Among the 28 debian patches available in version 1:9.7p1-2 of the package, we noticed the following issues:
commit 495df49ddd80f9397c8aa89def732ed8563433d2
Merge: 427ed07 3ca0b61
Author: Colin Watson <cjwatson@debian.org>
Date:   Thu Mar 14 12:16:14 2024 +0000

    Fix gssapi-keyex declaration further

    Thanks, Andreas Hasenack.

    LP: #2053146

commit 3ca0b6141cad720f205bfbfe596e9e2d3059634c
Author: Colin Watson <cjwatson@debian.org>
Date:   Mon Mar 11 16:24:49 2024 +0000

    Skip utimensat test on ZFS

    On ZFS (which may be used by e.g. `autopkgtest-virt-incus`), `utimensat`
    seems to leave the access time set to 0. It's not clear why.

    Forwarded: no
    Last-Update: 2024-03-11
    Patch-Name: skip-utimensat-test-on-zfs.patch

commit 1db9024aad39a375d8d0bfafd4127a16b34397b8
Author: Steve Langasek <steve.langasek@ubuntu.com>
Date:   Thu Sep 1 16:03:37 2022 +0100

    Support systemd socket activation

    Unlike inetd socket activation, with systemd socket activation the
    supervisor passes the listened-on socket to the child process and lets
    the child process handle the accept(). This lets us do delayed start of
    the sshd daemon without becoming incompatible with config options like
    ClientAliveCountMax.

    Last-Update: 2022-09-01
    Patch-Name: systemd-socket-activation.patch

commit 67439e06fc08479a80b985fc743bc507d8bc46bc
Author: Colin Watson <cjwatson@debian.org>
Date:   Tue Feb 15 18:25:35 2022 +0000

    Work around RSA SHA-2 signature issues in conch

    This was supposed to be fixed in Twisted upstream
    (https://twistedmatrix.com/trac/ticket/9765), and that fix is in Debian
    now. However, regression tests still seem to fail in GitLab CI but not
    locally (see e.g. https://salsa.debian.org/ssh-team/openssh/-/jobs/3513178).
    Leave this in place for now until we figure out what's wrong.

    Forwarded: not-needed
    Last-Update: 2022-11-14
    Patch-Name: conch-ssh-rsa.patch

commit 25f238231292eefa02a723b84de6428baca3b7ab
Author: Svante Signell <svante.signell@gmail.com>
Date:   Fri Nov 5 23:22:53 2021 +0000

    Define MAXHOSTNAMELEN on GNU/Hurd

    Bug-Debian: https://bugs.debian.org/997030
    Last-Update: 2021-11-05
    Patch-Name: maxhostnamelen.patch

commit c6529b6eeabc3312e7b0c00c8451a496eb5d8ae6
Author: Colin Watson <cjwatson@debian.org>
Date:   Mon Apr 8 10:46:29 2019 +0100

    Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for"

    This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.

    The IPQoS default changes have some unfortunate interactions with
    iptables (see https://bugs.debian.org/923880) and VMware, so I'm
    temporarily reverting them until those have been fixed.

    Bug-Debian: https://bugs.debian.org/923879
    Bug-Debian: https://bugs.debian.org/926229
    Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
    Last-Update: 2019-04-08
    Patch-Name: revert-ipqos-defaults.patch

commit 629d831d473ca49b8593e4a711012bb812e544b7
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Mar 5 02:02:11 2017 +0000

    Restore reading authorized_keys2 by default

    Upstream seems to intend to gradually phase this out, so don't assume
    that this will remain the default forever. However, we were late in
    adopting the upstream sshd_config changes, so it makes sense to extend
    the grace period.

    Bug-Debian: https://bugs.debian.org/852320
    Forwarded: not-needed
    Last-Update: 2017-03-05
    Patch-Name: restore-authorized_keys2.patch

commit 4f52dcf6ce616f6e674d6af0ceebb3e2f6b147a3
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:10:18 2014 +0000

    Various Debian-specific configuration changes

    ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
    fewer problems with existing setups (http://bugs.debian.org/237021).

    ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

    ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
    worms.

    ssh: Enable GSSAPIAuthentication by default.

    ssh: Include /etc/ssh/ssh_config.d/*.conf.

    sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable
    PrintMotd.

    sshd: Enable X11Forwarding.

    sshd: Set 'AcceptEnv LANG LC_*' by default.

    sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

    sshd: Include /etc/ssh/sshd_config.d/*.conf.

    regress: Run tests with 'UsePAM yes', to match sshd_config.

    Document all of this.

    Author: Russ Allbery <rra@debian.org>
    Forwarded: not-needed
    Last-Update: 2023-01-03
    Patch-Name: debian-config.patch

commit b939a041afc3938937a3e9d2495202cf1a7b90ab
Author: Michael Biebl <biebl@debian.org>
Date:   Mon Dec 21 16:08:47 2015 +0000

    Add systemd readiness notification support

    Bug-Debian: https://bugs.debian.org/778913
    Forwarded: no
    Last-Update: 2017-08-22
    Patch-Name: systemd-readiness.patch

commit 808d4d2c8a93272e5ec08a27024e76efd491ce14
Author: Vincent Untz <vuntz@ubuntu.com>
Date:   Sun Feb 9 16:10:16 2014 +0000

    Give the ssh-askpass-gnome window a default icon

    Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
    Last-Update: 2010-02-28
    Patch-Name: gnome-ssh-askpass2-icon.patch

commit 03ba0382a8ac499aba50aa0203d89586fa785628
Author: Kurt Roeckx <kurt@roeckx.be>
Date:   Sun Feb 9 16:10:14 2014 +0000

    Don't check the status field of the OpenSSL version

    There is no reason to check the version of OpenSSL (in Debian). If it's
    not compatible the soname will change. OpenSSH seems to want to do a
    check for the soname based on the version number, but wants to keep the
    status of the release the same. Remove that check on the status since it
    doesn't tell you anything about how compatible that version is.

    Author: Colin Watson <cjwatson@debian.org>
    Bug-Debian: https://bugs.debian.org/93581
    Bug-Debian: https://bugs.debian.org/664383
    Bug-Debian: https://bugs.debian.org/732940
    Forwarded: not-needed
    Last-Update: 2023-09-02
    Patch-Name: no-openssl-version-status.patch

commit 93c14bbee1fee649dd5b8f0e5fa7f8904b1a2a71
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:10:13 2014 +0000

    Document consequences of ssh-agent being setgid in ssh-agent(1)

    Bug-Debian: http://bugs.debian.org/711623
    Forwarded: no
    Last-Update: 2020-02-21
    Patch-Name: ssh-agent-setgid.patch

commit a783425eb21dfb3e4432dbbdb7e4e0653a436e7e
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:10:11 2014 +0000

    Document that HashKnownHosts may break tab-completion

    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
    Bug-Debian: http://bugs.debian.org/430154
    Last-Update: 2021-11-05
    Patch-Name: doc-hash-tab-completion.patch

commit 50eb278261460a0ddc942b72b1542910c17966ad
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:10:10 2014 +0000

    ssh(1): Refer to ssh-argv0(1)

    Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating
    symlinks to ssh with the name of the host you want to connect to. Debian
    ships an ssh-argv0 script restoring this feature; this patch refers to
    its manual page from ssh(1).

    Bug-Debian: http://bugs.debian.org/111341
    Forwarded: not-needed
    Last-Update: 2013-09-14
    Patch-Name: ssh-argv0.patch

commit 5ec3ad9b1f13f624244f7dea20d43e8972ce9e97
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:10:09 2014 +0000

    Adjust various OpenBSD-specific references in manual pages

    No single bug reference for this patch, but history includes:
      https://bugs.debian.org/154434 (login.conf(5))
      https://bugs.debian.org/513417 (/etc/rc)
      https://bugs.debian.org/530692 (ssl(8))
      https://bugs.launchpad.net/bugs/456660 (ssl(8))
      https://bugs.debian.org/998069 (rdomain(4))

    Forwarded: not-needed
    Last-Update: 2023-09-02
    Patch-Name: openbsd-docs.patch

commit 8c2f7f932f143c330a74389d094117d7c85f51f9
Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
Date:   Sun Feb 9 16:10:07 2014 +0000

    Install authorized_keys(5) as a symlink to sshd(8)

    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
    Bug-Debian: http://bugs.debian.org/441817
    Last-Update: 2013-09-14
    Patch-Name: authorized-keys-man-symlink.patch

commit 30df3f03ff91b648414b35bdc697ce9127a9fe90
Author: Kees Cook <kees@debian.org>
Date:   Sun Feb 9 16:10:06 2014 +0000

    Add DebianBanner server configuration option

    Setting this to "no" causes sshd to omit the Debian revision from its
    initial protocol handshake, for those scared by package-versioning.patch.

    Bug-Debian: http://bugs.debian.org/562048
    Forwarded: not-needed
    Last-Update: 2023-12-18
    Patch-Name: debian-banner.patch

commit eb68bf3cb81031d4a765b9c7745842bb49b7b3bb
Author: Matthew Vernon <matthew@debian.org>
Date:   Sun Feb 9 16:10:05 2014 +0000

    Include the Debian version in our identification

    This makes it easier to audit networks for versions patched against
    security vulnerabilities. It has little detrimental effect, as attackers
    will generally just try attacks rather than bothering to scan for
    vulnerable-looking version strings. (However, see debian-banner.patch.)

    Forwarded: not-needed
    Last-Update: 2023-12-18
    Patch-Name: package-versioning.patch

commit 60c7e9102d69c1b2a50fd58c9a322d8e6d1d2117
Author: Scott Moser <smoser@ubuntu.com>
Date:   Sun Feb 9 16:10:03 2014 +0000

    Mention ssh-keygen in ssh fingerprint changed warning

    Author: Chris Lamb <lamby@debian.org>
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
    Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
    Last-Update: 2023-12-11
    Patch-Name: mention-ssh-keygen-on-keychange.patch

commit 2d07e4a73975fd8b478680e8a4490fc6c48a6390
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:10:01 2014 +0000

    Force use of DNSSEC even if "options edns0" isn't in resolv.conf

    This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

    Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
    Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
    Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
    Last-Update: 2023-06-19
    Patch-Name: dnssec-sshfp.patch

commit 09466af13847aea5aa2ff17c29181c6e55e31dc2
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:10:00 2014 +0000

    Look for $SHELL on the path for ProxyCommand/LocalCommand

    There's some debate on the upstream bug about whether POSIX requires
    this. I (Colin Watson) agree with Vincent and think it does.

    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
    Bug-Debian: http://bugs.debian.org/492728
    Last-Update: 2020-02-21
    Patch-Name: shell-path.patch

commit 5c274c836094e9091ebad95435d79780a4316020
Author: Nicolas Valcárcel <nvalcarcel@ubuntu.com>
Date:   Sun Feb 9 16:09:59 2014 +0000

    Adjust scp quoting in verbose mode

    Tweak scp's reporting of filenames in verbose mode to be a bit less
    confusing with spaces. This should be revised to mimic real shell
    quoting.

    Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
    Last-Update: 2010-02-27
    Patch-Name: scp-quoting.patch

commit 673c225f85e2666e10be71a1d87225de2bb2aeb2
Author: Colin Watson <cjwatson@debian.org>
Date:   Sun Feb 9 16:09:58 2014 +0000

    Allow harmless group-writability

    Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
    group-writable, provided that the group in question contains only the
    file's owner. Rejected upstream for IMO incorrect reasons (e.g. a
    misunderstanding about the contents of gr->gr_mem). Given that per-user
    groups and umask 002 are the default setup in Debian (for good reasons -
    this makes operating in setgid directories with other groups much
    easier), we need to permit this by default.

    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
    Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
    Last-Update: 2022-02-23
    Patch-Name: user-group-modes.patch

commit 1b1705fba0225804c8ecec8b3a911d4407248c91
Author: Natalie Amery <nmamery@chiark.greenend.org.uk>
Date:   Sun Feb 9 16:09:54 2014 +0000

    "LogLevel SILENT" compatibility

    "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
    match the behaviour of non-free SSH, in which -q does not suppress fatal
    errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
    complained, so we've dropped most of it. The parts that remain are basic
    configuration file compatibility, and an adjustment to "Pseudo-terminal
    will not be allocated ..." which should be split out into a separate
    patch.

    Author: Matthew Vernon <matthew@debian.org>
    Author: Colin Watson <cjwatson@debian.org>
    Last-Update: 2013-09-14
    Patch-Name: syslog-level-silent.patch

commit 50a68a21649c42d5587e78cab2c63ee3add81dd4
Author: Richard Kettlewell <rjk@greenend.org.uk>
Date:   Sun Feb 9 16:09:52 2014 +0000

    Various keepalive extensions

    Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut,
    supported in previous versions of Debian's OpenSSH package but since
    superseded by ServerAliveInterval. (We're probably stuck with this bit
    for compatibility.)

    In batch mode, default ServerAliveInterval to five minutes.

    Adjust documentation to match and to give some more advice on use of
    keepalives.

    Author: Ian Jackson <ian@chiark.greenend.org.uk>
    Author: Matthew Vernon <matthew@debian.org>
    Author: Colin Watson <cjwatson@debian.org>
    Last-Update: 2023-12-18
    Patch-Name: keepalive-extensions.patch

commit 2d6d05de518be9a3b3724a951e9dcb57e4c6124e
Author: Colin Watson <cjwatson@ubuntu.com>
Date:   Sun Feb 9 16:09:50 2014 +0000

    Accept obsolete ssh-vulnkey configuration options

    These options were used as part of Debian's response to CVE-2008-0166.
    Nearly six years later, we no longer need to continue carrying the bulk
    of that patch, but we do need to avoid failing when the associated
    configuration options are still present.

    Last-Update: 2014-02-09
    Patch-Name: ssh-vulnkey-compat.patch

commit 13a9ed0149b0861aac9c6c6f078ff42a5d8839f0
Author: Manoj Srivastava <srivasta@debian.org>
Date:   Sun Feb 9 16:09:49 2014 +0000

    Handle SELinux authorisation roles

    Rejected upstream due to discomfort with magic usernames; a better
    approach will need an SSH protocol change. In the meantime, this came
    from Debian's SELinux maintainer, so we'll keep it until we have
    something better.

    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
    Bug-Debian: http://bugs.debian.org/394795
    Last-Update: 2021-11-05
    Patch-Name: selinux-role.patch

commit f6856e554804e6bd6c93fb48bea73a26f912ad7f
Author: Colin Watson <cjwatson@debian.org>
Date:   Tue Oct 7 13:22:41 2014 +0100

    Restore TCP wrappers support

    Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
    and thread:

    https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html

    It is true that this reduces preauth attack surface in sshd. On the other
    hand, this support seems to be quite widely used, and abruptly dropping
    it (from the perspective of users who don't read openssh-unix-dev) could
    easily cause more serious problems in practice.

    It's not entirely clear what the right long-term answer for Debian is,
    but it at least probably doesn't involve dropping this feature shortly
    before a freeze.

    Forwarded: not-needed
    Last-Update: 2022-02-23
    Patch-Name: restore-tcp-wrappers.patch

commit 4431708c5c325cdbcf802e5d86ea1f4da78c1b50
Author: Simon Wilkinson <simon@sxw.org.uk>
Date:   Sun Feb 9 16:09:48 2014 +0000

    GSSAPI key exchange support

    This patch has been rejected upstream: "None of the OpenSSH developers are
    in favour of adding this, and this situation has not changed for several
    years. This is not a slight on Simon's patch, which is of fine quality, but
    just that a) we don't trust GSSAPI implementations that much and b) we
    don't like adding new KEX since they are pre-auth attack surface. This one
    is particularly scary, since it requires hooks out to typically root-owned
    system resources."

    However, quite a lot of people rely on this in Debian, and it's better to
    have it merged into the main openssh package rather than having separate
    -krb5 packages (as we used to have). It seems to have a generally good
    security history.

    Author: Simon Wilkinson <simon@sxw.org.uk>
    Author: Colin Watson <cjwatson@debian.org>
    Author: Jakub Jelen <jjelen@redhat.com>
    Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
    Last-Updated: 2024-03-14
    Patch-Name: gssapi.patch
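The rule in the user-group-modes.patch entry above (secure files may be group-writable only when the owning group contains nobody but the owner), modelled as an added example; this is not Debian's or OpenSSH's code, and the FileInfo/Owner/Group types and the uid/gid values are constructed stand-ins for what os.stat(), pwd and grp would return.

```python
# Added example, not Debian's or OpenSSH's code: a model of the rule described in
# user-group-modes.patch, built from the commit message. Inputs are constructed
# plain values so it runs offline; a real check would fill them from os.stat(),
# pwd.getpwuid() and grp.getgrgid().
import stat
from dataclasses import dataclass
from typing import Optional

@dataclass
class FileInfo:
    mode: int  # permission bits from st_mode, e.g. 0o660
    uid: int   # st_uid
    gid: int   # st_gid

@dataclass
class Owner:
    name: str         # pw_name of the file's owner
    primary_gid: int  # pw_gid of the file's owner

@dataclass
class Group:
    gid: int
    members: tuple    # gr_mem: supplementary members by login name

def effective_members(group: Group, owner: Owner) -> set:
    """gr_mem plus the owner when this is their primary group.

    gr_mem never lists primary-group membership, so a Debian per-user group
    with gr_mem == () still counts as a group containing only the owner.
    """
    members = set(group.members)
    if group.gid == owner.primary_gid:
        members.add(owner.name)
    return members

def is_secure_file(f: FileInfo, user_uid: int, owner: Owner,
                   group: Optional[Group]) -> bool:
    """Secure-file check as the user-group-modes.patch commit message describes it."""
    if f.uid != 0 and f.uid != user_uid:
        return False                     # upstream rule: owner must be root or the user
    if f.mode & stat.S_IWOTH:
        return False                     # world-writable is never acceptable
    if not (f.mode & stat.S_IWGRP):
        return True                      # stock upstream condition satisfied
    if group is None or group.gid != f.gid:
        return False
    return effective_members(group, owner) == {owner.name}   # Debian relaxation
```

A shared group such as "users" with two members therefore fails the check even with umask 002, while a per-user group whose gr_mem is empty passes.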