-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 08 Mar 2016 11:47:20 +0000 Source: openssh Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb Architecture: source Version: 1:7.2p1-1 Distribution: unstable Urgency: medium Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> Changed-By: Colin Watson <cjwatson@debian.org> Description: openssh-client - secure shell (SSH) client, for secure access to remote machines openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol openssh-client-udeb - secure shell client for the Debian installer (udeb) openssh-server - secure shell (SSH) server, for secure access from remote machines openssh-server-udeb - secure shell server for the Debian installer (udeb) openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot ssh - secure shell client and server (metapackage) ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad ssh-krb5 - secure shell client and server (transitional package) Closes: 509058 811125 Changes: openssh (1:7.2p1-1) unstable; urgency=medium . * New upstream release (http://www.openssh.com/txt/release-7.2): - This release disables a number of legacy cryptographic algorithms by default in ssh: + Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES. + MD5-based and truncated HMAC algorithms. These algorithms are already disabled by default in sshd. - ssh(1), sshd(8): Remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2). - ssh(1): Eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension. - ssh(1), sshd(8): Increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits. - sshd(8): Pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config). - all: Add support for RSA signatures using SHA-256/512 hash algorithms based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt. - ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). - sshd(8): Add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. - ssh(1): Add ssh_config CertificateFile option to explicitly list certificates. - ssh-keygen(1): Allow ssh-keygen to change the key comment for all supported formats (closes: #811125). - ssh-keygen(1): Allow fingerprinting from standard input, e.g. "ssh-keygen -lf -" (closes: #509058). - ssh-keygen(1): Allow fingerprinting multiple public keys in a file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys". - sshd(8): Support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. - ssh-keygen(1): Support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L" - ssh-keyscan(1): Add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys. - ssh(1): Better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and remove the trailing '.' before matching ssh_config. - sftp(1): Existing destination directories should not terminate recursive uploads (regression in OpenSSH 6.8; LP: #1553378). * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb. * Restore slogin symlinks for compatibility, although they were removed upstream. Checksums-Sha1: cf84d64c03d2125fe8afde34d41a9eb611998b58 2837 openssh_7.2p1-1.dsc d30a6fd472199ab5838a7668c0c5fd885fb8d371 1499707 openssh_7.2p1.orig.tar.gz 4f1748ebf771840951a950a2f9f30f4770cb7b4e 149096 openssh_7.2p1-1.debian.tar.xz Checksums-Sha256: bf48023b9dc6ef343deceb641075ceb9d3c883dc2310f9c793355bdd8732692e 2837 openssh_7.2p1-1.dsc 973cc37b2f3597e4cf599b09e604e79c0fe5d9b6f595a24e91ed0662860b4ac3 1499707 openssh_7.2p1.orig.tar.gz 126f2caf91d9137e4b0a5d665ffa2d3c1a3ca2d8e91337bba92522ea103d2d00 149096 openssh_7.2p1-1.debian.tar.xz Files: eb5050ee831c1f34d5890a542af783d5 2837 net standard openssh_7.2p1-1.dsc b984775f0cfff1f7ff18b8797fce8a28 1499707 net standard openssh_7.2p1.orig.tar.gz fbac966761c2977d3a8e25f7832c8fbe 149096 net standard openssh_7.2p1-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Colin Watson <cjwatson@debian.org> -- Debian developer iQIVAwUBVt68yjk1h9l9hlALAQgYRA/+PAMNeJ9qiC+olkTrsmwB5djEiZFCvDV7 dsjhrq+g0vmz1Yxtn6/3Yyp4iEjsjRiCGnm3HPgwzqv9CrUNAV2Z0HhoXfzC1Xbv 1s7R/qnBsrLFjcy1d0+ntCVljUnjx1Tcipw1JItlUGrWm7KFIblFro2lO6tA8wEu Hbn1UJ9EdM9SKjficvwZokUKy/zMutIJtZFXRIo6Hft1V0wbFyRoQbMbVK/TD5z/ M1MgivJRyMKR71asA9yQlW1bO+wPYLT99N8Kqcsw6rPMvaLlt6us45K8fQC9Og5p eEGkfMODd4XB10W2UzTxuhoLzRJxI4M1KLf9MfHow0u4qWcNEWd71Zg7Gr58hCCn z9ISV+9LOyzUl++8DW5IwV2yMsc7CYSwhaOErLNIl6waQmLEB9Nfmp962pSENIly 6E+19wYYZja1RVKfpg39iqersl374Fduhj6M48I6TsamuTbv+9tm7kPM6P6bV+qm 7GvZ207Dyig3qWb51HNhjUEfDpkS7RXppzwqexVZJmTssLMl5zbD91M1z/aQMUJd Klc0C5SdFcVSU82HjxSHQK9sqdgLKXs+/PlOo6es3D53pA0NwlwSJbSRFUYviOg9 GRUSKRe1xJU3f1Nr5oUS+JWx8C+NgFs4uJZ0rx2ZBZ8EKHMWMawaVbycuWiQxjTQ Z8xrAWmd0kQ= =IAsD -----END PGP SIGNATURE-----