summaryrefslogtreecommitdiff
path: root/debian/changelog
AgeCommit message (Collapse)Author
2011-02-05releasing version 1:5.8p1-1Colin Watson
2011-02-05* New upstream release (http://www.openssh.org/txt/release-5.8):Colin Watson
- Fix stack information leak in legacy certificate signing (http://www.openssh.com/txt/legacy-cert.adv).
2011-01-27releasing version 1:5.7p1-2Colin Watson
2011-01-27Fix crash in ssh_selinux_setfscreatecon when SELinux is disabledColin Watson
(LP: #708571).
2011-01-27releasing version 1:5.7p1-1Colin Watson
2011-01-26adjust ECDSA commentary in changelog - we aren't generating ECDSA host keys ↵Colin Watson
on upgrades
2011-01-26changelog for GSSAPI updateColin Watson
2011-01-25Rearrange selinux-role.patch so that it links properly given thisColin Watson
SELinux build fix.
2011-01-25Backport SELinux build fix from CVS.Colin Watson
2011-01-24Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support.Colin Watson
2011-01-24Generate ECDSA host keys. These will only be used on freshColin Watson
installations or if you manually add 'HostKey /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
2011-01-24* New upstream release (http://www.openssh.org/txt/release-5.7):Colin Watson
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. - sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command. - scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host (closes: #508613). - ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races (closes: #454784). Stale server sockets are now automatically removed (closes: #523250). - ssh(1): install a SIGCHLD handler to reap expired child process (closes: #594687). - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories (closes: #357469, although only if you arrange for ssh-agent to actually see $TMPDIR since the setgid bit will cause it to be stripped off).
2010-12-30releasing version 1:5.6p1-3Colin Watson
2010-12-30* Merge 1:5.5p1-6.Colin Watson
2010-12-27releasing version 1:5.5p1-6Colin Watson
2010-12-26Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd,Colin Watson
which is intentionally no longer shipped in the openssh-server package due to /var/run often being a temporary directory, is not removed on upgrade (closes: #575582).
2010-11-02Drop override for desktop-file-but-no-dh_desktop-call, which Lintian noColin Watson
longer issues.
2010-10-26releasing version 1:5.6p1-2Colin Watson
2010-10-26Backport upstream patch to install a SIGCHLD handler to reap expired sshColin Watson
child processes, preventing lots of zombies when using ControlPersist (closes: #594687).
2010-08-24releasing version 1:5.6p1-1Colin Watson
2010-08-23* New upstream release (http://www.openssh.com/txt/release-5.6):Colin Watson
- Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity (closes: #335697, #350898, #454787, #500573, #550262). - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) Match blocks (closes: #549858). - sftp(1): fix ls in working directories that contain globbing characters in their pathnames (LP: #530714).
2010-08-23releasing version 1:5.5p1-5Colin Watson
2010-08-13* debconf template translations:Colin Watson
- Update Danish (thanks, Joe Hansen; closes: #592800).
2010-08-05Use an architecture wildcard for libselinux1-dev (closes: #591740).Colin Watson
2010-05-22releasing version 1:5.5p1-4Colin Watson
2010-05-22Check primary group memberships as well as supplementary groupColin Watson
memberships, and only allow group-writability by groups with exactly one member, as zero-member groups are typically used by setgid binaries rather than being user-private groups (closes: #581697).
2010-05-22Allow ~/.ssh/authorized_keys and other secure files to beColin Watson
group-writable, provided that the group in question contains only the file's owner; this extends a patch previously applied to ~/.ssh/config (closes: #581919).
2010-05-04Add powerpcspe to architecture list for libselinux1-dev build-dependencySebastian Andrzej Siewior
(closes: #579843).
2010-04-28releasing version 1:5.5p1-3Colin Watson
2010-04-28Drop IDEA key check; I don't think it works properly any more due toColin Watson
textual changes in error output, it's only relevant for direct upgrades from truly ancient versions, and it breaks upgrades if /etc/ssh/ssh_host_key can't be loaded (closes: #579570).
2010-04-26Discard error messages while checking whether rsh, rlogin, and rcpColin Watson
alternatives exist (closes: #579285).
2010-04-17releasing version 1:5.5p1-2Colin Watson
2010-04-17Use dh_installinit -n, since our maintainer scripts already handle thisColin Watson
more carefully (thanks, Julien Cristau).
2010-04-16releasing version 1:5.5p1-1Colin Watson
2010-04-16* New upstream release:Colin Watson
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths. - Include a language tag when sending a protocol 2 disconnection message. - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
2010-04-16releasing version 1:5.4p1-2Colin Watson
2010-04-09Add a NEWS.Debian entry about changes in smartcard support relative toColin Watson
previous unofficial builds (closes: #231472).
2010-04-08Use dh_install more effectively.Colin Watson
2010-04-07Drop lpia support, since Ubuntu no longer supports this architecture.Colin Watson
2010-04-07Convert to dh(1), and use dh_installdocs --link-doc.Colin Watson
2010-04-06Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 isColin Watson
installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
2010-04-06releasing version 1:5.4p1-1Colin Watson
2010-04-03* Policy version 3.8.4:Colin Watson
- Add a Homepage field.
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-03-31Drop Debian-specific removal of OpenSSL version check. Upstream ignoresColin Watson
the two patchlevel nybbles now, which is sufficient to address the original reason this change was introduced, and it appears that any change in the major/minor/fix nybbles would involve a new libssl package name. (We'd still lose if the status nybble were ever changed, but that would mean somebody had packaged a development/beta version rather than a proper release, which doesn't appear to be normal practice.)
2010-03-31Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makesColin Watson
itself non-OOM-killable, and doesn't require configuration to avoid log spam in virtualisation containers (closes: #555625).
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-29Hardcode the location of xauth to /usr/bin/xauth rather thanColin Watson
/usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440). xauth no longer depends on x11-common, so we're no longer guaranteed to have the /usr/bin/X11 symlink available. I was taking advantage of the /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far enough in the past now that it's probably safe to just use /usr/bin.
2010-03-17Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.Colin Watson
2010-03-08Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<Colin Watson
3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.