[Bug 2064435] Re: Merge openssh from Debian unstable for oracular
Bryce Harrington
2064435 at bugs.launchpad.net
Wed May 1 15:27:40 UTC 2024
** Changed in: openssh (Ubuntu)
Milestone: None => ubuntu-24.10-beta
--
https://bugs.launchpad.net/bugs/2064435
Title:
Merge openssh from Debian unstable for oracular
Status in openssh package in Ubuntu:
New
Bug description:
Scheduled-For: Backlog
Upstream: tbd
Debian: 1:9.7p1-4
Ubuntu: 1:9.6p1-3ubuntu13
NOT SERVER TEAM has maintained this package's merge in the past.
If it turns out this needs a sync rather than a merge, please change
the tag 'needs-merge' to 'needs-sync', and (optionally) update the
title as desired.
If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38
### New Debian Changes ###
openssh (1:9.7p1-4) unstable; urgency=medium
* Rework systemd readiness notification and socket activation patches to
not link against libsystemd (the former via an upstream patch).
* Force -fzero-call-used-regs=used not to be used on ppc64el (it's
unsupported, but configure fails to detect this).
-- Colin Watson <cjwatson at debian.org> Wed, 03 Apr 2024 12:06:08
+0100
openssh (1:9.7p1-3) unstable; urgency=medium
* Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
LP: #2053146).
* Extend -fzero-call-used-regs check to catch m68k gcc bug (closes:
#1067243).
* debian/tests/regress: Set a different IP address for UNKNOWN.
* Re-enable ssh-askpass-gnome on all architectures.
* regress: Redirect conch stdin from /dev/zero (re-enables conch interop
tests).
* Drop 'Work around RSA SHA-2 signature issues in conch' patch (no longer
needed now that Twisted is fixed).
-- Colin Watson <cjwatson at debian.org> Sun, 31 Mar 2024 11:55:38
+0100
openssh (1:9.7p1-2) unstable; urgency=medium
[ Simon McVittie ]
* d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
(closes: #1066847).
-- Colin Watson <cjwatson at debian.org> Thu, 14 Mar 2024 11:45:12
+0000
openssh (1:9.7p1-1) unstable; urgency=medium
* Add the isolation-container restriction to the 'regress' autopkgtest.
Our setup code wants to ensure that the haveged service is running, and
furthermore at least the agent-subprocess test assumes that there's an
init to reap zombie processes and doesn't work in (e.g.)
autopkgtest-virt-unshare.
* New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
- ssh(1), sshd(8): add a 'global' ChannelTimeout type that watches all
open channels and will close all open channels if there is no traffic
on any of them for the specified interval. This is in addition to the
existing per-channel timeouts added recently.
This supports situations like having both session and x11 forwarding
channels open where one may be idle for an extended period but the
other is actively used. The global timeout could close both channels
when both have been idle for too long (closes: #165185).
- All: make DSA key support compile-time optional, defaulting to on.
- sshd(8): don't append an unnecessary space to the end of subsystem
arguments (bz3667)
- ssh(1): fix the multiplexing 'channel proxy' mode, broken when
keystroke timing obfuscation was added. (GHPR#463)
- ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).
- ssh-agent(1): fix potential spin in signal handler (bz3670)
- Many fixes to manual pages and other documentation.
- Greatly improve interop testing against PuTTY.
* Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
* Allow passing extra options to debian/tests/regress, for debugging.
* Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
(LP: #2053146).
-- Colin Watson <cjwatson at debian.org> Thu, 14 Mar 2024 10:47:58
+0000
openssh (1:9.6p1-5) unstable; urgency=medium
* Restore systemd template unit for per-connection sshd instances,
although without any corresponding .socket unit for now; this is mainly
for use with the forthcoming systemd-ssh-generator (closes: #1061516).
It's now called sshd@.service, since unlike the main service there's no
need to be concerned about compatibility with the slightly confusing
'ssh' service name that Debian has traditionally used.
-- Colin Watson <cjwatson at debian.org> Wed, 06 Mar 2024 09:45:56
+0000
openssh (1:9.6p1-4) unstable; urgency=medium
* Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
test to ensure it doesn't get out of date again.
* Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
checks for OpenSSL >= 3 in 9.4p1.
* Build-depend on pkgconf rather than pkg-config.
* Adjust debian/copyright to handle the 'placed in the public domain'
status of rijndael.* more explicitly.
-- Colin Watson <cjwatson at debian.org> Mon, 26 Feb 2024 12:26:57
+0000
openssh (1:9.6p1-3) unstable; urgency=medium
* Allow passing extra ssh-agent arguments via
'/usr/lib/openssh/agent-launch start', making it possible to override
things like identity lifetime using a systemd drop-in unit (closes:
#1059639).
* Don't try to start rescue-ssh.target in postinst (LP: #2047082).
-- Colin Watson <cjwatson at debian.org> Wed, 17 Jan 2024 22:50:07
+0000
openssh (1:9.6p1-2) unstable; urgency=medium
### Old Ubuntu Delta ###
openssh (1:9.6p1-3ubuntu13) noble; urgency=medium
[ Marco Trevisan (Treviño) ]
* debian: Remove dependency on libsystemd
As per the xz backdoor we learned that the fewer dependencies sshd has,
the better it is, so avoid plugging libsystemd (which also brings various
other dependencies) inside sshd for no reason:
- d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
dependency
- d/p/systemd-socket-activation.patch: Import patch from debian that
mimics the libsystemd sd_listen_fds() code, as refactored by Colin
Watson.
- d/control: Remove dependencies on libsystemd-dev | libelogind-dev
- d/rules: Drop --with-systemd flag (new options are used by default)
[ Nick Rosbrook ]
* debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN'
(LP: #2060150)
* debian/openssh-server.postinst: don't re-enable ssh.socket if it was disabled
(LP: #2059874)
* d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
(LP: #2059872)
-- Nick Rosbrook <enr0n at ubuntu.com> Fri, 05 Apr 2024 15:30:31 -0400
openssh (1:9.6p1-3ubuntu12) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek at ubuntu.com> Sun, 31 Mar 2024
09:23:28 +0000
openssh (1:9.6p1-3ubuntu11) noble; urgency=medium
* d/t/ssh-gssapi: make the test a bit more robust (LP: #2058276):
- deal with return codes
- match a more specific success expression from the logs
- add klist output in the case of failure
-- Andreas Hasenack <andreas at canonical.com> Mon, 18 Mar 2024
10:25:15 -0300
openssh (1:9.6p1-3ubuntu10) noble; urgency=medium
* Build again with gnome.
-- Matthias Klose <doko at ubuntu.com> Sat, 16 Mar 2024 19:30:41 +0100
openssh (1:9.6p1-3ubuntu9) noble; urgency=medium
* d/p/gssapi.patch: fix method_gsskeyex structure and
userauth_gsskeyex function regarding changes introduced in upstream
commit dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for
multiple names for authmethods') (LP: #2053146)
* d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
and gssapi-keyex authentication methods
-- Andreas Hasenack <andreas at canonical.com> Fri, 15 Mar 2024
16:18:01 -0300
openssh (1:9.6p1-3ubuntu8) noble; urgency=medium
* No-change rebuild against libcom-err2
-- Steve Langasek <steve.langasek at ubuntu.com> Tue, 12 Mar 2024
20:34:07 +0000
openssh (1:9.6p1-3ubuntu7) noble; urgency=medium
* No-change rebuild against libglib2.0-0t64
-- Steve Langasek <steve.langasek at ubuntu.com> Mon, 11 Mar 2024
23:25:42 +0000
openssh (1:9.6p1-3ubuntu6) noble; urgency=medium
* No-change rebuild against libglib2.0-0t64
-- Steve Langasek <steve.langasek at ubuntu.com> Fri, 08 Mar 2024
06:32:05 +0000
openssh (1:9.6p1-3ubuntu5) noble; urgency=medium
* debian/systemd/ssh.service: restore RuntimeDirectory=sshd (LP: #2055806)
We started using a tmpfile in Ubuntu when we invoked sshd -G in
openssh-server.postinst as a part of migration to systemd socket activation.
Since we use a generator now, instead of invoking sshd -G, we no longer need
this change.
-- Nick Rosbrook <enr0n at ubuntu.com> Thu, 07 Mar 2024 13:59:57 -0500
openssh (1:9.6p1-3ubuntu5~ppa2) noble; urgency=medium
* Build without gnome.
-- Matthias Klose <doko at ubuntu.com> Tue, 05 Mar 2024 15:53:05 +0100
openssh (1:9.6p1-3ubuntu4) noble; urgency=medium
* No-change rebuild against libssl3t64
-- Steve Langasek <steve.langasek at ubuntu.com> Mon, 04 Mar 2024
20:31:25 +0000
openssh (1:9.6p1-3ubuntu3) noble; urgency=medium
* Add sshd-socket-generator to generate ssh.socket drop-in configuration
instead of doing one-time generation on package upgrade:
- debian/control: Build-Depends: systemd-dev
- d/p/sshd-socket-generator.patch: add generator for socket activation
- debian/openssh-server.install: install sshd-socket-generator
- debian/openssh-server.postinst: handle migration to sshd-socket-generator
- d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
- ssh.socket: adjust unit for socket activation by default
- debian/README.Debian: update ssh.socket documentation
- debian/rules: explicitly enable LTO
The armhf build was not using LTO, which made sshd-socket-generator FTBFS.
This change ensures that all arches are using LTO.
* Drop the following changes related to previous ssh socket activation approach:
- debian/openssh-server.postrm: remove systemd drop-ins for
socket-activated sshd on purge
- debian/openssh-server.templates: include debconf prompt explaining
when migration cannot happen due to multiple ListenAddress values
- debian/openssh-server.postinst: handle migration of sshd_config options
to systemd socket options on upgrade.
- debian/patches/socket-activation-documentation.patch: Document in
sshd_config(5) that ListenAddress and Port no longer work.
* debian/openssh-server.ucf-md5sum: update for new Ubuntu delta
-- Nick Rosbrook <enr0n at ubuntu.com> Wed, 21 Feb 2024 12:51:30 -0500
openssh (1:9.6p1-3ubuntu2) noble; urgency=medium
[ Marco Trevisan (Treviño) ]
* debian/patches: Immediately report interactive instructions to PAM clients
* debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
-- Julian Andres Klode <juliank at ubuntu.com> Thu, 15 Feb 2024
11:13:03 +0100
openssh (1:9.6p1-3ubuntu1) noble; urgency=medium
* Merge with Debian unstable (LP: #2040406). Remaining changes:
- debian/rules: modify dh_installsystemd invocations for
socket-activated sshd.
- debian/openssh-server.postinst: handle migration of sshd_config
options to systemd socket options on upgrade.
- debian/README.Debian: document systemd socket activation.
- debian/patches/socket-activation-documentation.patch: Document
in sshd_config(5) that ListenAddress and Port no longer work.
- debian/openssh-server.templates: include debconf prompt
explaining when migration cannot happen due to multiple
ListenAddress values.
- debian/.gitignore: drop file.
- debian/openssh-server.postrm: remove systemd drop-ins for
socket-activated sshd on purge.
- debian/openssh-server.ucf-md5sum: update for Ubuntu delta
- debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
/run/sshd creation out of the systemd unit to a tmpfile config
so that sshd can be run manually if necessary without having to
create this directory by hand.
- debian/patches/systemd-socket-activation.patch: Fix sshd
re-execution behavior when socket activation is used.
- debian/tests/systemd-socket-activation: Add autopkgtest
for systemd socket activation functionality.
- d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
for some tests.
* Dropped changes, fixed upstream:
- d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3
(LP #2049552)
-- Miriam España Acebal <miriam.espana at canonical.com> Mon, 29 Jan
2024 11:16:31 +0100