Accepted:

Format: 1.8
Date: Thu, 30 Aug 2018 15:35:27 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.8p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 573316 905407 907534
Changes:
 openssh (1:7.8p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.8, closes: #907534):
     - ssh-keygen(1): Write OpenSSH format private keys by default instead of
       using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
       supported in OpenSSH releases since 2014 and described in the
       PROTOCOL.key file in the source distribution, offers substantially
       better protection against offline password guessing and supports key
       comments in private keys. If necessary, it is possible to write old
       PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
       generating or updating a key.
     - sshd(8): Remove internal support for S/Key multiple factor
       authentication. S/Key may still be used via PAM or BSD auth.
     - ssh(1): Remove vestigial support for running ssh(1) as setuid. This
       used to be required for hostbased authentication and the (long gone)
       rhosts-style authentication, but has not been necessary for a long
       time. Attempting to execute ssh as a setuid binary, or with uid !=
       effective uid, will now yield a fatal error at runtime.
     - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
       HostbasedAcceptedKeyTypes options have changed. These now specify
       signature algorithms that are accepted for their respective
       authentication mechanism, where previously they specified accepted
       key types. This distinction matters when using the RSA/SHA2 signature
       algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
       counterparts. Configurations that override these options but omit
       these algorithm names may cause unexpected authentication failures
       (no action is required for configurations that accept the default
       for these options).
     - sshd(8): The precedence of session environment variables has changed.
       ~/.ssh/environment and environment="..." options in authorized_keys
       files can no longer override SSH_* variables set implicitly by sshd.
     - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
       will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
       a detailed rationale, please see the commit message:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
     - ssh(1)/sshd(8): Add new signature algorithms
       "rsa-sha2-256-cert-v...@openssh.com" and
       "rsa-sha2-512-cert-...@openssh.com" to explicitly force use of
       RSA/SHA2 signatures in authentication.
     - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
       of environment variable names in addition to global "yes" or "no"
       settings.
     - sshd(8): Add a PermitListen directive to sshd_config(5) and a
       corresponding permitlisten= authorized_keys option that control which
       listen addresses and port numbers may be used by remote forwarding
       (ssh -R ...).
     - sshd(8): Add some countermeasures against timing attacks used for
       account validation/enumeration. sshd will enforce a minimum time for
       each failed authentication attempt consisting of a global 5ms minimum
       plus an additional per-user 0-4ms delay derived from a host secret.
     - sshd(8): Add a SetEnv directive to allow an administrator to
       explicitly specify environment variables in sshd_config. Variables
       set by SetEnv override the default and client-specified environment.
     - ssh(1): Add a SetEnv directive to request that the server sets an
       environment variable in the session. Similar to the existing SendEnv
       option, these variables are set subject to server configuration.
     - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
       previously marked for sending to the server (closes: #573316).
     - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
       the username is available currently.
     - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
       functionality.
     - sshd(8): Avoid observable differences in request parsing that could
       be used to determine whether a target user is valid.
     - ssh(1)/sshd(8): Fix some memory leaks.
     - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
       occur during key loading, manifesting as a crash on some platforms.
     - sshd_config(5): Clarify documentation for the AuthenticationMethods
       option.
     - ssh(1): Ensure that the public key algorithm sent in a public key
       SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
       Previously, these could be inconsistent when a legacy or non-OpenSSH
       ssh-agent returned an RSA/SHA1 signature when asked to make an
       RSA/SHA2 signature.
     - sshd(8): Fix failures to read authorized_keys caused by faulty
       supplemental group caching.
     - scp(1): Apply umask to directories, fixing a potential mkdir/chmod
       race when copying directory trees.
     - ssh-keygen(1): Return the correct exit code when searching for and
       hashing known_hosts entries in a single operation.
     - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
       re-executing ssh for ProxyJump.
     - sshd(8): Do not ban PTY allocation when an sshd session is restricted
       because the user password is expired, as it breaks the password
       change dialog.
     - ssh(1)/sshd(8): Fix error reporting from select() failures.
     - ssh(1): Improve documentation for the -w (tunnel) flag, emphasising
       that -w implicitly sets Tunnel=point-to-point.
     - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
       will no longer spin when its file descriptor limit is exceeded.
     - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
       clients. Twisted Conch versions that lack a version number in their
       identification strings will mishandle these messages when running on
       Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
     - sftp(1): Notify the user immediately when the underlying ssh process
       dies unexpectedly.
     - ssh(1)/sshd(8): Fix tunnel forwarding; regression in the 7.7 release.
     - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
       fails to accept(2) a connection.
     - ssh(1): Add some missing options in the configuration dump output
       (ssh -G).
     - sshd(8): Expose details of completed authentication to PAM auth
       modules via SSH_AUTH_INFO_0 in the PAM environment.
   * Switch debian/watch to HTTPS.
   * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
     regression tests.
Thank you for your contribution to Debian.
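The PubkeyAcceptedKeyTypes/HostbasedAcceptedKeyTypes change above is the one most likely to bite existing deployments: a list that was written as "accepted key types" (e.g. ssh-rsa alone) is read by 7.8 as "accepted signature algorithms" and therefore admits only RSA/SHA1. The checker below, an added example and not part of the Debian package or OpenSSH, scans an sshd_config fragment for overrides that name an RSA key type but omit rsa-sha2-256/rsa-sha2-512; the sample config is constructed, and the treatment of "+"/"-" prefixes (append to / remove from the built-in default) is this example's reading of sshd_config(5), limited to the plain key types rather than their certificate counterparts.

```python
import re
from typing import List

# Signature algorithm names OpenSSH 7.8 expects to see alongside ssh-rsa in an
# overridden *AcceptedKeyTypes list (the page names them explicitly).
RSA_SHA2_ALGS = {"rsa-sha2-256", "rsa-sha2-512"}
RSA_KEY_TYPES = {"ssh-rsa"}
OPTIONS = {"pubkeyacceptedkeytypes", "hostbasedacceptedkeytypes"}


def check_sshd_config(text: str) -> List[str]:
    """Return one warning per *AcceptedKeyTypes override that drops RSA/SHA2."""
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2 or parts[0].lower() not in OPTIONS:
            continue
        option, value = parts[0], parts[1].strip()
        if value.startswith("+"):
            continue  # appends to the built-in default, which already lists rsa-sha2-*
        if value.startswith("-"):
            removed = set(value[1:].split(","))
            if removed & RSA_SHA2_ALGS:
                warnings.append(f"line {lineno}: {option} removes {sorted(removed & RSA_SHA2_ALGS)}; "
                                "RSA keys will only be usable with RSA/SHA1 signatures")
            continue
        algs = set(value.split(","))
        if algs & RSA_KEY_TYPES and not algs & RSA_SHA2_ALGS:
            warnings.append(f"line {lineno}: {option} lists ssh-rsa but omits rsa-sha2-256/rsa-sha2-512; "
                            "under OpenSSH 7.8 semantics clients that sign with RSA/SHA2 will fail to authenticate")
    return warnings


# Constructed sample fragment (not taken from the page): line 3 is the risky
# pre-7.8 style override, line 4 is safe because "+" extends the default list.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
HostbasedAcceptedKeyTypes +ssh-rsa
"""

if __name__ == "__main__":
    for warning in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(warning)
```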
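The account-enumeration countermeasure described above (a global 5ms floor plus a per-user 0-4ms delay derived from a host secret) works because the extra delay depends only on the submitted username and a secret, so it is identical whether or not the account exists and cannot be predicted by an outsider. The model below is an added example, not sshd's code: the HMAC-SHA256 derivation, the simulated password-hash work and the host secret are this example's own constructed choices, and only the 5ms/0-4ms parameters come from the release notes.

```python
import hashlib
import hmac
import time

GLOBAL_MIN_MS = 5.0      # every failed attempt takes at least this long
PER_USER_RANGE_MS = 4.0  # plus a per-user delay drawn from [0, 4) ms


def per_user_delay_ms(host_secret: bytes, username: str) -> float:
    """Deterministic per-user delay in [0, PER_USER_RANGE_MS) ms.

    Keyed on the host secret so it is unpredictable to a remote party, and
    derived from the username alone so valid and invalid names get the same
    treatment. HMAC-SHA256 is this example's construction, not OpenSSH's exact one.
    """
    digest = hmac.new(host_secret, username.encode("utf-8"), hashlib.sha256).digest()
    micros = int.from_bytes(digest[:8], "big") % int(PER_USER_RANGE_MS * 1000)
    return micros / 1000.0


def minimum_auth_time_ms(host_secret: bytes, username: str) -> float:
    return GLOBAL_MIN_MS + per_user_delay_ms(host_secret, username)


def ensure_minimum_time(start: float, host_secret: bytes, username: str) -> float:
    """Sleep until the per-user floor has elapsed since `start`; return elapsed ms."""
    floor_ms = minimum_auth_time_ms(host_secret, username)
    elapsed_ms = (time.monotonic() - start) * 1000.0
    while elapsed_ms < floor_ms:                  # loop guards against short sleeps
        time.sleep((floor_ms - elapsed_ms) / 1000.0)
        elapsed_ms = (time.monotonic() - start) * 1000.0
    return elapsed_ms


def failed_auth_attempt(host_secret: bytes, username: str, user_exists: bool) -> float:
    """Simulate a rejected password login and return how long it took in ms."""
    start = time.monotonic()
    if user_exists:
        # Simulated cost of hashing a wrong password for a real account; an
        # unknown account would skip this, which is the signal the floor hides.
        hashlib.pbkdf2_hmac("sha256", b"wrong-password", b"constructed-salt", 2000)
    return ensure_minimum_time(start, host_secret, username)


if __name__ == "__main__":
    secret = b"constructed-host-secret"          # placeholder, not a real secret
    for name, exists in (("alice", True), ("nobody", False)):
        print(name, f"floor={minimum_auth_time_ms(secret, name):.3f}ms",
              f"took={failed_auth_attempt(secret, name, exists):.3f}ms")
```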