-for-invalid-authenticating-user.patch
2018-07-10	releasing package openssh version 1:7.7p1-3	Colin Watson

2018-07-10	Close #903474 as well	Colin Watson

2018-07-10	Merge branch 'fix-authorized_keys-environment-var' into 'master'	Colin Watson
	Fix ENV restriction of authorized keys See merge request ssh-team/openssh!2
2018-06-28	[ Christian Ehrhardt ]	Christian Ehrhardt
	Fix unintentional restriction of authorized keys environment options to be alphanumeric (LP: #1771011)
2018-06-28	upstream: relax checking of authorized_keys environment="..."	djm@openbsd.org
	options to allow underscores in variable names (regression introduced in 7.7). bz2851, ok deraadt@ OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c Original-Author: Damien Miller <djm@mindrot.org> Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=40f5f03544a07ebd2003b443d42e85cb51d94d59 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1771011 Last-Update: 2018-06-28 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Patch-Name: upstream-relax-checking-of-authorized_keys-environme.patch
2018-06-18	Add documentation links for systemd	Colin Watson
	Add Documentation keys to ssh-agent.service, ssh.service, and ssh@.service.
2018-06-18	Remove no-longer-used Lintian overrides from openssh-server and ssh.	Colin Watson

2018-06-18	Remove trailing blanks from old changelog entries	Colin Watson

2018-06-16	Chase Vcs-Git redirection	Colin Watson

2018-06-16	Merge branch 'gratuxri-guest/master'	Colin Watson
	Add rescue.target with ssh support See merge request ssh-team/openssh!1
2018-06-16	Adjust git-dpm tagging configuration.	Colin Watson

2018-04-04	releasing package openssh version 1:7.7p1-2	Colin Watson

2018-04-03	Fix parsing of DebianBanner option	Colin Watson
	Closes: #894730
2018-04-03	Enable specific ioctl call for EP11 crypto card (s390)	Eduardo Barretto
	The EP11 crypto card needs to make an ioctl call, which receives an specific argument. This crypto card is for s390 only. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
2018-04-03	Allow getuid and geteuid calls	Eduardo Barretto
	getuid and geteuid are needed when using an openssl engine that calls a crypto card, e.g. ICA (libica). Those syscalls are also needed by the distros for audit code. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-getuid-geteuid.patch
2018-04-03	Allow flock and ipc syscall for s390 architecture	Eduardo Barretto
	In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 implementation) which calls the libraries that will communicate with the crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, this is only need on s390 architecture. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-flock-ipc.patch
2018-04-03	Restore reading authorized_keys2 by default	Colin Watson
	Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. Bug-Debian: https://bugs.debian.org/852320 Forwarded: not-needed Last-Update: 2017-03-05 Patch-Name: restore-authorized_keys2.patch
2018-04-03	Various Debian-specific configuration changes	Colin Watson
	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
2018-04-03	Add systemd readiness notification support	Michael Biebl
	Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2017-08-22 Patch-Name: systemd-readiness.patch
2018-04-03	Give the ssh-askpass-gnome window a default icon	Vincent Untz
	Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2018-04-03	Don't check the status field of the OpenSSL version	Kurt Roeckx
	There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch
2018-04-03	Document consequences of ssh-agent being setgid in ssh-agent(1)	Colin Watson
	Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch
2018-04-03	Document that HashKnownHosts may break tab-completion	Colin Watson
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch
2018-04-03	ssh(1): Refer to ssh-argv0(1)	Colin Watson
	Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2018-04-03	Adjust various OpenBSD-specific references in manual pages	Colin Watson
	No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch
2018-04-03	Install authorized_keys(5) as a symlink to sshd(8)	Tomas Pospisek
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2018-04-03	Add DebianBanner server configuration option	Kees Cook
	Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2018-04-03 Patch-Name: debian-banner.patch
2018-04-03	releasing package openssh version 1:7.7p1-1	Colin Watson

2018-04-03	New upstream release (7.7p1)	Colin Watson

2018-04-03	Enable specific ioctl call for EP11 crypto card (s390)	Eduardo Barretto
	The EP11 crypto card needs to make an ioctl call, which receives an specific argument. This crypto card is for s390 only. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
2018-04-03	Allow getuid and geteuid calls	Eduardo Barretto
	getuid and geteuid are needed when using an openssl engine that calls a crypto card, e.g. ICA (libica). Those syscalls are also needed by the distros for audit code. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-getuid-geteuid.patch
2018-04-03	Allow flock and ipc syscall for s390 architecture	Eduardo Barretto
	In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 implementation) which calls the libraries that will communicate with the crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, this is only need on s390 architecture. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-flock-ipc.patch
2018-04-03	Restore reading authorized_keys2 by default	Colin Watson
	Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. Bug-Debian: https://bugs.debian.org/852320 Forwarded: not-needed Last-Update: 2017-03-05 Patch-Name: restore-authorized_keys2.patch
2018-04-03	Various Debian-specific configuration changes	Colin Watson
	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
2018-04-03	Add systemd readiness notification support	Michael Biebl
	Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2017-08-22 Patch-Name: systemd-readiness.patch
2018-04-03	Give the ssh-askpass-gnome window a default icon	Vincent Untz
	Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2018-04-03	Don't check the status field of the OpenSSL version	Kurt Roeckx
	There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch
2018-04-03	Document consequences of ssh-agent being setgid in ssh-agent(1)	Colin Watson
	Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch
2018-04-03	Document that HashKnownHosts may break tab-completion	Colin Watson
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch
2018-04-03	ssh(1): Refer to ssh-argv0(1)	Colin Watson
	Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2018-04-03	Adjust various OpenBSD-specific references in manual pages	Colin Watson
	No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch
2018-04-03	Install authorized_keys(5) as a symlink to sshd(8)	Tomas Pospisek
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2018-04-03	Add DebianBanner server configuration option	Kees Cook
	Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-banner.patch
2018-04-03	Include the Debian version in our identification	Matthew Vernon
	This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: package-versioning.patch
2018-04-03	Mention ssh-keygen in ssh fingerprint changed warning	Scott Moser
	Author: Chris Lamb <lamby@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2017-08-22 Patch-Name: mention-ssh-keygen-on-keychange.patch
2018-04-03	Force use of DNSSEC even if "options edns0" isn't in resolv.conf	Colin Watson
	This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
2018-04-03	Look for $SHELL on the path for ProxyCommand/LocalCommand	Colin Watson
	There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2013-09-14 Patch-Name: shell-path.patch