summaryrefslogtreecommitdiff
path: root/debian/patches
AgeCommit message (Collapse)Author
2010-08-24unconstify key argument to describe_key and do_keyColin Watson
2010-08-24unconstify key argument to blacklisted_key_in_file and blacklisted_keyColin Watson
2010-08-23* New upstream release (http://www.openssh.com/txt/release-5.6):Colin Watson
- Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity (closes: #335697, #350898, #454787, #500573, #550262). - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) Match blocks (closes: #549858). - sftp(1): fix ls in working directories that contain globbing characters in their pathnames (LP: #530714).
2010-05-22Check primary group memberships as well as supplementary groupColin Watson
memberships, and only allow group-writability by groups with exactly one member, as zero-member groups are typically used by setgid binaries rather than being user-private groups (closes: #581697).
2010-05-22Allow ~/.ssh/authorized_keys and other secure files to beColin Watson
group-writable, provided that the group in question contains only the file's owner; this extends a patch previously applied to ~/.ssh/config (closes: #581919).
2010-04-16* New upstream release:Colin Watson
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths. - Include a language tag when sending a protocol 2 disconnection message. - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
2010-04-10lintian-symlink-pickiness: remember to bump Last-UpdateColin Watson
2010-04-06Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 isColin Watson
installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
2010-04-06lintian-symlink-pickiness.patch rejected upstream, but we need to keep itColin Watson
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-03-31Drop Debian-specific removal of OpenSSL version check. Upstream ignoresColin Watson
the two patchlevel nybbles now, which is sufficient to address the original reason this change was introduced, and it appears that any change in the major/minor/fix nybbles would involve a new libssl package name. (We'd still lose if the status nybble were ever changed, but that would mean somebody had packaged a development/beta version rather than a proper release, which doesn't appear to be normal practice.)
2010-03-31ssh-vulnkey.patch: update another call to auth_key_is_revokedColin Watson
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-08Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<Colin Watson
3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
2010-03-01commentary from Jonathan (original patch author) on syslog-level-silent.patchColin Watson
2010-03-01existing upstream bug reference for quieter-signals.patchColin Watson
2010-03-01forwarded lintian-symlink-pickiness.patchColin Watson
2010-03-01forwarded old-gssapi.patchColin Watson
2010-03-01forwarded gssapi-compat.patchColin Watson
2010-03-01forwarded doc-hash-tab-completion.patchColin Watson
2010-03-01forwarded selinux-fix-chroot-directory.patchColin Watson
2010-03-01update Last-Update fieldsColin Watson
2010-03-01forwarded gnome-ssh-askpass2-link.patchColin Watson
2010-03-01forwarded doc-connection-sharing.patchColin Watson
2010-03-01forwarded ssh-copy-id-status-check.patchColin Watson
2010-03-01forwarded config-guess-sub.patchColin Watson
2010-03-01forwarded hurd-epfnosupport.patchColin Watson
2010-03-01forwarded authorized-keys-man-symlink.patchColin Watson
2010-03-01ssh-vulnkey.patch: fix offsetsColin Watson
2010-02-28forwarded gssapi-dump.patchColin Watson
2010-02-28Add GSSAPIStoreCredentialsOnRekey to 'sshd -T' configuration dump.Colin Watson
2010-02-28DEP-3 tagging of all remaining patchesColin Watson
2010-02-28DEP-3 tagging of versioning and file system layoutColin Watson
2010-02-28better patch nameColin Watson
2010-02-28DEP-3 tagging of remaining miscellaneous bug fixesColin Watson
2010-02-27DEP-3 tagging for message adjustments, and start on miscellaneous bug fixesColin Watson
2010-02-27DEP-3 tagging of autotools, SELinux, key blacklisting, and keepalive patchesColin Watson
2010-02-27DEP-3 tagging of GSSAPI patches; split old-gssapi.patch more appropriatelyColin Watson
2010-02-27Convert to source format 3.0 (quilt).Colin Watson