Age | Commit message (Collapse) | Author | |
---|---|---|---|
2017-10-05 | New upstream release (7.6p1) | Colin Watson | |
2017-08-28 | Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to ↵ | Colin Watson | |
allow some extra syscalls for crypto cards on s390x (LP: #1686618). | |||
2017-08-22 | Quote IP address in suggested "ssh-keygen -f" calls (closes: #872643). | Colin Watson | |
2017-08-22 | Drop Upstart-specific patches | Colin Watson | |
2017-06-06 | Fix incoming compression statistics (thanks, Russell Coker; closes: #797964). | Colin Watson | |
2017-04-02 | Fix syntax error on Linux/X32 | Colin Watson | |
2017-04-02 | Add missing header on Linux/s390 | Colin Watson | |
2017-04-02 | New upstream release (7.5p1) | Colin Watson | |
2017-03-30 | Unbreak Unix domain socket forwarding for root (closes: #858252). | Colin Watson | |
2017-03-16 | Fix null pointer dereference in ssh-keygen; this fixes an autopkgtest ↵ | Colin Watson | |
regression introduced in 1:7.4p1-8. | |||
2017-03-14 | Fix ssh-keyscan to correctly hash hosts with a port number (closes: #857736, ↵ | Colin Watson | |
LP: #1670745). | |||
2017-03-09 | Fix ssh-keygen -H accidentally corrupting known_hosts that contained ↵ | Colin Watson | |
already-hashed entries (closes: #851734, LP: #1668093). | |||
2017-03-05 | Restore reading authorized_keys2 by default | Colin Watson | |
Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period (closes: #852320). | |||
2017-01-16 | Fix rekeying failure with GSSAPI key exchange (thanks, Harald Barth; closes: ↵ | Colin Watson | |
#819361). | |||
2017-01-16 | Remove ssh_host_dsa_key from HostKey default (closes: #850614). | Colin Watson | |
2017-01-03 | Work around clock_gettime kernel bug on Linux x32 (closes: #849923). | Colin Watson | |
2017-01-03 | Create mux socket for regression tests in a temporary directory. | Colin Watson | |
2017-01-02 | merge patched into master | Colin Watson | |
2017-01-01 | Make integrity tests more robust against timeouts in the case where the ↵ | Colin Watson | |
first test in a series for a given MAC happens to modify the low bytes of a packet length. | |||
2016-12-28 | Avoid calling into Kerberos libraries from ssh_gssapi_server_mechanisms in ↵ | Colin Watson | |
the privsep monitor. | |||
2016-12-26 | Remove redundant "GSSAPIDelegateCredentials no" from ssh_config (already the ↵ | Colin Watson | |
upstream default), and document that setting ServerAliveInterval to 300 by default if BatchMode is set is Debian-specific (closes: #765630). | |||
2016-12-26 | Start handling /etc/ssh/sshd_config using ucf. | Colin Watson | |
* Start handling /etc/ssh/sshd_config using ucf. The immediate motivation for this is to deal with deprecations of options related to protocol 1, but something like this has been needed for a long time (closes: #419574, #848089): - sshd_config is now a slightly-patched version of upstream's, and only contains non-default settings (closes: #147201). - I've included as many historical md5sums of default versions of sshd_config as I could reconstruct from version control, but I'm sure I've missed some. - Explicitly synchronise the debconf database with the current configuration file state in openssh-server.config, to ensure that the PermitRootLogin setting is properly preserved. - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather than "yes", per upstream. | |||
2016-12-23 | New upstream release (7.4p1). | Colin Watson | |
2016-11-19 | Fix and enable PuTTY interoperability tests under autopkgtest. | Colin Watson | |
2016-10-24 | CVE-2016-8858: Unregister the KEXINIT handler after message has been ↵ | Colin Watson | |
received (closes: #841884). | |||
2016-08-07 | New upstream release (7.3p1). | Colin Watson | |
2016-07-22 | Backport upstream patch to close ControlPersist background process stderr ↵ | Colin Watson | |
when not in debug mode or when logging to a file or syslog (closes: #714526). | |||
2016-07-22 | CVE-2016-6210: Mitigate user enumeration via covert timing channel. | Colin Watson | |
2016-04-28 | Backport upstream patch to unbreak authentication using lone certificate ↵ | Colin Watson | |
keys in ssh-agent: when attempting pubkey auth with a certificate, if no separate private key is found among the keys then try with the certificate key itself (thanks, Paul Querna; LP: #1575961). | |||
2016-04-13 | CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes. | Colin Watson | |
2016-03-21 | Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on the ↵ | Colin Watson | |
server end than the client (thanks, Damien Miller; closes: #817870, LP: #1558576). | |||
2016-03-10 | New upstream release (7.2p2). | Colin Watson | |
2016-03-08 | New upstream release (7.2). | Colin Watson | |
2016-01-14 | New upstream release (7.1p2). | Colin Watson | |
2016-01-04 | Shuffle PROPOSAL_KEX_ALGS mangling for GSSAPI key exchange a little later in ↵ | Colin Watson | |
ssh_kex2 so that it's actually effective (closes: #809696). | |||
2016-01-04 | Allow authenticating as root using gssapi-keyex even with "PermitRootLogin ↵ | Colin Watson | |
prohibit-password" (closes: #809695). | |||
2016-01-04 | Don't call sd_notify when sshd is re-execed (closes: #809035). | Michael Biebl | |
2015-12-21 | Add systemd readiness notification support (closes: #778913). | Michael Biebl | |
2015-12-15 | Backport upstream patch to unbreak connections with peers that set ↵ | Colin Watson | |
first_kex_follows (LP: #1526357). | |||
2015-12-07 | Update "Subsystem sftp" path in example sshd_config (closes: #691004). | Colin Watson | |
2015-12-03 | Drop SSH1 keepalive patch. Now that SSH1 is disabled at compile-time, it's ↵ | Colin Watson | |
been rejected upstream and there isn't much point carrying it any more. | |||
2015-11-29 | New upstream release (7.1p1). | Colin Watson | |
2015-11-29 | New upstream release (7.0p1). | Colin Watson | |
2015-11-24 | Drop ConsoleKit session registration patch; it was only ever enabled for ↵ | Colin Watson | |
Ubuntu, which no longer needs it (LP: #1334916, #1502045). | |||
2015-09-17 | ssh_config(5): Fix markup errors in description of GSSAPITrustDns (closes: ↵ | Colin Watson | |
#799271). | |||
2015-09-08 | mention-ssh-keygen-on-keychange.patch: Move example ssh-keygen invocation ↵ | Colin Watson | |
onto a separate line to make it easier to copy and paste (LP: #1491532). | |||
2015-08-20 | Let principals-command.sh work for noexec /var/run. | Colin Watson | |
2015-08-19 | Document the Debian-specific change to the default value of ↵ | Colin Watson | |
ForwardX11Trusted in ssh(1) (closes: #781469). | |||
2015-08-19 | CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using ↵ | Colin Watson | |
keyboard-interactive authentication (closes: #793616). | |||
2015-08-19 | Backport PAM security fixes. | Colin Watson | |
- sshd(8): Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit. - sshd(8): Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution (closes: #795711). Also reported by Moritz Jodeit. |