[Bug 1946286] Re: Merge openssh from Debian unstable for 22.04
Colin Watson
1946286 at bugs.launchpad.net
Sun Nov 7 18:10:54 UTC 2021
I've just synced 1:8.7p1-1.
https://bugs.launchpad.net/bugs/1946286
Title:
Merge openssh from Debian unstable for 22.04
Status in openssh package in Ubuntu:
Invalid
Bug description:
Scheduled-For: 22.12
Upstream: tbd
Debian: 1:8.4p1-6
Ubuntu: 1:8.4p1-6ubuntu2
Debian typically updates openssh every 1 month on average, but it was
last updated 21.08 and looks overdue. Check back in on this monthly.
### New Debian Changes ###
openssh
openssh (1:8.4p1-6) unstable; urgency=medium
[ Colin Watson ]
* Rename ssh group to _ssh (closes: #990456). It's only used by
ssh-agent.
* debian/tests/regress: Don't fail cleanup if haveged isn't running.
* Backport from upstream:
- Add includes.h to compat tests (closes: #992134, LP: #1939751).
* Use 'command -v' in maintainer scripts rather than 'which'.
[ Athos Ribeiro ]
* d/systemd/ssh@.service: preserve the systemd managed runtime directory to
ensure parallel processes will not disrupt one another when halting
(LP: #1905285) (closes: #934663)
-- Colin Watson <cjwatson at debian.org> Thu, 19 Aug 2021 11:04:01
+0100
openssh (1:8.4p1-5) unstable; urgency=high
* CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).
-- Colin Watson <cjwatson at debian.org> Sat, 13 Mar 2021 09:59:40
+0000
openssh (1:8.4p1-4) unstable; urgency=medium
* Avoid using libmd's <sha2.h> even if it's installed (closes:
#982705).
-- Colin Watson <cjwatson at debian.org> Mon, 15 Feb 2021 10:25:17
+0000
openssh (1:8.4p1-3) unstable; urgency=medium
* Backport from upstream:
- Fix `EOF: command not found` error in ssh-copy-id (closes: #975540).
-- Colin Watson <cjwatson at debian.org> Wed, 02 Dec 2020 10:32:23
+0000
openssh (1:8.4p1-2) unstable; urgency=medium
* Revert incorrect upstream patch that claimed to fix the seccomp sandbox
on x32 but in fact broke it instead.
-- Colin Watson <cjwatson at debian.org> Mon, 26 Oct 2020 17:41:13
+0000
openssh (1:8.4p1-1) unstable; urgency=medium
* New upstream release (https://www.openssh.com/txt/release-8.4):
- [SECURITY] ssh-agent(1): restrict ssh-agent from signing web
challenges for FIDO/U2F keys.
- [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when
generating a FIDO resident key.
- ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is generated has changed. It now includes the
authenticator data needed to validate attestation signatures.
- The API between OpenSSH and the FIDO token middleware has changed and
the SSH_SK_VERSION_MAJOR version has been incremented as a result.
Third-party middleware libraries must support the current API version
(7) to work with OpenSSH 8.4.
- ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
'verify-required' option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
- sshd(8): authorized_keys now supports a new 'verify-required' option
to require FIDO signatures assert that the token verified that the
user was present before making the signature. The FIDO protocol
supports multiple methods for user-verification, but currently OpenSSH
only supports PIN verification.
- sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
- ssh(1): allow some keywords to expand shell-style ${ENV} environment
variables. The supported keywords are CertificateFile, ControlPath,
IdentityAgent and IdentityFile, plus LocalForward and RemoteForward
when used for Unix domain socket paths.
- ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use (closes: #368657).
- ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-limited
keys will automatically be removed from ssh-agent after their expiry
time has passed.
- scp(1), sftp(1): allow the -A flag to explicitly enable agent
forwarding in scp and sftp. The default remains to not forward an
agent, even when ssh_config enables it.
- ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the
destination. This allows, e.g., keeping host keys in individual files
using 'UserKnownHostsFile ~/.ssh/known_hosts.d/%k' (closes: #481250).
- ssh(1): add %-TOKEN, environment variable and tilde expansion to the
UserKnownHostsFile directive, allowing the path to be completed by the
configuration.
- ssh-keygen(1): allow 'ssh-add -d -' to read keys to be deleted from
stdin.
- sshd(8): improve logging for MaxStartups connection throttling. sshd
will now log when it starts and stops throttling and periodically
while in this state.
- ssh(1), ssh-keygen(1): better support for multiple attached FIDO
tokens. In cases where OpenSSH cannot unambiguously determine which
token to direct a request to, the user is now required to select a
token by touching it. In cases of operations that require a PIN to be
verified, this avoids sending the wrong PIN to the wrong token and
### Old Ubuntu Delta ###
openssh (1:8.4p1-6ubuntu2) impish; urgency=medium
* Configure with ac_cv_func_closefrom=no to avoid an incompatibility
with glibc 2.34's fallback_closefrom function (LP: #1944621)
-- William 'jawn-smith' Wilson <william.wilson at canonical.com> Tue,
21 Sep 2021 22:08:39 +0000
openssh (1:8.4p1-6ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1941799). Remaining changes:
- Cherry-pick seccomp fixes for glibc 2.33 thanks to Dave Jones for
reports on armhf.
-- William 'jawn-smith' Wilson <william.wilson at canonical.com> Thu,
26 Aug 2021 12:51:02 -0600