[Bug 2018094] [NEW] Merge openssh from Debian unstable for mantic
Bryce Harrington
2018094 at bugs.launchpad.net
Fri Apr 28 22:22:20 UTC 2023
Public bug reported:
Scheduled-For: Backlog
Upstream: tbd
Debian: 1:9.2p1-2
Ubuntu: 1:9.0p1-1ubuntu8
The NOT SERVER TEAM team has maintained this package in the past and may be handling this merge.
If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.
### New Debian Changes ###
openssh (1:9.2p1-2) unstable; urgency=medium
* Fix mistakenly-unreleased entry for 1:9.2p1-1 in debian/NEWS.
-- Colin Watson <cjwatson at debian.org> Wed, 08 Feb 2023 10:43:07 +0000
openssh (1:9.2p1-1) unstable; urgency=medium
* Set 'UsePAM yes' when running regression tests, to match our default
sshd configuration.
* Ignore Lintian error about depending on lsb-base for now, to avoid
problems with partial upgrades on non-default init systems.
* New upstream release (https://www.openssh.com/releasenotes.html#9.2p1):
- [SECURITY] sshd(8): fix a pre-authentication double-free memory fault
introduced in OpenSSH 9.1. This is not believed to be exploitable, and
it occurs in the unprivileged pre-auth process that is subject to
chroot(2) and is further sandboxed on most major platforms.
- [SECURITY] ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
option would ignore its first argument unless it was one of the
special keywords 'any' or 'none', causing the permission list to fail
open if only one permission was specified.
- [SECURITY] ssh(1): if the CanonicalizeHostname and
CanonicalizePermittedCNAMEs options were enabled, and the system/libc
resolver did not check that names in DNS responses were valid, then
use of these options could allow an attacker with control of DNS to
include invalid characters (possibly including wildcards) in names
added to known_hosts files when they were updated. These names would
still have to match the CanonicalizePermittedCNAMEs allow-list, so
practical exploitation appears unlikely.
- ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime. This option
defaults to 'no', disabling the ~C command-line that was previously
enabled by default.
- sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be automatically
closed. Different timeouts may be applied to session, X11, agent and
TCP forwarding channels.
- sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for a length of time.
This complements the ChannelTimeout option above.
- sshd(8): add a -V (version) option to sshd like the ssh client has.
- ssh(1): add a 'Host' line to the output of ssh -G showing the original
hostname argument. bz3343
- scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow
control over some SFTP protocol parameters: the copy buffer length and
the number of in-flight requests, both of which are used during
upload/download. Previously these could be controlled in sftp(1) only.
This makes them available in both SFTP protocol clients using the same
option character sequence.
- ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g.
'ssh-keyscan 192.168.0.0/24'. If a CIDR range is passed, then it will
be expanded to all possible addresses in the range including the
all-0s and all-1s addresses.
- ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing.
- ssh(1): when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with zero,
as this could also remove the append flag from the set.
- ssh(1): avoid printf('%s', NULL) if using UserKnownHostsFile=none and
a hostkey in one of the system known hosts file changes.
- scp(1): switch scp from using pipes to a socket-pair for communication
with its ssh sub-processes, matching how sftp(1) operates.
- sshd(8): clear signal mask early in main(); sshd may have been started
with one or more signals masked (sigprocmask(2) is not cleared on
fork/exec) and this could interfere with various things, e.g. the
login grace timer. Execution environments that fail to clear the
signal mask before running sshd are clearly broken, but apparently
they do exist.
- ssh(1): warn if no host keys for hostbased auth can be loaded.
- sshd(8): Add server debugging for hostbased auth that is queued and
sent to the client after successful authentication, but also logged to
assist in diagnosis of HostbasedAuthentication problems.
- ssh(1): document use of the IdentityFile option as being usable to
list public keys as well as private keys.
- sshd(8): check for and disallow MaxStartups values less than or equal
to zero during config parsing, rather than failing later at runtime.
- ssh-keygen(1): fix parsing of hex cert expiry times specified on the
command-line when acting as a CA.
- scp(1): when scp(1) is using the SFTP protocol for transport (the
default), better match scp/rcp's handling of globs that don't match
the globbed characters but do match literally (e.g. trying to transfer
a file named 'foo.[1]'). Previously scp(1) in SFTP mode would not
match these pathnames but legacy scp/rcp mode would.
- ssh-agent(1): document the '-O no-restrict-websafe' command-line
option.
- ssh(1): honour user's umask(2) if it is more restrictive than the ssh
default (022).
- sshd(8): allow writev(2) in the Linux seccomp sandbox. This seems to
be used by recent glibcs at least in some configurations during error
conditions.
- sshd(8): simplify handling of SSH_CONNECTION PAM env var, removing
global variable and checking the return value from pam_putenv.
- sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was mistakenly
enabled during the OpenSSH 9.1 release cycle.
- sshd(8): defer PRNG seeding until after the initial closefrom(2) call.
PRNG seeding will initialize OpenSSL, and some engine providers (e.g.
Intel's QAT) will open descriptors for their own use that closefrom(2)
### Old Ubuntu Delta ###
openssh (1:9.0p1-1ubuntu8) lunar; urgency=medium
* debian/openssh-server.postinst: Fix handling of ListenAddress when a port
is specified (LP: #1993478):
- Strip port before converting hostnames to numerical addresses.
- Only append ports when the ListenAddress does not already specify a
port.
- Revert socket migration on upgrade if a previous version did the
migration when it should not have.
* debian/openssh-server.postinst: Ignore empty directory failure from rmdir
when skipping socket migration (LP: #1995294).
-- Nick Rosbrook <nick.rosbrook at canonical.com> Tue, 25 Oct 2022 11:57:43 -0400
openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium
* Update list of stock sshd_config checksums to include those from
jammy and kinetic.
* Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
avoid spurious ucf prompts on upgrade.
* Move /run/sshd creation out of the systemd unit to a tmpfile config
so that sshd can be run manually if necessary without having to create
this directory by hand. LP: #1991283.
[ Nick Rosbrook ]
* debian/openssh-server.postinst: Fix addresses.conf generation when only
non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).
-- Steve Langasek <vorlon at debian.org> Mon, 26 Sep 2022 21:55:14 +0000
openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium
* Fix syntax error in postinst :/
-- Steve Langasek <vorlon at debian.org> Fri, 23 Sep 2022 19:51:32 +0000
openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium
* Correctly handle the case of new installs, and correctly apply systemd
unit overrides on upgrade from existing kinetic systems.
-- Steve Langasek <vorlon at debian.org> Fri, 23 Sep 2022 19:45:18 +0000
openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium
* Don't migrate users to socket activation if multiple ListenAddresses
might make sshd unreliable on boot.
* Fix regexp bug that prevented proper migration of IPv6 address settings.
-- Steve Langasek <vorlon at debian.org> Fri, 23 Sep 2022 19:35:37 +0000
openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium
* Document in the default sshd_config file the changes in behavior
triggered by use of socket-based activation.
-- Steve Langasek <steve.langasek at ubuntu.com> Fri, 26 Aug 2022 00:40:11 +0000
openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium
* Fix manpage to not claim socket-based activation is the default on
Debian!
-- Steve Langasek <steve.langasek at ubuntu.com> Fri, 26 Aug 2022 00:21:42 +0000
openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium
* debian/patches/systemd-socket-activation.patch: support systemd
socket activation.
* debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
activation by default.
* debian/rules: rejigger dh_installsystemd invocations so ssh.service and
ssh.socket don't fight.
* debian/openssh-server.postinst: handle migration of sshd_config options
to systemd socket options on upgrade.
* debian/README.Debian: document systemd socket activation.
* debian/patches/socket-activation-documentation.patch: Document in
sshd_config(5) that ListenAddress and Port no longer work.
* debian/openssh-server.templates, debian/openssh-server.postinst: include
debconf warning about possible service failure with multiple
ListenAddress settings.
-- Steve Langasek <steve.langasek at ubuntu.com> Fri, 19 Aug 2022 20:43:16 +0000
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** Tags: needs-merge upgrade-software-version
https://bugs.launchpad.net/bugs/2018094
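The three [SECURITY] items in the 9.2p1 release notes quoted above, and the two new sshd_config timeout directives, are what an operator checks first when deciding whether this merge matters for a fleet. The script below is an added example and is not part of the bug report, of OpenSSH or of the Ubuntu packaging. It reduces an `ssh -V` banner to the upstream major.minor version and maps it onto the affected ranges exactly as the notes state them (PermitRemoteOpen fail-open: releases after 8.7, fixed in 9.2; pre-auth double-free: introduced in 9.1, fixed in 9.2), then checks an sshd_config for ChannelTimeout and UnusedConnectionTimeout. The function names, the banner and the configuration text are my own constructed samples; the ChannelTimeout values are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report, OpenSSH or the Ubuntu packaging):
# decide from an "ssh -V" banner whether the two version-bound [SECURITY] items
# in the 9.2p1 notes apply, and check an sshd_config for the new 9.2 timeouts.
# Affected ranges are taken from the release notes:
#   PermitRemoteOpen fail-open: releases after 8.7, fixed in 9.2
#   pre-auth double-free:       introduced in 9.1, fixed in 9.2
# Function names and the sample inputs below are my own (constructed).

# Reduce an ssh -V banner such as "OpenSSH_9.0p1 Ubuntu-1ubuntu8, OpenSSL ..."
# to its upstream "major.minor"; prints nothing for an unrecognised banner.
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Numeric comparison of two "major.minor" strings: prints -1, 0 or 1.
vercmp() {
    a_maj=${1%%.*}; a_min=${1#*.}
    b_maj=${2%%.*}; b_min=${2#*.}
    if [ "$a_maj" -lt "$b_maj" ] || { [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -lt "$b_min" ]; }; then
        echo -1
    elif [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -eq "$b_min" ]; then
        echo 0
    else
        echo 1
    fi
}

# True (exit 0) if ssh(1) at this upstream version has the PermitRemoteOpen
# fail-open bug: after 8.7 and before the 9.2 fix.
permitremoteopen_fail_open() {
    v=$(ssh_version "$1")
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" 8.7)" -gt 0 ] && [ "$(vercmp "$v" 9.2)" -lt 0 ]
}

# True if sshd(8) at this upstream version carries the 9.1 pre-auth double-free.
preauth_double_free() {
    v=$(ssh_version "$1")
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" 9.1)" -eq 0 ]
}

# True if the sshd_config text on stdin sets both ChannelTimeout and
# UnusedConnectionTimeout (keywords are case-insensitive; comment lines skipped).
has_92_timeouts() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "channeltimeout"          { ct = 1 }
        tolower($1) == "unusedconnectiontimeout" { uct = 1 }
        END { if (ct && uct) exit 0; exit 1 }
    '
}

# Print a one-line verdict per item for a banner.
report() {
    if permitremoteopen_fail_open "$1"; then
        echo "PermitRemoteOpen fail-open: affected by upstream version (fixed in 9.2)"
    else
        echo "PermitRemoteOpen fail-open: not affected"
    fi
    if preauth_double_free "$1"; then
        echo "pre-auth double-free: affected by upstream version (fixed in 9.2)"
    else
        echo "pre-auth double-free: not affected"
    fi
}

# Constructed inputs: the banner mirrors the Ubuntu version named in this bug
# (the OpenSSL part is illustrative); the config shows the two 9.2 directives.
SAMPLE_SSH_V='OpenSSH_9.0p1 Ubuntu-1ubuntu8, OpenSSL 3.0.8 7 Feb 2023'
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin prohibit-password
# idle sessions close after 1h, idle TCP forwards after 5m (9.2+)
ChannelTimeout session:*=1h direct-tcpip=5m forwarded-tcpip=5m
# connections with no open channel for 2m are dropped (9.2+)
UnusedConnectionTimeout 2m
'

report "$SAMPLE_SSH_V"
if printf '%s' "$SAMPLE_SSHD_CONFIG" | has_92_timeouts; then
    echo "sshd_config: ChannelTimeout and UnusedConnectionTimeout set"
else
    echo "sshd_config: 9.2 timeouts missing"
fi
```

On a real host, `ssh -V` writes its banner to stderr, so the call is `report "$(ssh -V 2>&1)"`, and the config check is `has_92_timeouts < /etc/ssh/sshd_config` (it does not follow Include directives; if your configuration is split across files, feed it the effective configuration printed by `sshd -T` instead, provided the directives appear in that output). The verdicts are deliberately worded "by upstream version": distributions backport security fixes without bumping the upstream version, so on Ubuntu the package revision in the banner (here "Ubuntu-1ubuntu8") and the package changelog, not the 9.0 alone, decide whether a given fix is present.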
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2018094/+subscriptions
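The Ubuntu delta above moves sshd to systemd socket activation, documents that ListenAddress and Port in sshd_config no longer take effect in that mode, and has the postinst translate them into socket options (the addresses.conf the changelog mentions), with later fixes for ListenAddress lines that already carry a port (LP: #1993478), for IPv6 addresses, and a refusal to migrate when several ListenAddress lines are present. The function below is an added illustration of that mapping and is not the postinst's own code. It reads an sshd_config on stdin and prints a systemd socket drop-in body following the rules in sshd_config(5): an address without a port listens on every configured Port (default 22), an address with its own port listens only there, and IPv6 addresses are bracketed. It assumes numeric addresses (the hostname resolution the changelog says the postinst performs is left out), ignores rdomain qualifiers, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not the Ubuntu postinst: translate sshd_config listen settings
# into systemd socket options for a socket-activated ssh.socket, following the
# rules in sshd_config(5). Assumptions: addresses are numeric (hostnames are
# not resolved here, unlike the real postinst) and "rdomain" qualifiers are ignored.

# Read sshd_config on stdin; print a drop-in body on stdout.
# Exit 2 without output if more than one ListenAddress is configured, the
# case the changelog says must not be migrated to socket activation.
sshd_listen_to_systemd() {
    awk '
        BEGIN { nports = 0; naddr = 0 }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "port"          { ports[nports++] = $2 }
        tolower($1) == "listenaddress" { addrs[naddr++] = $2 }
        END {
            if (naddr > 1) {
                print "more than one ListenAddress: not migrating to socket activation" > "/dev/stderr"
                exit 2
            }
            if (nports == 0) ports[nports++] = "22"   # sshd default port
            print "[Socket]"
            print "ListenStream="                      # empty value resets the list shipped in ssh.socket
            if (naddr == 0) {
                # no ListenAddress: listen on every address, one entry per Port
                for (i = 0; i < nports; i++) print "ListenStream=" ports[i]
                exit 0
            }
            a = addrs[0]; host = a; port = ""
            if (a ~ /^\[/) {
                # "[addr]:port" or "[addr]", the bracketed form for IPv6 with a port
                sub(/^\[/, "", host); sub(/].*$/, "", host)
                if (a ~ /]:[0-9]+$/) { port = a; sub(/^.*]:/, "", port) }
            } else if (split(a, parts, ":") > 2) {
                # two or more colons and no brackets: bare IPv6 address, no port
            } else if (a ~ /:[0-9]+$/) {
                # "addr:port" with an IPv4 address (or hostname)
                sub(/:[0-9]+$/, "", host)
                port = a; sub(/^.*:/, "", port)
            }
            if (host ~ /:/) host = "[" host "]"        # systemd needs IPv6 bracketed
            if (port != "") {
                # explicit port on the address: configured Port lines do not apply
                print "ListenStream=" host ":" port
            } else {
                for (i = 0; i < nports; i++) print "ListenStream=" host ":" ports[i]
            }
        }
    '
}

# Constructed sample: Port 2222 is configured, but the single ListenAddress
# carries its own port, so only 2200 is migrated (the LP: #1993478 case).
SAMPLE_LISTEN_CONFIG='# constructed sample, not a real sshd_config
Port 2222
ListenAddress 192.0.2.10:2200
'
printf '%s' "$SAMPLE_LISTEN_CONFIG" | sshd_listen_to_systemd
# Prints:
# [Socket]
# ListenStream=
# ListenStream=192.0.2.10:2200
```

The leading empty `ListenStream=` matters: systemd treats an empty assignment as a reset, so the drop-in replaces the listener shipped in ssh.socket rather than adding to it. The multiple-ListenAddress refusal mirrors the changelog's reasoning that several addresses can make a socket-activated sshd unreliable at boot (an address that is not yet configured when the socket unit starts fails the whole unit), which is why the packaging leaves such hosts on the service-managed listener.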