Debian Package Tracker

From: Colin Watson <cjwatson@debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted openssh 1:7.9p1-1 (source) into unstable
Date: Sun, 21 Oct 2018 10:04:53 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 21 Oct 2018 10:39:24 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.9p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 177406 789532 828475 844494
Changes:
 openssh (1:7.9p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.9):
     - ssh(1), sshd(8): allow most port numbers to be specified using service
       names from getservbyname(3) (typically /etc/services; closes:
       #177406).
     - ssh(1): allow the IdentityAgent configuration directive to accept
       environment variable names.  This supports the use of multiple agent
       sockets without needing to use fixed paths.
     - sshd(8): support signalling sessions via the SSH protocol.  A limited
       subset of signals is supported and only for login or command sessions
       (i.e. not subsystems) that were not subject to a forced command via
       authorized_keys or sshd_config.
     - ssh(1): support "ssh -Q sig" to list supported signature options.
       Also "ssh -Q help" to show the full set of supported queries.
     - ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and
       server configs to allow control over which signature formats are
       allowed for CAs to sign certificates.  For example, this allows
       banning CAs that sign certificates using the RSA-SHA1 signature
       algorithm.
     - sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke
       keys specified by SHA256 hash.
     - ssh-keygen(1): allow creation of key revocation lists directly from
       base64-encoded SHA256 fingerprints.  This supports revoking keys using
       only the information contained in sshd(8) authentication log messages.
     - ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
       attempting to load PEM private keys while using an incorrect
       passphrase.
     - sshd(8): when a channel closed message is received from a client,
       close the stderr file descriptor at the same time stdout is closed.
       This avoids stuck processes if they were waiting for stderr to close
       and were insensitive to stdin/out closing (closes: #844494).
     - ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
       forwarding timeout and support X11 forwarding indefinitely.
       Previously the behaviour of ForwardX11Timeout=0 was undefined.
     - sshd(8): when compiled with GSSAPI support, cache supported method
       OIDs regardless of whether GSSAPI authentication is enabled in the
       main section of sshd_config.  This avoids sandbox violations if GSSAPI
       authentication was later enabled in a Match block.
     - sshd(8): do not fail closed when configured with a text key revocation
       list that contains a too-short key.
     - ssh(1): treat connections with ProxyJump specified the same as ones
       with a ProxyCommand set with regards to hostname canonicalisation
       (i.e. don't try to canonicalise the hostname unless
       CanonicalizeHostname is set to 'always').
     - ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key
       authentication using certificates hosted in a ssh-agent(1) or against
       sshd(8) from OpenSSH <7.8 (LP: #1790963).
     - All: support building against the openssl-1.1 API (releases 1.1.0g and
       later).  The openssl-1.0 API will remain supported at least until
       OpenSSL terminates security patch support for that API version
       (closes: #828475).
     - sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
       apparently required by some glibc/OpenSSL combinations.
   * Remove dh_builddeb override to use xz compression; this has been the
     default since dpkg 1.17.0.
   * Simplify debian/rules using /usr/share/dpkg/default.mk.
   * Remove /etc/network/if-up.d/openssh-server, as it causes more problems
     than it solves (thanks, Christian Ehrhardt, Andreas Hasenack, and David
     Britton; closes: #789532, LP: #1037738, #1674330, #1718227).  Add an
     "if-up hook removed" section to README.Debian documenting the corner
     case that may need configuration adjustments.
Checksums-Sha1:
 02f65cb5d41cb680cdbd59533b4e1ca8e6e706f6 3121 openssh_7.9p1-1.dsc
 993aceedea8ecabb1d0dd7293508a361891c4eaa 1565384 openssh_7.9p1.orig.tar.gz
 e23d601363ab5ff0daae5714e77d06539a9aebe9 683 openssh_7.9p1.orig.tar.gz.asc
 0420173569b37d7f64df25cde2981147ee735870 163012 openssh_7.9p1-1.debian.tar.xz
 9f824d07b600b84035802712a43e83923b4db7e7 14938 openssh_7.9p1-1_source.buildinfo
Checksums-Sha256:
 dcf0986f38bead63c956b8c75cee6cd6263d5f836faedf8a3a34f1976e6907fa 3121 openssh_7.9p1-1.dsc
 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad 1565384 openssh_7.9p1.orig.tar.gz
 4fd584498595450d68f5514b3d79eb14425a3d6aa9e9021d9e928fdd7b4469eb 683 openssh_7.9p1.orig.tar.gz.asc
 7b2ca8e1fac29e7a42141fdb6efb05c12ac3c98c4018478377d301098a7762da 163012 openssh_7.9p1-1.debian.tar.xz
 aa8896c424a4357f4e3f70c9498d1226df96d029913e3afce40e27a392ef0f04 14938 openssh_7.9p1-1_source.buildinfo
Files:
 169fdfded198d365193f03a2d8f2b616 3121 net standard openssh_7.9p1-1.dsc
 c6af50b7a474d04726a5aa747a5dce8f 1565384 net standard openssh_7.9p1.orig.tar.gz
 36f798ff56b24004e16c08bf4a5fc021 683 net standard openssh_7.9p1.orig.tar.gz.asc
 f9fe15f8723a54a2072d7222dcd6f0d9 163012 net standard openssh_7.9p1-1.debian.tar.xz
 acb341421aa0f910d6308e6f1465c502 14938 net standard openssh_7.9p1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlvMSYAACgkQOTWH2X2G
UAsUMA//ewIH7+cPTzKVeQpmMDwIESrYoqRALoehigkz49fQ1iYcOB5R/Bb9ap8Y
3EVwlh5ryxclHbADuPkbQJEtyX7jLhW050tpholKTJsaCdNLn0/5Kojg39EGPSXq
u54vzm7j+OsWPFavzC/gjKVwqAOTdmOUXBg6rwTP1rjHrrKcX+olrTHMQ5V9bUqc
BedfpqM0eneO0Ei3mREXjoGMooXBg7AcQaUEImewdeMJLdFRWeg8Pk9pDIxpo4cE
SHKIC3UYqbUZnlJ/eqLHyACBKpsRWW3TYwyjDnNV8J8dJaeiPvlOoYiM/+ARuYDj
iC+KsP6DBWtjpunGHh32prok0ZTqpSXnZdg4Kog+AGVxzfPb8RzRGATOOjmvqXR/
5mhRWAZFdLqzRoC/Vltt6+ljumv1ewksOM5iY4bLuL18S50wOvdWMDdyZG64sLXm
BnVd2wNiIW08tIghNp3NjxyQKwI74iF2yfJcFE5AqULkPI7mWZvi/bIDjEJDgSlA
AtYyvuyUVLIZzYKs1Ic27RG5TnZZCVPmX1uqxR+B3NIsFDJtGHcJsO5azCMtevV/
gHK1Wx2bcN1JEUNS/DOPLB9GZQk7hlmAgG6MREmC2QAQg7Zo8TZeIW4mf6OELHqx
JRpHjJM+BH/9THJbweSy/yjLQ7PVyngGX0wxxxcbIvXWIV8HQdA=
=nwlI
-----END PGP SIGNATURE-----
News for package openssh
