| Age | Commit message (Collapse) | Author |
|---|
|
regardless of how many times it is listed
ok markus@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-kbdint-duplicates.patch
|
|
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-pam-use-after-free.patch
|
|
Pointed out by Moritz Jodeit; ok dtucker@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-do-not-resend-username-to-pam.patch
|
|
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-fix-pty-permissions.patch
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.
sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
PermitRootLogin default.
Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: debian-config.patch
|
|
Author: Robie Basak <robie.basak@ubuntu.com>
Forwarded: no
Last-Update: 2014-04-14
Patch-Name: sigstop.patch
|
|
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
|
|
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
|
|
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2013-06-08
Patch-Name: ssh-agent-setgid.patch
|
|
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: doc-upstart.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
|
|
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
|
|
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: openbsd-docs.patch
|
|
Apparently this breaks some SVR4 packaging systems, so upstream can't win
either way and opted to keep the status quo. We need this patch anyway.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
Last-Update: 2013-09-14
Patch-Name: lintian-symlink-pickiness.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
|
|
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: debian-banner.patch
|
|
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: package-versioning.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2015-09-08
Patch-Name: mention-ssh-keygen-on-keychange.patch
|
|
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14
Patch-Name: auth-log-verbosity.patch
|
|
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
|
|
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2013-09-14
Patch-Name: shell-path.patch
|
|
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.
This should be revised to mimic real shell quoting.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27
Patch-Name: scp-quoting.patch
|
|
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2013-09-14
Patch-Name: user-group-modes.patch
|
|
|
|
architecture-independent-only build (closes: #806090).
|
|
#799271).
|
|
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
Forwarded: not-needed
Last-Update: 2015-08-20
Patch-Name: backport-regress-principals-command-noexec.patch
|
|
regardless of how many times it is listed
ok markus@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-kbdint-duplicates.patch
|
|
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-pam-use-after-free.patch
|
|
Pointed out by Moritz Jodeit; ok dtucker@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-do-not-resend-username-to-pam.patch
|
|
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-fix-pty-permissions.patch
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.
sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
PermitRootLogin default.
Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: debian-config.patch
|
|
Author: Robie Basak <robie.basak@ubuntu.com>
Forwarded: no
Last-Update: 2014-04-14
Patch-Name: sigstop.patch
|
|
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
|
|
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
|
|
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2013-06-08
Patch-Name: ssh-agent-setgid.patch
|
|
Bug-Debian: http://bugs.debian.org/50308
Last-Update: 2010-02-27
Patch-Name: helpful-wait-terminate.patch
|
|
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: doc-upstart.patch
|
|
This produces irritating messages when using ProxyCommand or other programs
that use ssh under the covers (e.g. Subversion). These messages are more
normally printed by the calling program, such as the shell.
According to the upstream bug, the right way to avoid this is to use the -q
option, so we may drop this patch after further investigation into whether
any software in Debian is still relying on it.
Author: Colin Watson <cjwatson@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
Bug-Debian: http://bugs.debian.org/313371
Last-Update: 2013-09-14
Patch-Name: quieter-signals.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
|
|
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
|
|
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: openbsd-docs.patch
|
|
Apparently this breaks some SVR4 packaging systems, so upstream can't win
either way and opted to keep the status quo. We need this patch anyway.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
Last-Update: 2013-09-14
Patch-Name: lintian-symlink-pickiness.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
|
|
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: debian-banner.patch
|
|
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: package-versioning.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2015-09-08
Patch-Name: mention-ssh-keygen-on-keychange.patch
|
|
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14
Patch-Name: auth-log-verbosity.patch
|
|
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
|
|
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2013-09-14
Patch-Name: shell-path.patch
|
