-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 14 Nov 2022 16:25:45 +0000
Source: openssh
Architecture: source
Version: 1:9.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 197037 1016340 1021585
Changes:
 openssh (1:9.1p1-1) unstable; urgency=medium
 .
   [ Markus Teich ]
   * Delete obsolete upstart configuration override.
 .
   [ Colin Watson ]
   * Work around apparent dh-exec regressions (closes: #1016340).
   * Don't install unnecessary *.lo files in openssh-tests.
   * Update Lintian overrides to current syntax.
   * Pass on compiler/linker flags when building debian/keygen-test.
   * Remove obsolete and misleading rcp/rlogin/rsh alternatives, and stop
     providing rsh-client (closes: #197037).
   * Add sshd_config checksums for 1:8.2p1-1 and 1:8.7p1-1 to ucf reference
     file.
   * New upstream release (https://www.openssh.com/releasenotes.html#9.1p1,
     closes: #1021585):
     - ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
     - ssh-keygen(1): double free() in error path of file hashing step in
       signing/verify code.
     - ssh-keysign(8): double-free in error path introduced in openssh-8.9.
     - ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are
       now first-match-wins to match other directives. Previously if an
       environment variable was multiply specified the last set value would
       have been used.
     - ssh-keygen(8): ssh-keygen -A (generate all default host key types)
       will no longer generate DSA keys, as these are insecure and have not
       been used by default for some years.
     - ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA
       key length. Keys below this length will be ignored for user
       authentication and for host authentication in sshd(8). ssh(1) will
       terminate a connection if the server offers an RSA key that falls
       below this limit, as the SSH protocol does not include the ability
       to retry a failed key exchange.
     - sftp-server(8): add a "users-groups-by-id@openssh.com" extension
       request that allows the client to obtain user/group names that
       correspond to a set of uids/gids.
     - sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension
       (when available) to fill in user/group names for directory listings.
     - sftp-server(8): support the "home-directory" extension request
       defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a
       bit with the existing "expand-path@openssh.com", but some other
       clients support it.
     - ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig
       verification times and authorized_keys expiry-time options to accept
       dates in the UTC time zone in addition to the default of interpreting
       them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times
       will be interpreted as UTC if suffixed with a 'Z' character. Also
       allow certificate validity intervals to be specified in raw
       seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is
       intended for use by regress tests and other tools that call
       ssh-keygen as part of a CA workflow.
     - sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
       "/usr/libexec/sftp-server -el debug3".
     - ssh-keygen(1): allow the existing -U (use agent) flag to work with
       "-Y sign" operations, where it will be interpreted to require that
       the private key is hosted in an agent.
     - ssh-keygen(1): implement the "verify-required" certificate option.
       This was already documented when support for user-verified FIDO keys
       was added, but the ssh-keygen(1) code was missing.
     - ssh-agent(1): hook up the restrict_websafe command-line flag;
       previously the flag was accepted but never actually used.
     - sftp(1): improve filename tab completions: never try to complete
       names to non-existent commands, and better match the completion type
       (local or remote filename) against the argument position being
       completed.
     - ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
       handling, especially relating to keys that request user-verification.
       These should reduce the number of unnecessary PIN prompts for keys
       that support intrinsic user verification.
     - ssh-keygen(1): when enrolling a FIDO resident key, check if a
       credential with matching application and user ID strings already
       exists and, if so, prompt the user for confirmation before
       overwriting the credential.
     - sshd(8): improve logging of errors when opening authorized_keys
       files.
     - ssh(1): avoid multiplexing operations that could cause SIGPIPE from
       causing the client to exit early.
     - ssh_config(5), sshd_config(5): clarify that the RekeyLimit directive
       applies to both transmitted and received data.
     - ssh-keygen(1): avoid double fclose() in error path.
     - sshd(8): log an error if pipe() fails while accepting a connection.
     - ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
     - sshd(8): ensure that authentication passwords are cleared from memory
       in error paths.
     - ssh(1), ssh-agent(1): avoid possibility of notifier code executing
       kill(-1).
     - ssh_config(5): note that the ProxyJump directive also accepts the
       same tokens as ProxyCommand.
     - scp(1): do not ftruncate(3) files early when in sftp mode. The
       previous behaviour of unconditionally truncating the destination
       file would cause "scp ~/foo localhost:foo" and the reverse
       "scp localhost:foo ~/foo" to delete all the contents of their
       destination.
     - ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is
       unable to load a private key.
     - sftp(1), scp(1): when performing operations that glob(3) a remote
       path, ensure that the implicit working directory used to construct
       that path escapes glob(3) characters. This prevents glob characters
       from being processed in places they shouldn't, e.g. "cd /tmp/a*/",
       "get *.txt" should have the get operation treat the path "/tmp/a*"
       literally and not attempt to expand it (LP: #1483751).
     - ssh(1), sshd(8): be stricter in which characters will be accepted in
       specifying a mask length; allow only 0-9.
     - ssh-keygen(1): avoid printing hash algorithm twice when dumping a
       KRL.
     - ssh(1), sshd(8): continue running local I/O for open channels during
       SSH transport rekeying. This should make ~-escapes work in the
       client (e.g. to exit) if the connection happened to have stalled
       during a rekey event.
     - ssh(1), sshd(8): avoid potential poll() spin during rekeying.
     - Further hardening for sshbuf internals: disallow "reparenting" a
       hierarchical sshbuf and zero the entire buffer if reallocation
       fails.
     - sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
       architectures.
   * Drop patch to work around https://twistedmatrix.com/trac/ticket/9765,
     since the fix for that is in Debian testing.
   * Rewrite gnome-ssh-askpass(1) manual page using mdoc macros, and flesh
     it out a bit more.
 .
   [ Steve Langasek ]
   * Support systemd socket activation. Migrate any existing inetd-style
     socket activation to systemd socket activation.
 .
   [ Gioele Barabucci ]
   * Remove ancient version constraints.
   * d/openssh-server.{postinst,config}: get_config_option: Replace perl
     with sed.
Checksums-Sha1:
 3d09519333c37fc37e447ab2211f880099db487a 3311 openssh_9.1p1-1.dsc
 15545440268967511d3194ebf20bcd0c7ff3fcc9 1838747 openssh_9.1p1.orig.tar.gz
 739873beca6afe4163d79a2168dbe7d313dbce39 833 openssh_9.1p1.orig.tar.gz.asc
 e04988d8ebc3e51dd57438359123cfaec4ebb505 179584 openssh_9.1p1-1.debian.tar.xz
Checksums-Sha256:
 66cecc01833154ecc84909a16b947e66b800935b58d33c11c45fe84a3026e8af 3311 openssh_9.1p1-1.dsc
 19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288 1838747 openssh_9.1p1.orig.tar.gz
 abac4673e0862604ab1f69a4597d191940c0cf58679dc5fc81fbdbd8b28ca267 833 openssh_9.1p1.orig.tar.gz.asc
 a6ffc0939c91d636ef4fe6514295de63ac57280a1c2fd207e9914c5618648d0d 179584 openssh_9.1p1-1.debian.tar.xz
Files:
 8bdfe7169b837f30f4a27d44e9bc6086 3311 net standard openssh_9.1p1-1.dsc
 471912038124285c96918882ee190a22 1838747 net standard openssh_9.1p1.orig.tar.gz
 e7e81a9eb2de83e00509ad97aa71f36c 833 net standard openssh_9.1p1.orig.tar.gz.asc
 092d3782dab1f39ef4b668a263b70e48 179584 net standard openssh_9.1p1-1.debian.tar.xz