[Bug 1993427] Re: Merge openssh from Debian unstable for l-series
Bryce Harrington
1993427 at bugs.launchpad.net
Mon Nov 21 21:34:23 UTC 2022
There is a 9.1 release available for merge now
openssh | 1:9.0p1-1ubuntu7 | kinetic
openssh | 1:9.0p1-1ubuntu7 | lunar
openssh | 1:9.0p1-1ubuntu7.1 | kinetic-updates
openssh | 1:9.0p1-1ubuntu8 | lunar-proposed
openssh | 1:9.1p1-1 | unstable
openssh | 1:9.1p1-1 | unstable-debug
** Changed in: openssh (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1993427
Title:
Merge openssh from Debian unstable for l-series
Status in openssh package in Ubuntu:
New
Bug description:
Scheduled-For: ubuntu-later
Upstream: tbd
Debian: 1:9.0p1-1
Ubuntu: 1:9.0p1-1ubuntu7
### New Debian Changes ###
openssh (1:9.0p1-1) unstable; urgency=medium
* New upstream release (https://www.openssh.com/releasenotes.html#9.0p1):
- scp(1): Use the SFTP protocol by default (closes: #144579, #204546,
#327019). This changes scp's quoting semantics by no longer performing
wildcard expansion using the remote shell, and (with some server
versions) no longer expanding ~user paths. The -O option is available
to use the old protocol. See NEWS.Debian for more details.
- ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ('sntrup761x25519-sha512@openssh.com').
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers and is paired with the X25519 ECDH key exchange (the
previous default) as a backstop against any weaknesses in NTRU Prime
that may be discovered in the future. The combination ensures that the
hybrid exchange offers at least as good security as the status quo.
- sftp-server(8): support the 'copy-data' extension to allow server-side
copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00.
- sftp(1): add a 'cp' command to allow the sftp client to perform
server-side file copies.
- ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output fd
closes without data in the channel buffer (closes: #1007822).
- sshd(8): pack pollfd array in server listen/accept loop. Could cause
the server to hang/spin when MaxStartups > RLIMIT_NOFILE.
- ssh-keygen(1): avoid NULL deref via the find-principals and
check-novalidate operations. bz3409 and GHPR307 respectively.
- scp(1): fix a memory leak in argument processing.
- sshd(8): don't try to resolve ListenAddress directives in the sshd
re-exec path. They are unused after re-exec and parsing errors
(possible for example if the host's network configuration changed)
could prevent connections from being accepted.
- sshd(8): when refusing a public key authentication request from a
client for using an unapproved or unsupported signature algorithm
include the algorithm name in the log message to make debugging
easier.
- ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
parsing of K/M/G/etc quantities.
- sshd(8): default to not using sandbox when cross compiling. On most
systems poll(2) does not work when the number of FDs is reduced with
setrlimit, so assume it doesn't when cross compiling and we can't run
the test.
* Remove obsolete FAQ, removed from openssh.com in 2016.
-- Colin Watson <cjwatson@debian.org>  Sat, 09 Apr 2022 14:14:10 +0100
openssh (1:8.9p1-3) unstable; urgency=medium
* Allow ppoll_time64 in seccomp filter (closes: #1006445).
-- Colin Watson <cjwatson@debian.org>  Fri, 25 Feb 2022 23:30:49 +0000
openssh (1:8.9p1-2) unstable; urgency=medium
* Improve detection of -fzero-call-used-regs=all support.
-- Colin Watson <cjwatson@debian.org>  Thu, 24 Feb 2022 16:09:56 +0000
openssh (1:8.9p1-1) unstable; urgency=medium
* New upstream release (https://www.openssh.com/releasenotes.html#8.9p1):
- sshd(8): fix an integer overflow in the user authentication path that,
in conjunction with other logic errors, could have yielded
unauthenticated access under difficult to exploit conditions.
- sshd(8), portable OpenSSH only: this release removes in-built support
for MD5-hashed passwords.
- ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1).
- ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default
KEXAlgorithms list (after the ECDH methods but before the prime-group
DH ones). The next release of OpenSSH is likely to make this key
exchange the default method.
- ssh-keygen(1): when downloading resident keys from a FIDO token, pass
back the user ID that was used when the key was created and append it
to the filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple resident keys
with the same application string but different user IDs.
- ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on
tokens that provide user verification (UV) on the device itself,
including biometric keys, avoiding unnecessary PIN prompts.
- ssh-keygen(1): add 'ssh-keygen -Y match-principals' operation to
perform matching of principals names against an allowed signers file.
To be used towards a TOFU model for SSH signatures in git.
- ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to
ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
authentication time.
- ssh-keygen(1): allow selection of hash at sshsig signing time (either
sha512 (default) or sha256).
- ssh(1), sshd(8): read network data directly to the packet input buffer
instead of indirectly via a small stack buffer. Provides a modest
performance improvement.
- ssh(1), sshd(8): read data directly to the channel input buffer,
providing a similar modest performance improvement.
- ssh(1): extend the PubkeyAuthentication configuration directive to
accept yes|no|unbound|host-bound to allow control over one of the
protocol extensions used to implement agent-restricted keys.
- sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
PubkeyAuthOptions can be used in a Match block.
- sshd(8): fix possible string truncation when constructing paths to
.rhosts/.shosts files with very long user home directory names.
### Old Ubuntu Delta ###
openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium
* Update list of stock sshd_config checksums to include those from
jammy and kinetic.
* Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
avoid spurious ucf prompts on upgrade.
* Move /run/sshd creation out of the systemd unit to a tmpfile config
so that sshd can be run manually if necessary without having to create
this directory by hand. LP: #1991283.
[ Nick Rosbrook ]
* debian/openssh-server.postinst: Fix addresses.conf generation when only
non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).
-- Steve Langasek <vorlon@debian.org>  Mon, 26 Sep 2022 21:55:14 +0000
openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium
* Fix syntax error in postinst :/
-- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:51:32 +0000
openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium
* Correctly handle the case of new installs, and correctly apply systemd
unit overrides on upgrade from existing kinetic systems.
-- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:45:18 +0000
openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium
* Don't migrate users to socket activation if multiple ListenAddresses
might make sshd unreliable on boot.
* Fix regexp bug that prevented proper migration of IPv6 address settings.
-- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:35:37 +0000
openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium
* Document in the default sshd_config file the changes in behavior
triggered by use of socket-based activation.
-- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 26 Aug 2022 00:40:11 +0000
openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium
* Fix manpage to not claim socket-based activation is the default on
Debian!
-- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 26 Aug 2022 00:21:42 +0000
openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium
* debian/patches/systemd-socket-activation.patch: support systemd
socket activation.
* debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
activation by default.
* debian/rules: rejigger dh_installsystemd invocations so ssh.service and
ssh.socket don't fight.
* debian/openssh-server.postinst: handle migration of sshd_config options
to systemd socket options on upgrade.
* debian/README.Debian: document systemd socket activation.
* debian/patches/socket-activation-documentation.patch: Document in
sshd_config(5) that ListenAddress and Port no longer work.
* debian/openssh-server.templates, debian/openssh-server.postinst: include
debconf warning about possible service failure with multiple
ListenAddress settings.
-- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 19 Aug 2022 20:43:16 +0000
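The socket-activation migration that the 1:9.0p1-1ubuntu1 through 1:9.0p1-1ubuntu7 entries above describe (Port/ListenAddress settings from sshd_config turned into systemd socket options, the IPv6 regexp fix, the refusal to migrate when several ListenAddress lines are present, and the fix for a config that sets only a non-default Port) is easier to reason about as a worked example. The Python below is an added illustration written for this page, not the openssh-server postinst (which is a shell script) and not a reproduction of its logic; the drop-in path, the exact "do not migrate" policy and the sample configs are assumptions, modelled on the addresses.conf and the cases named in the changelog.

```python
"""Derive a systemd ssh.socket drop-in from the listen settings in sshd_config.

Illustrative reimplementation for the changelog entries above; it is NOT the
openssh-server postinst. The drop-in path and the migration policy are assumptions.
"""
import ipaddress
import re

DEFAULT_SSH_PORT = 22
# Assumed location, modelled on the addresses.conf mentioned in the changelog.
DROPIN_PATH = "/etc/systemd/system/ssh.socket.d/addresses.conf"

# sshd_config accepts both "Key value" and "Key=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


def parse_listen_address(spec):
    """Split one ListenAddress argument into (host, port-or-None).

    Follows sshd's own rule: a value with no '[' and two or more ':' is a bare
    IPv6 literal; otherwise the last ':' separates an optional port. An
    optional trailing 'rdomain X' qualifier is dropped.
    """
    spec = spec.split()[0]
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", spec)
    if m:
        return m.group(1), int(m.group(2)) if m.group(2) else None
    if "[" not in spec and spec.count(":") >= 2:
        return spec, None
    host, sep, port = spec.rpartition(":")
    if sep:
        return host, int(port)
    return spec, None


def parse_listen_directives(config_text):
    """Collect Port and ListenAddress values from the global section of sshd_config.

    Include'd files are not followed here; Match blocks end the global section
    (Port and ListenAddress are not valid inside them anyway).
    """
    ports, addrs = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            addrs.append(parse_listen_address(value))
    return ports, addrs


def systemd_endpoint(host, port):
    """Format host:port the way ListenStream= expects; None for a hostname.

    systemd needs literal addresses, and IPv6 literals must be bracketed.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def addresses_conf(config_text):
    """Return the drop-in text, or None when the unit should not be migrated."""
    ports, addrs = parse_listen_directives(config_text)
    if not ports:
        ports = [DEFAULT_SSH_PORT]
    if len(addrs) > 1:
        # Assumed policy after the changelog: several ListenAddress lines may
        # make a socket unit unreliable at boot, so leave sshd listening itself.
        return None
    if not addrs:
        # sshd's default is every local address, so a bare port is enough:
        # systemd binds [::]:port, which with the usual bindv6only=0 takes IPv4 too.
        endpoints = [str(p) for p in ports]
    else:
        host, port = addrs[0]
        endpoints = []
        # A ListenAddress without a port listens on every configured Port.
        for p in ([port] if port else ports):
            ep = systemd_endpoint(host, p)
            if ep is None:
                return None
            endpoints.append(ep)
    # The empty assignment clears the list inherited from the stock ssh.socket.
    lines = ["[Socket]", "ListenStream="] + [f"ListenStream={e}" for e in endpoints]
    return "\n".join(lines) + "\n"


# Constructed sample configs covering the cases the changelog names; not real hosts.
SAMPLE_CONFIGS = {
    "port-only": "Include /etc/ssh/sshd_config.d/*.conf\nPort 2222\nPasswordAuthentication no\n",
    "ipv6-with-port": "ListenAddress [2001:db8::1]:2222\n",
    "ipv6-bare": "Port 22\nPort 2222\nListenAddress 2001:db8::1\n",
    "multiple": "ListenAddress 192.0.2.1\nListenAddress 192.0.2.2\n",
    "hostname": "ListenAddress bastion.example\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        out = addresses_conf(text)
        print(f"== {name}: " + ("not migrated" if out is None else f"write {DROPIN_PATH}"))
        if out:
            print(out, end="")
```

Two points are worth noting when reading the output. First, the "port-only" case must still produce a drop-in, because the stock ssh.socket only knows about port 22; forgetting that is exactly the class of bug the 1:9.0p1-1ubuntu7 entry fixes. Second, the empty `ListenStream=` line is what makes the drop-in replace rather than extend the stock list; without it sshd would keep listening on 22 as well.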