Format: 1.8
Date: Wed, 02 Dec 2015 20:18:35 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 779068 785190
Changes:
 openssh (1:7.1p1-1) unstable; urgency=medium
 .
   * New upstream release (http://www.openssh.com/txt/release-7.0, closes:
     #785190):
     - Support for the legacy SSH version 1 protocol is disabled by default
       at compile time.
     - Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
       disabled by default at run-time.  It may be re-enabled using the
       instructions at http://www.openssh.com/legacy.html
     - Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
       default at run-time.  These may be re-enabled using the instructions
       at http://www.openssh.com/legacy.html
     - Support for the legacy v00 cert format has been removed.
     - The default for the sshd_config(5) PermitRootLogin option has changed
       from "yes" to "prohibit-password".
     - PermitRootLogin=without-password/prohibit-password now bans all
       interactive authentication methods, allowing only public-key,
       hostbased and GSSAPI authentication (previously it permitted
       keyboard-interactive and password-less authentication if those were
       enabled).
     - ssh_config(5): Add PubkeyAcceptedKeyTypes option to control which
       public key types are available for user authentication.
     - sshd_config(5): Add HostKeyAlgorithms option to control which public
       key types are offered for host authentications.
     - ssh(1), sshd(8): Extend Ciphers, MACs, KexAlgorithms,
       HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
       options to allow appending to the default set of algorithms instead
       of replacing it.  Options may now be prefixed with a '+' to append to
       the default, e.g. "HostKeyAlgorithms=+ssh-dss".
     - sshd_config(5): PermitRootLogin now accepts an argument of
       'prohibit-password' as a less-ambiguous synonym of
       'without-password'.
     - ssh(1), sshd(8): Add compatibility workarounds for Cisco and more
       PuTTY versions.
     - Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
       documentation relating to Unix domain socket forwarding.
     - ssh(1): Improve the ssh(1) manual page to include a better
       description of Unix domain socket forwarding (closes: #779068).
     - ssh(1), ssh-agent(1): Skip uninitialised PKCS#11 slots, fixing
       failures to load keys when they are present.
     - ssh(1), ssh-agent(1): Do not ignore PKCS#11 hosted keys with empty
       CKA_ID.
     - sshd(8): Clarify documentation for UseDNS option.
     - Check realpath(3) behaviour matches what sftp-server requires and use
       a replacement if necessary.
   * New upstream release (http://www.openssh.com/txt/release-7.1):
     - sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=
       prohibit-password/without-password that could, depending on
       compile-time configuration, permit password authentication to root
       while preventing other forms of authentication.  This problem was
       reported by Mantas Mikulenas.
     - ssh(1), sshd(8): Add compatibility workarounds for FuTTY.
     - ssh(1), sshd(8): Refine compatibility workarounds for WinSCP.
     - Fix a number of memory faults (double-free, free of uninitialised
       memory, etc) in ssh(1) and ssh-keygen(1).  Reported by Mateusz
       Kocielski.
   * Change "PermitRootLogin without-password" to the new preferred spelling
     of "PermitRootLogin prohibit-password" in sshd_config, and update
     documentation to reflect the new upstream default.
   * Enable conch interoperability tests under autopkgtest.
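
Added example (not part of this upload or of OpenSSH itself): an audit of an sshd_config or ssh_config against the default changes listed in the changelog above, flagging the old PermitRootLogin values and any re-enabled legacy algorithm. The function names and the sample configuration are constructed for illustration; only the global section is read, and Match or Host blocks are not evaluated.

```python
import re

# Options the changelog lists as accepting a leading '+' to append to defaults.
LIST_OPTIONS = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms",
                "pubkeyacceptedkeytypes", "hostbasedkeytypes"}
# Name prefixes of the algorithms the changelog says are off by default in 7.0.
LEGACY = ("diffie-hellman-group1-sha1", "ssh-dss")

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# constructed sample
Port 22
PermitRootLogin without-password
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms=+ssh-dss,ssh-dss-cert-v01@openssh.com
Ciphers aes256-ctr,aes128-ctr
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
"""

def parse_options(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key = m.group(1).lower()
        if key in ("match", "host"):      # conditional blocks are out of scope here
            break
        opts.setdefault(key, m.group(2).strip().strip('"'))
    return opts

def audit(text):
    """List settings that depart from the 7.0 defaults described in the changelog."""
    opts = parse_options(text)
    findings = []
    root = opts.get("permitrootlogin", "prohibit-password").lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: pre-7.0 default, no restriction on root")
    elif root == "without-password":
        findings.append("PermitRootLogin without-password: old spelling of prohibit-password")
    for key in sorted(opts.keys() & LIST_OPTIONS):
        value = opts[key]
        mode = "appended to defaults" if value.startswith("+") else "replaces defaults"
        for alg in (a.strip() for a in value.lstrip("+").split(",")):
            if alg.startswith(LEGACY):
                findings.append(f"{key}: legacy {alg} enabled ({mode})")
    return findings
```
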