Age | Commit message (Collapse) | Author | |
---|---|---|---|
2010-01-02 | more bug fix notes | Colin Watson | |
2010-01-01 | * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out | Colin Watson | |
for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958). | |||
2010-01-01 | TODO for gssapi branch handling | Colin Watson | |
2009-12-21 | pushed some previous upstream release branches to Launchpad | Colin Watson | |
2009-12-21 | Add debian/README.source with instructions on bzr handling. | Colin Watson | |
2009-12-21 | move local ignores to .bzrignore and resync .cvsignore files with upstream | Colin Watson | |
2009-12-21 | Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields. | Colin Watson | |
2009-11-12 | Use x11.pc when compiling/linking gnome-ssh-askpass2 (closes: #555951). | Colin Watson | |
2009-10-05 | releasing version 1:5.1p1-8 | Colin Watson | |
2009-10-04 | Pass $SSHD_OPTS when checking configuration too (thanks, "sobtwmxt"; | Colin Watson | |
closes: #548662). | |||
2009-09-30 | Fix grammar in if-up script (closes: #549128). | Colin Watson | |
2009-09-17 | Build-depend on libselinux1-dev on sh4 too (thanks, Nobuhiro Iwamatsu; | Colin Watson | |
closes: #547103). | |||
2009-08-28 | Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi; | Colin Watson | |
closes: #538313). | |||
2009-07-31 | releasing version 1:5.1p1-7 | Colin Watson | |
2009-07-31 | Upgrade to debhelper v7. | Colin Watson | |
2009-07-31 | Use 'which' rather than 'type' in maintainer scripts. | Colin Watson | |
2009-07-31 | Add ${misc:Depends} to keep Lintian happy. | Colin Watson | |
2009-07-28 | Set umask to 022 in the init script as well as postinsts (closes: | Colin Watson | |
#539030). | |||
2009-07-24 | Update config.guess and config.sub from autotools-dev 20090611.1 | Colin Watson | |
(closes: #538301). | |||
2009-06-05 | releasing version 1:5.1p1-6 | Colin Watson | |
2009-06-05 | this isn't needed, already removed above | Colin Watson | |
2009-06-05 | Use invoke-rc.d in openssh-server's if-up script. | Colin Watson | |
2009-06-05 | Remove /var/run/sshd from openssh-server package; it will be created at | Colin Watson | |
run-time before starting the server. | |||
2009-06-05 | Build with -fPIC on mips/mipsel (thanks, Luk Claes; closes: #531942). | Colin Watson | |
2009-05-28 | Check if delgroup is present in openssh-client.postrm (closes: #530501). | Colin Watson | |
2009-04-06 | Add a comment above PermitRootLogin in sshd_config pointing to | Colin Watson | |
README.Debian. | |||
2009-01-28 | Add ufw integration (thanks, Didier Roche; see | Colin Watson | |
https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages; LP: #261884). | |||
2009-01-14 | Disable OOM adjustment for vserver/OpenVZ (thanks, Karl Chen; closes: | Colin Watson | |
#511771). | |||
2009-01-14 | Open /proc/self/oom_adj with O_RDONLY or O_WRONLY as necessary, rather | Colin Watson | |
than O_RDWR. | |||
2009-01-14 | releasing version 1:5.1p1-5 | Colin Watson | |
2009-01-14 | While the above is a valuable sanity-check, it turns out that it doesn't | Colin Watson | |
really fix the bug (thanks to Kevin Price for testing), so for the meantime we'll just use '/etc/init.d/ssh restart', even though it is unfortunately heavyweight. | |||
2009-01-13 | fix reversed logic | Colin Watson | |
2009-01-13 | Check that /var/run/sshd.pid exists and that the process ID listed there | Colin Watson | |
corresponds to sshd before running '/etc/init.d/ssh reload' from if-up script; SIGHUP is racy if called at boot before sshd has a chance to install its signal handler, but fortunately the pid file is written after that which lets us avoid the race (closes: #502444). | |||
2009-01-13 | * Backport from upstream CVS (Markus Friedl): | Colin Watson | |
- packet_disconnect() on padding error, too. Should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18. | |||
2008-11-23 | releasing version 1:5.1p1-4 | Colin Watson | |
2008-11-23 | Fix double-free when failing to parse a forwarding specification given | Colin Watson | |
using ~C (closes: #505330; forwarded upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=1539). | |||
2008-11-23 | * Backport from upstream CVS (Markus Friedl): | Colin Watson | |
- Only send eow and no-more-sessions requests to openssh 5 and newer; fixes interop problems with broken ssh v2 implementations (closes: #495917). | |||
2008-10-09 | add upstream bug link | Colin Watson | |
2008-10-09 | ssh-copy-id: Strip trailing colons from hostname (closes: #226172, | Colin Watson | |
LP: #249706; thanks to Karl Goetz for nudging this along). | |||
2008-09-30 | releasing version 1:5.1p1-3 | Colin Watson | |
2008-09-29 | Fix handling of zero-length server banners (thanks, Tomas Mraz; closes: | Colin Watson | |
#497026). | |||
2008-09-12 | Configure with --disable-strip; dh_strip will deal with stripping | Colin Watson | |
binaries and will honour DEB_BUILD_OPTIONS (thanks, Bernhard R. Link; closes: #498681). | |||
2008-08-25 | Remove unnecessary ssh-vulnkey output in non-verbose mode when no | Colin Watson | |
compromised or unknown keys were found (closes: #496495). | |||
2008-07-29 | releasing version 1:5.1p1-2 | Colin Watson | |
2008-07-29 | Look for $SHELL on the path when executing ProxyCommands or | Colin Watson | |
LocalCommands (closes: #492728). | |||
2008-07-25 | releasing version 1:5.1p1-1 | Colin Watson | |
2008-07-25 | this doesn't seem to work yet; remove changelog entry claiming it does at ↵ | Colin Watson | |
least until I figure it out | |||
2008-07-24 | typo | Colin Watson | |
2008-07-23 | * Merge from Ubuntu: | Colin Watson | |
- Add 'status' action to openssh-server init script, requiring lsb-base (>= 3.2-13) (thanks, Dustin Kirkland). | |||
2008-07-23 | note SELinux status caching (LP: #237557) and ssh-keyscan rsa default (LP: ↵ | Colin Watson | |
#129794) |