Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted openssh 1:9.9p1-1 (source) into unstable
Date: Tue, 24 Sep 2024 04:19:14 +0000
Signed by: Colin Watson <cjwatson@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Sep 2024 21:09:59 -0700
Source: openssh
Architecture: source
Version: 1:9.9p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Changes:
 openssh (1:9.9p1-1) unstable; urgency=medium
 .
   * Alias the old Debian-specific SetupTimeOut client option to
     ConnectTimeout rather than to ServerAliveInterval.
   * New upstream release (https://www.openssh.com/releasenotes.html#9.9p1):
     - ssh(1): remove support for pre-authentication compression.
     - ssh(1), sshd(8): processing of the arguments to the "Match"
       configuration directive now follows more shell-like rules for quoted
       strings, including allowing nested quotes and \-escaped characters.
     - ssh(1), sshd(8): add support for a new hybrid post-quantum key
       exchange based on the FIPS 203 Module-Lattice Key Enapsulation
       mechanism (ML-KEM) combined with X25519 ECDH as described by
       https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
       This algorithm "mlkem768x25519-sha256" is available by default.
     - ssh(1): the ssh_config "Include" directive can now expand environment
       as well as the same set of %-tokens "Match Exec" supports.
     - sshd(8): add a sshd_config "RefuseConnection" option that, if set will
       terminate the connection at the first authentication request.
     - sshd(8): add a "refuseconnection" penalty class to sshd_config
       PerSourcePenalties that is applied when a connection is dropped by the
       new RefuseConnection keyword.
     - sshd(8): add a "Match invalid-user" predicate to sshd_config Match
       options that matches when the target username is not valid on the
       server.
     - ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
       substantially faster implementation.
     - ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key exchange
       algorithm now has an IANA-assigned name in addition to the
       "@openssh.com" vendor extension name. This algorithm is now also
       available under this name "sntrup761x25519-sha512"
     - ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
       included in core dump files for most of their lifespans. This is in
       addition to pre-existing controls in ssh-agent(1) and sshd(8) that
       prevented coredumps.
     - All: convert key handling to use the libcrypto EVP_PKEY API, with the
       exception of DSA.
     - sshd(8): add a random amount of jitter (up to 4 seconds) to the grace
       login time to make its expiry unpredictable.
     - sshd(8): fix regression introduced in openssh-9.8 that swapped the
       order of source and destination addresses in some sshd log messages.
     - sshd(8): do not apply authorized_keys options when signature
       verification fails. Prevents more restrictive key options being
       incorrectly applied to subsequent keys in authorized_keys.
     - ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
       prompts. Helps the user know what's going on when ssh-keygen is
       invoked via other tools.
     - ssh(1), ssh-add(1): make parsing user@host consistently look for the
       last '@' in the string rather than the first. This makes it possible
       to more consistently use usernames that contain '@' characters.
     - ssh(1), sshd(8): be more strict in parsing key type names. Only allow
       short names (e.g "rsa") in user-interface code and require full SSH
       protocol names (e.g. "ssh-rsa") everywhere else.
     - regress: many performance and correctness improvements to the
       re-keying regression test.
     - ssh-keygen(1): clarify that ed25519 is the default key type generated
       and clarify that rsa-sha2-512 is the default signature scheme when RSA
       is in use.
     - sshd(8): fix minor memory leak in Subsystem option parsing.
     - All: additional hardening and consistency checks for the sshbuf code.
     - sshd(8): reduce default logingrace penalty to ensure that a single
       forgotten login that times out will be below the penalty threshold.
     - ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started with
       ControlPersist then later has a forwarding added using mux proxy
       connection and the forwarding was used, then when the mux proxy
       session terminated, the mux master process would issue a bad message
       that terminated the connection.
     - Sync contrib/ssh-copy-id to the latest upstream version.
     - sshd(8): restore audit call before exit that regressed in openssh-9.8.
       Fixes an issue where the SSH_CONNECTION_ABANDON event was not
       recorded.
     - Fix detection of setres*id on GNU/Hurd.
Checksums-Sha1:
 6659072b5811d1ca2a820c8af82d630a79f7e87e 3465 openssh_9.9p1-1.dsc
 5ded7eb0add0b02b5d1a1c4bf5cb2c89d2117b53 1964864 openssh_9.9p1.orig.tar.gz
 6f100e4757e1942d7b5e01310fcaf624b71f6740 833 openssh_9.9p1.orig.tar.gz.asc
 74312e9c0bd3cc7be50a61114302c082e51dfb12 195332 openssh_9.9p1-1.debian.tar.xz
Checksums-Sha256:
 d23623e4679bbaaf72f78e95a25c2ce4755bbcbc029f9a6152967ca0f3df2e99 3465 openssh_9.9p1-1.dsc
 b343fbcdbff87f15b1986e6e15d6d4fc9a7d36066be6b7fb507087ba8f966c02 1964864 openssh_9.9p1.orig.tar.gz
 0a3c462e9cb862bf0bb3a56c7251091f1c88a47724d10cede3ea018f97cf1c94 833 openssh_9.9p1.orig.tar.gz.asc
 763ab24503717d7820ccca624d38731cddd883c2aab5baf986f41dbde1b9c82b 195332 openssh_9.9p1-1.debian.tar.xz
Files:
 b2855da38c96a64f5f8e9006660f32b2 3465 net standard openssh_9.9p1-1.dsc
 1893c9b712eb8c55ec2d5146e7323b92 1964864 net standard openssh_9.9p1.orig.tar.gz
 8c3a6720795ce7234ba4e1532769bac6 833 net standard openssh_9.9p1.orig.tar.gz.asc
 07551163723a0b7239aab30d761f13d5 195332 net standard openssh_9.9p1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmbyO9MACgkQOTWH2X2G
UAtPUA//epoXszBabtE41yT+tFVLJuTnmz1eg0mjQ4gKlUiiJexJElM2YVsV1+Zo
lA3lVMIim7AAr2FIHG03F3Dz+h9XBsPJ5CgkyVr+uJQiXCJfl6p4Yo0CwjeQ6Jr7
4fJS7f7J8cFhD1kSz4zBl2QwVAhBRU/bbX+vtnKxbmzc/OnIVGxvUd54k3B4s+V0
+AExoPbea0khvYmUArwOGuIQMoxO94GYUvtTVQ1Pb0J8xZy9k048MRLfwFShS3Vy
uN7R5oOHreIOgwLw411UyagaxavIuwWu8yB2zs3VC1Ruthjmzxh0rhTfNm2Ym9EC
kdMyxIvz4xTco/DtMsWt4a7zvkrSjYhHwPz5YcDQkqEBCfOi1WzBo8M1B2GObvVK
/nxv7nsaJysAuzMS9bK6mHxQdxmF3zJ/aJwnQ8Cf1pDjlT67+T78QeURvp+KxAIx
dHHv6AtQBpBHyvEi2jnOjmykYvixtCDzP7s9LqI8/Xak4CM136RHqCUNRdXJyKuB
UD0dzkySkTxDCXn+8uTcG7rjSF5W8ta7xduG1t1i9r6fbKvW1fRkpEGe23J1FZEh
/UqGJnoQ0Pb8lMdIfgUIkAreZH1Jmt0+MaaLA9bgWtZEpEtgSM/rG6yZDvO8gAa2
/o0Zedq5FSl3a8pwsiNX2JQ9IFEmwqjliv3m95h7NxHYxrl/HZg=
=qyRk
-----END PGP SIGNATURE-----
News for package openssh
