Format: 1.8
Date: Fri, 21 Feb 2020 16:36:37 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server openssh-sk-helper openssh-tests ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: all amd64 source
Version: 1:8.2p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 275458 631189 845315 951220 951582 951640
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remote machines
 openssh-sk-helper - OpenSSH helper for FIDO authenticator support
 openssh-tests - OpenSSH regression tests
 ssh - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-add
Changes:
 openssh (1:8.2p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.2, closes: #951582):
     - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates.
     - ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server.
     - ssh-keygen(1): The command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag.
     - sshd(8): The sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups.
     - Add support for FIDO/U2F hardware authenticators.
     - ssh-keygen(1): Add a "no-touch-required" option when generating FIDO-hosted keys that disables their default behaviour of requiring a physical touch/tap on the token during authentication. Note: not all tokens support disabling the touch requirement.
     - sshd(8): Add a sshd_config PubkeyAuthOptions directive that collects miscellaneous public key authentication-related options for sshd(8). At present it supports only a single option "no-touch-required". This causes sshd to skip its default check for FIDO/U2F keys that the signature was authorised by a touch or press event on the token hardware.
     - ssh(1), sshd(8), ssh-keygen(1): Add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that FIDO key signatures attest that the user touched their key to authorize them, mirroring the similar PubkeyAuthOptions sshd_config option.
     - ssh-keygen(1): Add support for writing the FIDO attestation information that is returned when new keys are generated via the "-O write-attestation=/path" option. FIDO attestation certificates may be used to verify that a FIDO key is hosted in trusted hardware. OpenSSH does not currently make use of this information, beyond optionally writing it to disk.
     - Add support for FIDO2 resident keys.
     - sshd(8): Add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns (closes: #631189).
     - ssh(1)/sshd(8): Make the LE (low effort) DSCP code point available via the IPQoS directive.
     - ssh(1): When AddKeysToAgent=yes is set and the key contains no comment, add the key to the agent with the key's path as the comment.
     - ssh-keygen(1), ssh-agent(1): Expose PKCS#11 key labels and X.509 subjects as key comments, rather than simply listing the PKCS#11 provider library path.
     - ssh-keygen(1): Allow PEM export of DSA and ECDSA keys.
     - sshd(8): When clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2 (closes: #275458).
     - ssh(1), ssh-agent(1): When invoking the $SSH_ASKPASS prompt program, pass a hint to the program to describe the type of desired prompt. The possible values are "confirm" (indicating that a yes/no confirmation dialog with no text entry should be shown), "none" (to indicate an informational message only), or blank for the original ssh-askpass behaviour of requesting a password/phrase.
     - ssh(1): Allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accept an explicit path or the name of an environment variable in addition to yes/no.
     - ssh-keygen(1): Add a new signature operation "find-principals" to look up the principal associated with a signature from an allowed-signers file.
     - sshd(8): Expose the number of currently-authenticating connections along with the MaxStartups limit in the process title visible to "ps".
     - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will now disable connection killing entirely rather than the current behaviour of instantly killing the connection after the first liveness test regardless of success.
     - sshd(8): Clarify order of AllowUsers / DenyUsers vs AllowGroups / DenyGroups in the sshd(8) manual page.
     - sshd(8): Better describe HashKnownHosts in the manual page.
     - sshd(8): Clarify that permitopen=/PermitOpen do no name or address translation in the manual page.
     - sshd(8): Allow the UpdateHostKeys feature to function when multiple known_hosts files are in use. When updating host keys, ssh will now search subsequent known_hosts files, but will add updated host keys to the first specified file only.
     - All: Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler, preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
     - sftp(1): Fix a race condition in the SIGCHLD handler that could turn into a kill(-1).
     - sshd(8): Fix a case where valid (but extremely large) SSH channel IDs were being incorrectly rejected.
     - ssh(1): When checking host key fingerprints as answers to new hostkey prompts, ignore whitespace surrounding the fingerprint itself.
     - All: Wait for file descriptors to be readable or writeable during non-blocking connect, not just readable. Prevents a timeout when the server doesn't immediately send a banner (e.g. multiplexers like sslh).
     - sshd_config(5): Document the sntrup4591761x25519-sha512@tinyssh.org key exchange algorithm.
   * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1 and 1:7.8p1-1 inclusive (closes: #951220).
   * ssh(1): Explain that -Y is equivalent to -X in the default configuration (closes: #951640).
   * Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config (closes: #845315).