Debian Package Tracker

general

source: openssh (main)
version: 1:7.9p1-6
maintainer: Debian OpenSSH Maintainers (archive) [DMD]
uploaders: Matthew Vernon [DMD] – Colin Watson [DMD]
arch: all any
std-ver: 4.1.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:6.0p1-4+deb7u4
o-o-sec: 1:6.0p1-4+deb7u7
o-o-bpo: 1:6.6p1-4~bpo70+1
oldstable: 1:6.7p1-5+deb8u4
old-sec: 1:6.7p1-5+deb8u7
stable: 1:7.4p1-10+deb9u5
stable-sec: 1:7.4p1-10+deb9u5
testing: 1:7.9p1-6
unstable: 1:7.9p1-6

versioned links

1:6.0p1-4+deb7u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0p1-4+deb7u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.6p1-4~bpo70+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.7p1-5+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.7p1-5+deb8u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.4p1-10+deb9u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.9p1-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

openssh-client
openssh-client-udeb
openssh-server
openssh-server-udeb
openssh-sftp-server
openssh-tests
ssh
ssh-askpass-gnome

action needed

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Please fix it.

Created: 2018-08-28 Last update: 2019-02-21 05:13

5 security issues in jessie high

There are 5 open security issues in jessie.

3 important issues:

CVE-2019-6109: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
CVE-2019-6111: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

2 issues skipped by the security teams:

CVE-2016-8858: ** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Please fix them.

Created: 2015-07-12 Last update: 2019-02-21 05:13

47 bugs tagged patch in the BTS normal

The BTS contains patches fixing 47 bugs (65 if counting merged bugs), consider including or untagging them.

Created: 2018-10-01 Last update: 2019-02-21 18:40

Depends on packages which need a new maintainer normal

The packages that openssh depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2017-12-02 Last update: 2019-02-21 18:16

lintian reports 35 warnings normal

Lintian reports 35 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-12 Last update: 2019-01-14 07:32

1 ignored security issue in stretch low

There is 1 open security issue in stretch.

1 issue skipped by the security teams:

CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Please fix it.

Created: 2018-08-28 Last update: 2019-02-21 05:13

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Please fix it.

Created: 2018-08-28 Last update: 2019-02-21 05:13

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2018-04-03 19:52

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.3.0 instead of 4.1.0).

Created: 2017-06-25 Last update: 2019-02-09 01:11

news

[rss feed]

[2019-02-11] openssh 1:7.9p1-6 MIGRATED to testing (Debian testing watch)
[2019-02-09] Accepted openssh 1:7.4p1-10+deb9u5 (source) into proposed-updates->stable-new, proposed-updates (Yves-Alexis Perez)
[2019-02-09] Accepted openssh 1:7.4p1-10+deb9u5 (source) into stable->embargoed, stable (Yves-Alexis Perez)
[2019-02-08] Accepted openssh 1:7.9p1-6 (source) into unstable (Colin Watson)
[2019-01-15] openssh 1:7.9p1-5 MIGRATED to testing (Debian testing watch)
[2019-01-13] Accepted openssh 1:7.9p1-5 (source) into unstable (Colin Watson)
[2018-11-19] openssh 1:7.9p1-4 MIGRATED to testing (Debian testing watch)
[2018-11-16] Accepted openssh 1:7.9p1-4 (source) into unstable (Colin Watson)
[2018-11-16] Accepted openssh 1:7.9p1-3 (all amd64 source) into unstable, unstable (Colin Watson)
[2018-10-28] openssh 1:7.9p1-1 MIGRATED to testing (Debian testing watch)
[2018-10-21] Accepted openssh 1:7.9p1-1 (source) into unstable (Colin Watson)
[2018-09-12] Accepted openssh 1:6.7p1-5+deb8u7 (source amd64 all) into oldstable (Santiago Ruano Rincón)
[2018-09-10] Accepted openssh 1:6.7p1-5+deb8u6 (source amd64 all) into oldstable (Santiago Ruano Rincón)
[2018-09-02] openssh 1:7.8p1-1 MIGRATED to testing (Debian testing watch)
[2018-08-30] Accepted openssh 1:7.8p1-1 (source) into unstable (Colin Watson)
[2018-08-24] Accepted openssh 1:7.4p1-10+deb9u4 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Sebastien Delafond)
[2018-08-22] Accepted openssh 1:7.4p1-10+deb9u4 (source amd64 all) into stable->embargoed, stable (Sebastien Delafond)
[2018-08-21] Accepted openssh 1:6.7p1-5+deb8u5 (source amd64 all) into oldstable (Chris Lamb)
[2018-08-19] openssh 1:7.7p1-4 MIGRATED to testing (Debian testing watch)
[2018-08-17] Accepted openssh 1:7.7p1-4 (source) into unstable (Colin Watson)
[2018-07-13] openssh 1:7.7p1-3 MIGRATED to testing (Debian testing watch)
[2018-07-10] Accepted openssh 1:7.7p1-3 (source) into unstable (Colin Watson)
[2018-04-09] openssh 1:7.7p1-2 MIGRATED to testing (Debian testing watch)
[2018-04-04] Accepted openssh 1:7.7p1-2 (source) into unstable (Colin Watson)
[2018-04-03] Accepted openssh 1:7.7p1-1 (source) into unstable (Colin Watson)
[2018-04-01] Accepted openssh 1:7.6p1-5 (source) into unstable (Colin Watson)
[2018-03-03] Accepted openssh 1:7.4p1-10+deb9u3 (source) into proposed-updates->stable-new, proposed-updates (Colin Watson)
[2018-02-15] openssh 1:7.6p1-4 MIGRATED to testing (Debian testing watch)
[2018-02-10] Accepted openssh 1:7.6p1-4 (source) into unstable (Colin Watson)
[2018-01-26] Accepted openssh 1:6.0p1-4+deb7u7 (source amd64 all) into oldoldstable (Antoine Beaupré)

bugs [bug history graph]

all: 590 641
RC: 0
I&N: 362 385
M&W: 226 254
F&P: 2
patch: 47 65

links

homepage
lintian (0, 35)
buildd: logs, checks, clang, reproducibility
popcon
debci
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:7.9p1-6
137 bugs (5 patches)