[ubuntu/oracular-proposed] openssh 1:9.7p1-7ubuntu2 (Accepted)

Nick Rosbrook enr0n at ubuntu.com
Wed Jul 31 16:16:13 UTC 2024


openssh (1:9.7p1-7ubuntu2) oracular; urgency=medium

  * d/p/test-set-UsePAM-no-on-some-tests.patch: restore patch
    This was mistakenly dropped in the merge from Debian after
    testing locally only.

openssh (1:9.7p1-7ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064435). Remaining changes:
    - Make systemd socket activation the default:
      + debian/rules: modify dh_installsystemd invocations for
        socket-activated sshd
      + debian/README.Debian: document systemd socket activation.
      + debian/patches/systemd-socket-activation.patch: Fix sshd
        re-execution behavior when socket activation is used
      + debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
        activation functionality.
      + debian/control: Build-Depends: systemd-dev
      + d/p/sshd-socket-generator.patch: add generator for socket activation
      + debian/openssh-server.install: install sshd-socket-generator
      + debian/openssh-server.postinst: handle migration to sshd-socket-generator
      + d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
      + ssh.socket: adjust unit for socket activation by default
      + debian/rules: explicitly enable LTO
    - debian/.gitignore: drop file
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/patches: Immediately report interactive instructions to PAM clients
    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
    - d/t/ssh-gssapi: disable -e in cleanup()
    - SECURITY UPDATE: timing attack against echo-off password entry
      + debian/patches/CVE-2024-39894.patch: don't rely on
        channel_did_enqueue in clientloop.c
      + CVE-2024-39894
  * Dropped changes, included in Debian:
    - debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
    - Remove deprecated user_readenv=1 setting (LP #2059859):
      + d/openssh-server.sshd.pam.in: drop user_readenv=1, which was
        deprecated by pam_env upstream. OpenSSH has the SendEnv and AcceptEnv
        configuration options that can be used to replace this feature, and
        are in the default config already
      + d/NEWS: update about this change in behavior
    - debian: Remove dependency on libsystemd
    - d/p/gssapi.patch: fix method_gsskeyex structure and
      userauth_gsskeyex function regarding changes introduced in upstream
      commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
      multiple names for authmethods") (LP #2053146)
    - d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
      and gssapi-keyex authentication methods
    - SECURITY UPDATE: remote code execution via signal handler race
      condition (LP #2070497)
      + debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
      + CVE-2024-6387
  * Dropped changes, no longer needed:
    - debian/openssh-server.postinst: ucf workaround for LP #1968873
      [affected upgrade path not supported]
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
      for some tests.

openssh (1:9.7p1-7) unstable; urgency=critical

  [ Salvatore Bonaccorso ]
  * Disable async-signal-unsafe code from the sshsigdie() function.  This is
    a minimal workaround for a regression from CVE-2006-5051.

openssh (1:9.7p1-6) unstable; urgency=medium

  * Stop reading ~/.pam_environment, which has a history of security
    problems and is deprecated by PAM upstream (closes: #1018260).

openssh (1:9.7p1-5) unstable; urgency=medium

  [ Colin Watson ]
  * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service
    (closes: #1069706).
  * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
    set.

  [ Andreas Hasenack ]
  * Add autopkgtests for GSSAPI logins, including gssapi-keyex.

  [ Luca Boccassi ]
  * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
    (closes: #1070725).
  * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
    Meyer).

openssh (1:9.7p1-4) unstable; urgency=medium

  * Rework systemd readiness notification and socket activation patches to
    not link against libsystemd (the former via an upstream patch).
  * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
    unsupported, but configure fails to detect this).

openssh (1:9.7p1-3) unstable; urgency=medium

  * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
    LP: #2053146).
  * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes:
    #1067243).
  * debian/tests/regress: Set a different IP address for UNKNOWN.
  * Re-enable ssh-askpass-gnome on all architectures.
  * regress: Redirect conch stdin from /dev/zero (re-enables conch interop
    tests).
  * Drop "Work around RSA SHA-2 signature issues in conch" patch (no longer
    needed now that Twisted is fixed).

openssh (1:9.7p1-2) unstable; urgency=medium

  [ Simon McVittie ]
  * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
    (closes: #1066847).

openssh (1:9.7p1-1) unstable; urgency=medium

  * Add the isolation-container restriction to the "regress" autopkgtest.
    Our setup code wants to ensure that the haveged service is running, and
    furthermore at least the agent-subprocess test assumes that there's an
    init to reap zombie processes and doesn't work in (e.g.)
    autopkgtest-virt-unshare.
  * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
    - ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all
      open channels and will close all open channels if there is no traffic
      on any of them for the specified interval. This is in addition to the
      existing per-channel timeouts added recently.
      This supports situations like having both session and x11 forwarding
      channels open where one may be idle for an extended period but the
      other is actively used. The global timeout could close both channels
      when both have been idle for too long (closes: #165185).
    - All: make DSA key support compile-time optional, defaulting to on.
    - sshd(8): don't append an unnecessary space to the end of subsystem
      arguments (bz3667)
    - ssh(1): fix the multiplexing "channel proxy" mode, broken when
      keystroke timing obfuscation was added. (GHPR#463)
    - ssh(1), sshd(8): fix spurious configuration parsing errors when
      options that accept array arguments are overridden (bz3657).
    - ssh-agent(1): fix potential spin in signal handler (bz3670)
    - Many fixes to manual pages and other documentation.
    - Greatly improve interop testing against PuTTY.
  * Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
  * Allow passing extra options to debian/tests/regress, for debugging.
  * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
    (LP: #2053146).

openssh (1:9.6p1-5) unstable; urgency=medium

  * Restore systemd template unit for per-connection sshd instances,
    although without any corresponding .socket unit for now; this is mainly
    for use with the forthcoming systemd-ssh-generator (closes: #1061516).
    It's now called sshd@.service, since unlike the main service there's no
    need to be concerned about compatibility with the slightly confusing
    "ssh" service name that Debian has traditionally used.

openssh (1:9.6p1-4) unstable; urgency=medium

  * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
    test to ensure it doesn't get out of date again.
  * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
    checks for OpenSSL >= 3 in 9.4p1.
  * Build-depend on pkgconf rather than pkg-config.
  * Adjust debian/copyright to handle the "placed in the public domain"
    status of rijndael.* more explicitly.

Date: Wed, 31 Jul 2024 10:20:23 -0400
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/openssh/1:9.7p1-7ubuntu2
Format: 1.8
Date: Wed, 31 Jul 2024 10:20:23 -0400
Source: openssh
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.7p1-7ubuntu2
Distribution: oracular
Urgency: critical
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Closes: 165185 1018260 1061516 1066847 1067243 1069706 1070725
Launchpad-Bugs-Fixed: 2053146 2064435
Checksums-Sha1:
 9bb198829ff917803cf2a6f6fa23e604267c4f60 3327 openssh_9.7p1-7ubuntu2.dsc
 52d2252949f295262c7d3044b13cd336db4daf2d 207228 openssh_9.7p1-7ubuntu2.debian.tar.xz
 ac5f69206c3f8cee202813673c97177e0a55d2ba 8494 openssh_9.7p1-7ubuntu2_source.buildinfo
Checksums-Sha256:
 58d8f396769a24512dc40ee0085f5dafbe3a618c85e0235e3e39dca96f3c6602 3327 openssh_9.7p1-7ubuntu2.dsc
 878d638e9aaccdd574d534198f6888b33c6f97209cc5ff36ca64f4bb237165a2 207228 openssh_9.7p1-7ubuntu2.debian.tar.xz
 51c75c92acbfe6e1bd882fa4ae03d8ed2e27f1cc3306fcc91f302fa41277c029 8494 openssh_9.7p1-7ubuntu2_source.buildinfo
Files:
 5801835845fe2572693b42b62b1e0a09 3327 net standard openssh_9.7p1-7ubuntu2.dsc
 c9f521f28fbf42fbc2a65f523abe64e3 207228 net standard openssh_9.7p1-7ubuntu2.debian.tar.xz
 0e5aae4c8f463b60d4ca464ca8ea19de 8494 net standard openssh_9.7p1-7ubuntu2_source.buildinfo
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
Vcs-Git: https://git.launchpad.net/~enr0n/ubuntu/+source/openssh
Vcs-Git-Commit: 947b613b1c4f42d36e73f6915b6f46e0e4f4e295
Vcs-Git-Ref: refs/heads/lp-2064435