Debian Package Tracker

general

source: openssh (main)
version: 1:7.7p1-2
maintainer: Debian OpenSSH Maintainers (archive) [DMD]
uploaders: Matthew Vernon [DMD] – Colin Watson [DMD]
arch: all any
std-ver: 4.1.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:6.0p1-4+deb7u4
o-o-sec: 1:6.0p1-4+deb7u7
o-o-bpo: 1:6.6p1-4~bpo70+1
oldstable: 1:6.7p1-5+deb8u4
old-sec: 1:6.7p1-5+deb8u3
stable: 1:7.4p1-10+deb9u3
testing: 1:7.7p1-2
unstable: 1:7.7p1-2

versioned links

1:6.0p1-4+deb7u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0p1-4+deb7u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.6p1-4~bpo70+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.7p1-5+deb8u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.7p1-5+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.4p1-10+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.7p1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

openssh-client
openssh-client-udeb
openssh-server
openssh-server-udeb
openssh-sftp-server
ssh
ssh-askpass-gnome

action needed

Depends on packages which need a new maintainer normal

The packages that openssh depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2017-12-02 Last update: 2018-06-20 14:19

47 bugs tagged patch in the BTS normal

The BTS contains patches fixing 47 bugs (65 if counting merged bugs), consider including or untagging them.

Created: 2017-11-21 Last update: 2018-06-20 13:48

A new version is available in the VCS, consider uploading it. normal

vcswatch reports that this package has a new version ready in the VCS. You should consider uploading into the archive.

Created: 2018-06-17 Last update: 2018-06-19 09:03

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-12 Last update: 2018-04-12 07:56

13 ignored security issues in jessie low

There are 13 open security issues in jessie.

13 issues skipped by the security teams:

CVE-2016-8858: ** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
CVE-2016-10708: sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
CVE-2015-6564: Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
CVE-2015-6563: The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
CVE-2017-15906: The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
CVE-2016-3115: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
CVE-2015-5352: The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window.
CVE-2016-1908: The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
CVE-2015-5600: The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
CVE-2016-6515: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
CVE-2016-10011: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.

Please fix them.

Created: 2015-07-12 Last update: 2018-06-02 08:03

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2018-04-03 19:52

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.1.4 instead of 4.1.0).

Created: 2017-06-25 Last update: 2018-04-16 20:47

news

[rss feed]

[2018-04-09] openssh 1:7.7p1-2 MIGRATED to testing (Debian testing watch)
[2018-04-04] Accepted openssh 1:7.7p1-2 (source) into unstable (Colin Watson)
[2018-04-03] Accepted openssh 1:7.7p1-1 (source) into unstable (Colin Watson)
[2018-04-01] Accepted openssh 1:7.6p1-5 (source) into unstable (Colin Watson)
[2018-03-03] Accepted openssh 1:7.4p1-10+deb9u3 (source) into proposed-updates->stable-new, proposed-updates (Colin Watson)
[2018-02-15] openssh 1:7.6p1-4 MIGRATED to testing (Debian testing watch)
[2018-02-10] Accepted openssh 1:7.6p1-4 (source) into unstable (Colin Watson)
[2018-01-26] Accepted openssh 1:6.0p1-4+deb7u7 (source amd64 all) into oldoldstable (Antoine Beaupré)
[2018-01-22] openssh 1:7.6p1-3 MIGRATED to testing (Debian testing watch)
[2018-01-16] Accepted openssh 1:7.6p1-3 (source) into unstable (Colin Watson)
[2017-11-19] Accepted openssh 1:6.7p1-5+deb8u4 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Colin Watson)
[2017-11-18] Accepted openssh 1:7.4p1-10+deb9u2 (source) into proposed-updates->stable-new, proposed-updates (Colin Watson)
[2017-10-12] openssh 1:7.6p1-2 MIGRATED to testing (Debian testing watch)
[2017-10-07] Accepted openssh 1:7.6p1-2 (source) into unstable (Colin Watson)
[2017-10-06] Accepted openssh 1:7.6p1-1 (source) into unstable (Colin Watson)
[2017-09-06] openssh 1:7.5p1-10 MIGRATED to testing (Debian testing watch)
[2017-09-01] Accepted openssh 1:7.5p1-10 (source) into unstable (Colin Watson)
[2017-08-31] Accepted openssh 1:7.5p1-9 (source) into unstable (Colin Watson)
[2017-08-28] Accepted openssh 1:7.5p1-8 (source) into unstable (Colin Watson)
[2017-08-23] Accepted openssh 1:7.5p1-7 (source) into unstable (Colin Watson)
[2017-08-23] Accepted openssh 1:7.5p1-6 (source) into unstable (Colin Watson)
[2017-06-24] Accepted openssh 1:7.4p1-10+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Colin Watson)
[2017-06-23] openssh 1:7.5p1-5 MIGRATED to testing (Debian testing watch)
[2017-06-18] Accepted openssh 1:7.5p1-5 (source) into unstable (Colin Watson)
[2017-06-06] Accepted openssh 1:7.5p1-4 (source) into experimental (Colin Watson)
[2017-06-06] Accepted openssh 1:7.4p1-11 (source) into unstable (Colin Watson)
[2017-05-02] Accepted openssh 1:7.5p1-3 (source) into experimental (Colin Watson)
[2017-04-07] openssh 1:7.4p1-10 MIGRATED to testing (Debian testing watch)
[2017-04-02] Accepted openssh 1:7.5p1-2 (source) into experimental (Colin Watson)
[2017-04-02] Accepted openssh 1:7.5p1-1 (source) into experimental (Colin Watson)

bugs [bug history graph]

all: 580 631
RC: 1
I&N: 353 376
M&W: 224 252
F&P: 2

links

homepage
lintian (0, 4)
buildd: logs, checks, clang, reproducibility
popcon
debci
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:7.7p1-2
144 bugs (6 patches)