[ubuntu/oracular-proposed] openssh 1:9.7p1-7ubuntu1 (Accepted)
Nick Rosbrook
enr0n at ubuntu.com
Tue Jul 30 15:30:15 UTC 2024
openssh (1:9.7p1-7ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064435). Remaining changes:
    - Make systemd socket activation the default:
      + debian/rules: modify dh_installsystemd invocations for
        socket-activated sshd
      + debian/README.Debian: document systemd socket activation.
      + debian/patches/systemd-socket-activation.patch: Fix sshd
        re-execution behavior when socket activation is used
      + debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
        activation functionality.
      + debian/control: Build-Depends: systemd-dev
      + d/p/sshd-socket-generator.patch: add generator for socket activation
      + debian/openssh-server.install: install sshd-socket-generator
      + debian/openssh-server.postinst: handle migration to sshd-socket-generator
      + d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
      + ssh.socket: adjust unit for socket activation by default
      + debian/rules: explicitly enable LTO
    - debian/.gitignore: drop file
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/patches: Immediately report interactive instructions to PAM clients
    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
    - d/t/ssh-gssapi: disable -e in cleanup()
    - SECURITY UPDATE: timing attack against echo-off password entry
      + debian/patches/CVE-2024-39894.patch: don't rely on
        channel_did_enqueue in clientloop.c
      + CVE-2024-39894
  * Dropped changes, included in Debian:
    - debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
    - Remove deprecated user_readenv=1 setting (LP #2059859):
      + d/openssh-server.sshd.pam.in: drop user_readenv=1, which was
        deprecated by pam_env upstream. Openssh has the SendEnv and AcceptEnv
        configuration options that can be used to replace this feature, and
        are in the default config already
      + d/NEWS: update about this change in behavior
    - debian: Remove dependency on libsystemd
    - d/p/gssapi.patch: fix method_gsskeyex structure and
      userauth_gsskeyex function regarding changes introduced in upstream
      commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
      multiple names for authmethods") (LP #2053146)
    - d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
      and gssapi-keyex authentication methods
    - SECURITY UPDATE: remote code execution via signal handler race
      condition (LP #2070497)
      + debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
      + CVE-2024-6387
  * Dropped changes, no longer needed:
    - debian/openssh-server.postinst: ucf workaround for LP #1968873
      [affected upgrade path not supported]
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
      for some tests.

openssh (1:9.7p1-7) unstable; urgency=critical

  [ Salvatore Bonaccorso ]
  * Disable async-signal-unsafe code from the sshsigdie() function. This is
    a minimal workaround for a regression from CVE-2006-5051.

openssh (1:9.7p1-6) unstable; urgency=medium

  * Stop reading ~/.pam_environment, which has a history of security
    problems and is deprecated by PAM upstream (closes: #1018260).

openssh (1:9.7p1-5) unstable; urgency=medium

  [ Colin Watson ]
  * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service
    (closes: #1069706).
  * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
    set.

  [ Andreas Hasenack ]
  * Add autopkgtests for GSSAPI logins, including gssapi-keyex.

  [ Luca Boccassi ]
  * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
    (closes: #1070725).
  * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
    Meyer).

openssh (1:9.7p1-4) unstable; urgency=medium

  * Rework systemd readiness notification and socket activation patches to
    not link against libsystemd (the former via an upstream patch).
  * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
    unsupported, but configure fails to detect this).

openssh (1:9.7p1-3) unstable; urgency=medium

  * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
    LP: #2053146).
  * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes:
    #1067243).
  * debian/tests/regress: Set a different IP address for UNKNOWN.
  * Re-enable ssh-askpass-gnome on all architectures.
  * regress: Redirect conch stdin from /dev/zero (re-enables conch interop
    tests).
  * Drop "Work around RSA SHA-2 signature issues in conch" patch (no longer
    needed now that Twisted is fixed).

openssh (1:9.7p1-2) unstable; urgency=medium

  [ Simon McVittie ]
  * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
    (closes: #1066847).

openssh (1:9.7p1-1) unstable; urgency=medium

  * Add the isolation-container restriction to the "regress" autopkgtest.
    Our setup code wants to ensure that the haveged service is running, and
    furthermore at least the agent-subprocess test assumes that there's an
    init to reap zombie processes and doesn't work in (e.g.)
    autopkgtest-virt-unshare.
  * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
    - ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all
      open channels and will close all open channels if there is no traffic
      on any of them for the specified interval. This is in addition to the
      existing per-channel timeouts added recently.
      This supports situations like having both session and x11 forwarding
      channels open where one may be idle for an extended period but the
      other is actively used. The global timeout could close both channels
      when both have been idle for too long (closes: #165185).
    - All: make DSA key support compile-time optional, defaulting to on.
    - sshd(8): don't append an unnecessary space to the end of subsystem
      arguments (bz3667)
    - ssh(1): fix the multiplexing "channel proxy" mode, broken when
      keystroke timing obfuscation was added. (GHPR#463)
    - ssh(1), sshd(8): fix spurious configuration parsing errors when
      options that accept array arguments are overridden (bz3657).
    - ssh-agent(1): fix potential spin in signal handler (bz3670)
    - Many fixes to manual pages and other documentation.
    - Greatly improve interop testing against PuTTY.
  * Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
  * Allow passing extra options to debian/tests/regress, for debugging.
  * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
    (LP: #2053146).

openssh (1:9.6p1-5) unstable; urgency=medium

  * Restore systemd template unit for per-connection sshd instances,
    although without any corresponding .socket unit for now; this is mainly
    for use with the forthcoming systemd-ssh-generator (closes: #1061516).
    It's now called sshd@.service, since unlike the main service there's no
    need to be concerned about compatibility with the slightly confusing
    "ssh" service name that Debian has traditionally used.

openssh (1:9.6p1-4) unstable; urgency=medium

  * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
    test to ensure it doesn't get out of date again.
  * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
    checks for OpenSSL >= 3 in 9.4p1.
  * Build-depend on pkgconf rather than pkg-config.
  * Adjust debian/copyright to handle the "placed in the public domain"
    status of rijndael.* more explicitly.
Date: Mon, 29 Jul 2024 15:19:02 -0400
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/openssh/1:9.7p1-7ubuntu1
Format: 1.8
Date: Mon, 29 Jul 2024 15:19:02 -0400
Source: openssh
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.7p1-7ubuntu1
Distribution: oracular
Urgency: critical
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Closes: 165185 1018260 1061516 1066847 1067243 1069706 1070725
Launchpad-Bugs-Fixed: 2053146 2064435
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
Vcs-Git: https://git.launchpad.net/~enr0n/ubuntu/+source/openssh
Vcs-Git-Commit: f06ffe21c51ed3f4dda873f2263a43508489d06a
Vcs-Git-Ref: refs/heads/lp-2064435