-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Jun 2017 12:08:42 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.5p1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5 - secure shell client and server (transitional package)
Closes: 407754 797964
Changes:
 openssh (1:7.5p1-5) unstable; urgency=medium
 .
   * Upload to unstable.
   * Fix syntax error in debian/copyright.
 .
 openssh (1:7.5p1-4) experimental; urgency=medium
 .
   * Drop README.Debian section on privilege separation, as it's no longer
     optional.
   * Only call "initctl set-env" from agent-launch if $UPSTART_SESSION is set
     (LP: #1689299).
   * Fix incoming compression statistics (thanks, Russell Coker; closes:
     #797964).
   * Relicense debian/* under a two-clause BSD licence for bidirectional
     compatibility with upstream, with permission from Matthew Vernon and
     others.
 .
 openssh (1:7.5p1-3) experimental; urgency=medium
 .
   * Fix debian/adjust-openssl-dependencies to account for preferring
     libssl1.0-dev.
   * Adjust OpenSSL dependencies for openssh-client-ssh1 too.
   * Fix purge failure when /etc/ssh has already somehow been removed
     (LP: #1682817).
   * Ensure that /etc/ssh exists before trying to create
     /etc/ssh/sshd_config (LP: #1685022).
 .
 openssh (1:7.5p1-2) experimental; urgency=medium
 .
   * Add missing header on Linux/s390.
   * Fix syntax error on Linux/X32.
 .
 openssh (1:7.5p1-1) experimental; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.5):
     - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle
       countermeasures that allowed a variant of the attack fixed in OpenSSH
       7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by
       default, sshd offers them as lowest-preference options and will
       remove them by default entirely in the next release.
     - This release deprecates the sshd_config UsePrivilegeSeparation
       option, thereby making privilege separation mandatory (closes:
       #407754).
     - The format of several log messages emitted by the packet code has
       changed to include additional information about the user and their
       authentication state. Software that monitors ssh/sshd logs may need
       to account for these changes.
     - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
       algorithm lists, e.g. Ciphers=-*cbc.
     - sshd(1): Fix NULL dereference crash when key exchange start messages
       are sent out of sequence.
     - ssh(1), sshd(8): Allow form-feed characters to appear in
       configuration files.
     - sshd(8): Fix regression in OpenSSH 7.4 support for the
       server-sig-algs extension, where SHA2 RSA signature methods were not
       being correctly advertised.
     - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
       known_hosts processing.
     - ssh(1): Allow ssh to use certificates accompanied by a private key
       file but no corresponding plain *.pub public key.
     - ssh(1): When updating hostkeys using the UpdateHostKeys option,
       accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
       Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
       methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
       method.
     - ssh(1): Detect and report excessively long configuration file lines.
     - Merge a number of fixes found by Coverity and reported via Redhat and
       FreeBSD. Includes fixes for some memory and file descriptor leaks in
       error paths.
     - ssh(1), sshd(8): When logging long messages to stderr, don't truncate
       "\r\n" if the length of the message exceeds the buffer.
     - ssh(1): Fully quote [host]:port in generated ProxyJump/-J
       command-line; avoid confusion over IPv6 addresses and shells that
       treat square bracket characters specially.
     - Fix various fallout and sharp edges caused by removing SSH protocol 1
       support from the server, including the server banner string being
       incorrectly terminated with only \n (instead of \r\n), confusing
       error messages from ssh-keyscan, and a segfault in sshd if protocol
       v.1 was enabled for the client and sshd_config contained references
       to legacy keys.
     - ssh(1), sshd(8): Free fd_set on connection timeout.
     - sftp(1): Fix division by zero crash in "df" output when server
       returns zero total filesystem blocks/inodes.
     - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
       encountered during key loading to more meaningful error codes.
     - ssh-keygen(1): Sanitise escape sequences in key comments sent to
       printf but preserve valid UTF-8 when the locale supports it.
     - ssh(1), sshd(8): Return reason for port forwarding failures where
       feasible rather than always "administratively prohibited".
     - sshd(8): Fix deadlock when AuthorizedKeysCommand or
       AuthorizedPrincipalsCommand produces a lot of output and a key is
       matched early.
     - ssh(1): Fix typo in ~C error message for bad port forward
       cancellation.
     - ssh(1): Show a useful error message when included config files can't
       be opened.
     - sshd_config(5): Repair accidentally-deleted mention of %k token in
       AuthorizedKeysCommand.
     - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
     - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common
       32-bit compatibility library directories.
     - sftp-client(1): Fix non-exploitable integer overflow in
       SSH2_FXP_NAME response handling.
     - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys.
       It was not possible to delete them except by specifying their full
       physical path.
     - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
       crypto coprocessor.
     - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
       inspection.
     - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various
       that contain non-printable characters where the codeset in use is
       ASCII.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----