Age | Commit message | Author
2015-09-10 | releasing package openssh version 1:6.9p1-2 | Colin Watson
2015-09-10 | Build with audit support on Linux (closes: #797727, LP: #1478087). | Tyler Hicks
2015-09-08 | mention-ssh-keygen-on-keychange.patch: Move example ssh-keygen invocation | Colin Watson
    onto a separate line to make it easier to copy and paste (LP: #1491532).
2015-09-08 | let principals-command.sh work for noexec /var/run | Damien Miller
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
    Forwarded: not-needed
    Last-Update: 2015-08-20
    Patch-Name: backport-regress-principals-command-noexec.patch
2015-09-08 | only query each keyboard-interactive device once per authentication request | djm@openbsd.org
    regardless of how many times it is listed ok markus@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-kbdint-duplicates.patch
2015-09-08 | set sshpam_ctxt to NULL after free | Damien Miller
    Avoids use-after-free in monitor when privsep child is compromised.
    Reported by Moritz Jodeit; ok dtucker@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-pam-use-after-free.patch
2015-09-08 | Don't resend username to PAM; it already has it. | Damien Miller
    Pointed out by Moritz Jodeit; ok dtucker@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-do-not-resend-username-to-pam.patch
2015-09-08 | Fix pty permissions | djm@openbsd.org
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-fix-pty-permissions.patch
2015-09-08 | Various Debian-specific configuration changes | Colin Watson
    ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021).
    ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
    ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms.
    ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default.
    sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default.
    Document all of this, along with several sshd defaults set in debian/openssh-server.postinst.
    Author: Russ Allbery <rra@debian.org>
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: debian-config.patch
2015-09-08 | Support synchronisation with service supervisor using SIGSTOP | Colin Watson
    Author: Robie Basak <robie.basak@ubuntu.com>
    Forwarded: no
    Last-Update: 2014-04-14
    Patch-Name: sigstop.patch
2015-09-08 | Give the ssh-askpass-gnome window a default icon | Vincent Untz
    Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
    Last-Update: 2010-02-28
    Patch-Name: gnome-ssh-askpass2-icon.patch
2015-09-08 | Don't check the status field of the OpenSSL version | Kurt Roeckx
    There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is.
    Author: Colin Watson <cjwatson@debian.org>
    Bug-Debian: https://bugs.debian.org/93581
    Bug-Debian: https://bugs.debian.org/664383
    Bug-Debian: https://bugs.debian.org/732940
    Forwarded: not-needed
    Last-Update: 2014-10-07
    Patch-Name: no-openssl-version-status.patch
2015-09-08 | Document consequences of ssh-agent being setgid in ssh-agent(1) | Colin Watson
    Bug-Debian: http://bugs.debian.org/711623
    Forwarded: no
    Last-Update: 2013-06-08
    Patch-Name: ssh-agent-setgid.patch
2015-09-08 | Refer to ssh's Upstart job as well as its init script | Colin Watson
    Forwarded: not-needed
    Last-Update: 2013-09-14
    Patch-Name: doc-upstart.patch
2015-09-08 | Document that HashKnownHosts may break tab-completion | Colin Watson
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
    Bug-Debian: http://bugs.debian.org/430154
    Last-Update: 2013-09-14
    Patch-Name: doc-hash-tab-completion.patch
2015-09-08 | ssh(1): Refer to ssh-argv0(1) | Colin Watson
    Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1).
    Bug-Debian: http://bugs.debian.org/111341
    Forwarded: not-needed
    Last-Update: 2013-09-14
    Patch-Name: ssh-argv0.patch
2015-09-08 | Adjust various OpenBSD-specific references in manual pages | Colin Watson
    No single bug reference for this patch, but history includes:
    http://bugs.debian.org/154434 (login.conf(5))
    http://bugs.debian.org/513417 (/etc/rc)
    http://bugs.debian.org/530692 (ssl(8))
    https://bugs.launchpad.net/bugs/456660 (ssl(8))
    Forwarded: not-needed
    Last-Update: 2014-10-07
    Patch-Name: openbsd-docs.patch
2015-09-08 | Fix picky lintian errors about slogin symlinks | Colin Watson
    Apparently this breaks some SVR4 packaging systems, so upstream can't win either way and opted to keep the status quo. We need this patch anyway.
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
    Last-Update: 2013-09-14
    Patch-Name: lintian-symlink-pickiness.patch
2015-09-08 | Install authorized_keys(5) as a symlink to sshd(8) | Tomas Pospisek
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
    Bug-Debian: http://bugs.debian.org/441817
    Last-Update: 2013-09-14
    Patch-Name: authorized-keys-man-symlink.patch
2015-09-08 | Add DebianBanner server configuration option | Kees Cook
    Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch.
    Bug-Debian: http://bugs.debian.org/562048
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: debian-banner.patch
2015-09-08 | Include the Debian version in our identification | Matthew Vernon
    This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.)
    Forwarded: not-needed
    Last-Update: 2013-09-14
    Patch-Name: package-versioning.patch
2015-09-08 | Mention ssh-keygen in ssh fingerprint changed warning | Scott Moser
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
    Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
    Last-Update: 2015-09-08
    Patch-Name: mention-ssh-keygen-on-keychange.patch
2015-08-22 | Import openssh_7.1p1.orig.tar.gz | Colin Watson
2015-08-22 | Import openssh_7.0p1.orig.tar.gz | Colin Watson
2015-08-21 | we don't use Github for issues/pull-requests | Damien Miller
2015-08-21 | fix URL for connect.c | Damien Miller
2015-08-21 | update version numbers for 7.1 | Damien Miller
2015-08-21 | upstream commit | djm@openbsd.org
    openssh-7.1
    Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
2015-08-21 | upstream commit | djm@openbsd.org
    fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
    Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
2015-08-21 | upstream commit | deraadt@openbsd.org
    Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
    Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
2015-08-21 | upstream commit | naddy@openbsd.org
    In the certificates section, be consistent about using "host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
    Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
2015-08-20 | releasing package openssh version 1:6.9p1-1 | Colin Watson
2015-08-20 | Let principals-command.sh work for noexec /var/run. | Colin Watson
2015-08-20 | let principals-command.sh work for noexec /var/run | Damien Miller
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
    Forwarded: not-needed
    Last-Update: 2015-08-20
    Patch-Name: backport-regress-principals-command-noexec.patch
2015-08-20 | upstream commit | djm@openbsd.org
    Better compat matching for WinSCP, add compat matching for FuTTY (fork of PuTTY); ok markus@ deraadt@
    Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
2015-08-20 | upstream commit | djm@openbsd.org
    fix double-free() in error path of DSA key generation reported by Mateusz Kocielski; ok markus@
    Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
2015-08-20 | upstream commit | djm@openbsd.org
    fix free() of uninitialised pointer reported by Mateusz Kocielski; ok markus@
    Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
2015-08-20 | upstream commit | djm@openbsd.org
    fixed unlink([uninitialised memory]) reported by Mateusz Kocielski; ok markus@
    Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
2015-08-20 | Fix autopkgtests to build some more regression test binaries. | Colin Watson
2015-08-19 | Document the Debian-specific change to the default value of | Colin Watson
    ForwardX11Trusted in ssh(1) (closes: #781469).
2015-08-19 | only query each keyboard-interactive device once per authentication request | djm@openbsd.org
    regardless of how many times it is listed ok markus@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-kbdint-duplicates.patch
2015-08-19 | set sshpam_ctxt to NULL after free | Damien Miller
    Avoids use-after-free in monitor when privsep child is compromised.
    Reported by Moritz Jodeit; ok dtucker@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-pam-use-after-free.patch
2015-08-19 | Don't resend username to PAM; it already has it. | Damien Miller
    Pointed out by Moritz Jodeit; ok dtucker@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-do-not-resend-username-to-pam.patch
2015-08-19 | Fix pty permissions | djm@openbsd.org
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-fix-pty-permissions.patch
2015-08-19 | Various Debian-specific configuration changes | Colin Watson
    ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021).
    ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
    ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms.
    ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default.
    sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default.
    Document all of this, along with several sshd defaults set in debian/openssh-server.postinst.
    Author: Russ Allbery <rra@debian.org>
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: debian-config.patch
2015-08-19 | Add a couple of SECURITY: tags. | Colin Watson
2015-08-19 | CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using | Colin Watson
    keyboard-interactive authentication (closes: #793616).
2015-08-19 | only query each keyboard-interactive device once per authentication request | djm@openbsd.org
    regardless of how many times it is listed ok markus@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-kbdint-duplicates.patch
2015-08-19 | Backport PAM security fixes. | Colin Watson
    - sshd(8): Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit.
    - sshd(8): Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution (closes: #795711). Also reported by Moritz Jodeit.
2015-08-19 | set sshpam_ctxt to NULL after free | Damien Miller
    Avoids use-after-free in monitor when privsep child is compromised.
    Reported by Moritz Jodeit; ok dtucker@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
    Forwarded: not-needed
    Last-Update: 2015-08-19
    Patch-Name: backport-pam-use-after-free.patch