[ubuntu/lucid] openssh 1:5.2p1-1ubuntu1 (Accepted)
Colin Watson
cjwatson at ubuntu.com
Mon Jan 4 14:00:19 GMT 2010
openssh (1:5.2p1-1ubuntu1) lucid; urgency=low
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
take up a lot of CD space, and I suspect that rolling them out in
security updates has covered most affected systems now.
* Convert to Upstart. The init script is still here for the benefit of
people running sshd in chroots. Note that the Upstart job does not
support /etc/default/ssh, because it's much more straightforward to edit
the job (/etc/init/ssh.conf) than it was to edit the init script.
openssh (1:5.2p1-1) unstable; urgency=low
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
for a while, but there's no GSSAPI patch available for it yet.
- Change the default cipher order to prefer the AES CTR modes and the
revised "arcfour256" mode to CBC mode ciphers that are susceptible to
CPNI-957037 "Plaintext Recovery Attack Against SSH".
- Add countermeasures to mitigate CPNI-957037-style attacks against the
SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
packet length or Message Authentication Code, ssh/sshd will continue
reading up to the maximum supported packet length rather than
immediately terminating the connection. This eliminates most of the
known differences in behaviour that leaked information about the
plaintext of injected data which formed the basis of this attack
(closes: #506115, LP: #379329).
- ForceCommand directive now accepts commandline arguments for the
internal-sftp server (closes: #524423, LP: #362511).
- Add AllowAgentForwarding to available Match keywords list (closes:
#540623).
- Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
- Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
behaviour introduced in openssh-5.1; closes: #496017).
- Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
connections (closes: #507541).
- Fix "whitepsace" typo in ssh_config(5) (closes: #514313, LP: #303835).
* Update to GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
including cascading credentials support (LP: #416958).
* Use x11.pc when compiling/linking gnome-ssh-askpass2 (closes: #555951).
* Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields.
* Add debian/README.source with instructions on bzr handling.
* Make ChrootDirectory work with SELinux (thanks, Russell Coker; closes:
#556644).
* Initialise sc to NULL in ssh_selinux_getctxbyname (thanks, Václav Ovsík;
closes: #498684).
* Don't duplicate backslashes when displaying server banner (thanks,
Michał Górny; closes: #505378, LP: #425346).
* Use hardening-includes for hardening logic (thanks, Kees Cook; closes:
#561887).
* Update OpenSSH FAQ to revision 1.110.
* Remove ssh/new_config, only needed for direct upgrades from potato which
are no longer particularly feasible anyway (closes: #420682).
* Cope with insserv reordering of init script links.
* Remove init script stop link in rc1, as killprocs handles it already.
* Adjust short descriptions to avoid relying on previous experience with
rsh, based on suggestions from Reuben Thomas (closes: #512198).
* Remove manual page references to login.conf, which aren't applicable on
non-BSD systems (closes: #154434).
* Remove/adjust manual page references to BSD-specific /etc/rc (closes:
#513417).
* Refer to sshd_config(5) rather than sshd(8) in postinst-written
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
configuration file (closes: #415008, although unfortunately this will
only be conveniently visible on new installations).
* Include URL to OpenBSD's ssl(8) in ssh(1), since I don't see a better
source for the same information among Debian's manual pages (closes:
#530692, LP: #456660).
Date: Mon, 04 Jan 2010 13:45:21 +0000
Changed-By: Colin Watson <cjwatson at ubuntu.com>
Signed-By: Colin Watson <cjwatson at canonical.com>
https://launchpad.net/ubuntu/lucid/+source/openssh/1:5.2p1-1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 04 Jan 2010 13:45:21 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:5.2p1-1ubuntu1
Distribution: lucid
Urgency: low
Maintainer: Colin Watson <cjwatson at ubuntu.com>
Changed-By: Colin Watson <cjwatson at ubuntu.com>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 154434 415008 420682 496017 498684 505378 506115 507541 512198 513417 514313 524423 530692 536182 540623 555951 556644 561887
Changes:
openssh (1:5.2p1-1ubuntu1) lucid; urgency=low
.
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
take up a lot of CD space, and I suspect that rolling them out in
security updates has covered most affected systems now.
* Convert to Upstart. The init script is still here for the benefit of
people running sshd in chroots. Note that the Upstart job does not
support /etc/default/ssh, because it's much more straightforward to edit
the job (/etc/init/ssh.conf) than it was to edit the init script.
.
openssh (1:5.2p1-1) unstable; urgency=low
.
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
for a while, but there's no GSSAPI patch available for it yet.
- Change the default cipher order to prefer the AES CTR modes and the
revised "arcfour256" mode to CBC mode ciphers that are susceptible to
CPNI-957037 "Plaintext Recovery Attack Against SSH".
- Add countermeasures to mitigate CPNI-957037-style attacks against the
SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
packet length or Message Authentication Code, ssh/sshd will continue
reading up to the maximum supported packet length rather than
immediately terminating the connection. This eliminates most of the
known differences in behaviour that leaked information about the
plaintext of injected data which formed the basis of this attack
(closes: #506115, LP: #379329).
- ForceCommand directive now accepts commandline arguments for the
internal-sftp server (closes: #524423, LP: #362511).
- Add AllowAgentForwarding to available Match keywords list (closes:
#540623).
- Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
- Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
behaviour introduced in openssh-5.1; closes: #496017).
- Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
connections (closes: #507541).
- Fix "whitepsace" typo in ssh_config(5) (closes: #514313, LP: #303835).
* Update to GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
including cascading credentials support (LP: #416958).
* Use x11.pc when compiling/linking gnome-ssh-askpass2 (closes: #555951).
* Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields.
* Add debian/README.source with instructions on bzr handling.
* Make ChrootDirectory work with SELinux (thanks, Russell Coker; closes:
#556644).
* Initialise sc to NULL in ssh_selinux_getctxbyname (thanks, Václav Ovsík;
closes: #498684).
* Don't duplicate backslashes when displaying server banner (thanks,
Michał Górny; closes: #505378, LP: #425346).
* Use hardening-includes for hardening logic (thanks, Kees Cook; closes:
#561887).
* Update OpenSSH FAQ to revision 1.110.
* Remove ssh/new_config, only needed for direct upgrades from potato which
are no longer particularly feasible anyway (closes: #420682).
* Cope with insserv reordering of init script links.
* Remove init script stop link in rc1, as killprocs handles it already.
* Adjust short descriptions to avoid relying on previous experience with
rsh, based on suggestions from Reuben Thomas (closes: #512198).
* Remove manual page references to login.conf, which aren't applicable on
non-BSD systems (closes: #154434).
* Remove/adjust manual page references to BSD-specific /etc/rc (closes:
#513417).
* Refer to sshd_config(5) rather than sshd(8) in postinst-written
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
configuration file (closes: #415008, although unfortunately this will
only be conveniently visible on new installations).
* Include URL to OpenBSD's ssl(8) in ssh(1), since I don't see a better
source for the same information among Debian's manual pages (closes:
#530692, LP: #456660).
Checksums-Sha1:
17588c2a6d128f453d023cdf501af7fb12d09969 2389 openssh_5.2p1-1ubuntu1.dsc
8273a0237db98179fbdc412207ff8eb14ff3d6de 1016612 openssh_5.2p1.orig.tar.gz
4d851fdc17c231f991b7d70bdca93847f9c8dc70 237461 openssh_5.2p1-1ubuntu1.diff.gz
Checksums-Sha256:
138ba76ad826ee589fe937df231edeeb8182653b835b8b8c3be3fcc049b0bc54 2389 openssh_5.2p1-1ubuntu1.dsc
4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae 1016612 openssh_5.2p1.orig.tar.gz
4654802e3a6022d45b9d86d01d8fb791b04b930b34b5178daf085c026117e1a6 237461 openssh_5.2p1-1ubuntu1.diff.gz
Files:
0ed52590d0ba53c9f051913468b0e80f 2389 net standard openssh_5.2p1-1ubuntu1.dsc
ada79c7328a8551bdf55c95e631e7dad 1016612 net standard openssh_5.2p1.orig.tar.gz
3b8ca9cdd9ac19d1a9cc6c2cbb6e29e6 237461 net standard openssh_5.2p1-1ubuntu1.diff.gz
Launchpad-Bugs-Fixed: 303835 362511 379329 416958 425346 456660
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson at debian.org> -- Debian developer
iQIVAwUBS0HyCTk1h9l9hlALAQisBQ//Um8kF9vSmec0ec8DzW2UvVj+sZjICLoC
Wu+g50oaffrzcRVAmxcgfjoChY4vvVaiqKQ8YWW/muod/W7qdH5X81MRbVkyafJi
T5+yQXUM246ic7waJ7GPB494nrBW4O1SxspI/Ysa/86gD3pFb23Dm/g0wNb5IkYF
VkMC7nMligU2niYKyieyu+QlhY6/em3AMF8pfk+onDeQNpCnxN1zZqIHpZLyfMKB
YfSOxeGUSERzxsQZsZJVOksbYX8Iy1oCg0UM2pGKNbfmkXwMoawqlOMcxJHxYFjh
YenjaJIni9gHAjWz2kES554YYeYTdvqiUEvBffv6Jjoq1fjxIx2IRoxMZbuFf3/H
RQpufmTF7JyBOSrFQzEOBYJqdlZJ3rYaoGxUPbrlPTOE05lxI81sieeasyVTnZf1
tCo/5Cn+ANNJ+gfzlKOo2QTPf9q/7ss3VoB7FOsQjo56KCQcLYwXF5fzlg+i+o9y
5mcXr9ZfQHnIiX+YiH0GsTq70eL/sjSszM4qyqD3JDis/0XNTXR8Es5GsdauAzcZ
g1q4o4ZqlKM4wWzfVHdT3UXpEkrM+F8gjEo2WSqwTPXPcZl93NXJlBnK7L/MpRAY
0v0LpA51/zsqKlYU+27ZiI5n5E7JM1FfNaYz75jayJIwJ3B6imOu1XHJdOX/c38Z
ECQKVZ/22xc=
=kwUh
-----END PGP SIGNATURE-----
More information about the Lucid-changes
mailing list