Format: 1.8
Date: Sun, 07 Aug 2016 22:45:26 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.3p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5 - secure shell client and server (transitional package)
Closes: 337041 396295 407088 536031
Changes:
 openssh (1:7.3p1-1) unstable; urgency=medium
 .
   * New upstream release (http://www.openssh.com/txt/release-7.3):
     - SECURITY: sshd(8): Mitigate a potential denial-of-service attack
       against the system's crypt(3) function via sshd(8).  An attacker
       could send very long passwords that would cause excessive CPU use in
       crypt(3).  sshd(8) now refuses to accept password authentication
       requests of length greater than 1024 characters.
     - SECURITY: ssh(1), sshd(8): Fix observable timing weakness in the CBC
       padding oracle countermeasures.  Note that CBC ciphers are disabled
       by default and only included for legacy compatibility.
     - SECURITY: ssh(1), sshd(8): Improve operation ordering of MAC
       verification for Encrypt-then-MAC (EtM) mode transport MAC
       algorithms to verify the MAC before decrypting any ciphertext.
       This removes the possibility of timing differences leaking facts
       about the plaintext, though no such leakage has been observed.
     - ssh(1): Add a ProxyJump option and corresponding -J command-line
       flag to allow simplified indirection through one or more SSH
       bastions or "jump hosts".
     - ssh(1): Add an IdentityAgent option to allow specifying specific
       agent sockets instead of accepting one from the environment.
     - ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
       optionally overridden when using ssh -W.
     - ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
       per draft-sgtatham-secsh-iutf8-00 (closes: #337041, LP: #394570).
     - ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K,
       4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
     - ssh-keygen(1), ssh(1), sshd(8): Support SHA256 and SHA512 RSA
       signatures in certificates.
     - ssh(1): Add an Include directive for ssh_config(5) files (closes:
       #536031).
     - ssh(1): Permit UTF-8 characters in pre-authentication banners sent
       from the server.
     - ssh(1), sshd(8): Reduce the syslog level of some relatively common
       protocol events from LOG_CRIT.
     - sshd(8): Refuse AuthenticationMethods="" in configurations and
       accept AuthenticationMethods=any for the default behaviour of not
       requiring multiple authentication.
     - sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!"
       message when forward and reverse DNS don't match.
     - ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
       failures when both ExitOnForwardFailure and hostname
       canonicalisation are enabled.
     - sshd(8): Remove fallback from moduli to obsolete "primes" file that
       was deprecated in 2001 (LP: #1528251).
     - sshd_config(5): Correct description of UseDNS: it affects ssh
       hostname processing for authorized_keys, not known_hosts.
     - sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit
       is set; previously keepalive packets were not being sent.
     - sshd(8): Whitelist more architectures to enable the seccomp-bpf
       sandbox.
     - scp(1): Respect the local user's LC_CTYPE locale (closes: #396295).
     - Take character display widths into account for the progressmeter
       (closes: #407088).
Checksums-Sha1:
 1696e0c90be02c5ab37c283422be50c5c9c3de67 2884 openssh_7.3p1-1.dsc
 bfade84283fcba885e2084343ab19a08c7d123a5 1522617 openssh_7.3p1.orig.tar.gz
 e384b5ef8d31c23bdab9cdd216284500ffc1f942 153400 openssh_7.3p1-1.debian.tar.xz
Checksums-Sha256:
 61e8414cb2ed2a72ee15053511d3a2f55ace4b8fb76fff2d901ec67d4a1cf5ba 2884 openssh_7.3p1-1.dsc
 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc 1522617 openssh_7.3p1.orig.tar.gz
 a9a96b33427697afb344d6c82078abc54da411f108b19949c9f3378b947b4971 153400 openssh_7.3p1-1.debian.tar.xz
Files:
 f4140e6c58f897bebd9db969be5c63fc 2884 net standard openssh_7.3p1-1.dsc
 dfadd9f035d38ce5d58a3bf130b86d08 1522617 net standard openssh_7.3p1.orig.tar.gz
 28764a8e122da612b35b36bcbf23b2cf 153400 net standard openssh_7.3p1-1.debian.tar.xz