Public bug reported:

Scheduled-For: ubuntu-later
Upstream: tbd
Debian: 1:9.0p1-1
Ubuntu: 1:9.0p1-1ubuntu7

### New Debian Changes ###

openssh (1:9.0p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/releasenotes.html#9.0p1):
    - scp(1): Use the SFTP protocol by default (closes: #144579, #204546,
      #327019). This changes scp's quoting semantics by no longer performing
      wildcard expansion using the remote shell, and (with some server
      versions) no longer expanding ~user paths. The -O option is available
      to use the old protocol. See NEWS.Debian for more details.
    - ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
      exchange method by default ('sntrup761x25519-sha...@openssh.com').
      The NTRU algorithm is believed to resist attacks enabled by future
      quantum computers and is paired with the X25519 ECDH key exchange
      (the previous default) as a backstop against any weaknesses in NTRU
      Prime that may be discovered in the future. The combination ensures
      that the hybrid exchange offers at least as good security as the
      status quo.
    - sftp-server(8): support the 'copy-data' extension to allow
      server-side copying of files/data, following the design in
      draft-ietf-secsh-filexfer-extensions-00.
    - sftp(1): add a 'cp' command to allow the sftp client to perform
      server-side file copies.
    - ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output
      fd closes without data in the channel buffer (closes: #1007822).
    - sshd(8): pack pollfd array in server listen/accept loop. Could cause
      the server to hang/spin when MaxStartups > RLIMIT_NOFILE.
    - ssh-keygen(1): avoid NULL deref via the find-principals and
      check-novalidate operations. bz3409 and GHPR307 respectively.
    - scp(1): fix a memory leak in argument processing.
    - sshd(8): don't try to resolve ListenAddress directives in the sshd
      re-exec path. They are unused after re-exec and parsing errors
      (possible for example if the host's network configuration changed)
      could prevent connections from being accepted.
    - sshd(8): when refusing a public key authentication request from a
      client for using an unapproved or unsupported signature algorithm,
      include the algorithm name in the log message to make debugging
      easier.
    - ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
      parsing of K/M/G/etc quantities.
    - sshd(8): default to not using sandbox when cross compiling. On most
      systems poll(2) does not work when the number of FDs is reduced with
      setrlimit, so assume it doesn't when cross compiling and we can't
      run the test.
  * Remove obsolete FAQ, removed from openssh.com in 2016.

 -- Colin Watson <cjwat...@debian.org>  Sat, 09 Apr 2022 14:14:10 +0100

openssh (1:8.9p1-3) unstable; urgency=medium

  * Allow ppoll_time64 in seccomp filter (closes: #1006445).

 -- Colin Watson <cjwat...@debian.org>  Fri, 25 Feb 2022 23:30:49 +0000

openssh (1:8.9p1-2) unstable; urgency=medium

  * Improve detection of -fzero-call-used-regs=all support.

 -- Colin Watson <cjwat...@debian.org>  Thu, 24 Feb 2022 16:09:56 +0000

openssh (1:8.9p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/releasenotes.html#8.9p1):
    - sshd(8): fix an integer overflow in the user authentication path
      that, in conjunction with other logic errors, could have yielded
      unauthenticated access under difficult to exploit conditions.
    - sshd(8), portable OpenSSH only: this release removes in-built
      support for MD5-hashed passwords.
    - ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
      restricting forwarding and use of keys added to ssh-agent(1).
    - ssh(1), sshd(8): add the sntrup761x25519-sha...@openssh.com hybrid
      ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default
      KEXAlgorithms list (after the ECDH methods but before the
      prime-group DH ones). The next release of OpenSSH is likely to make
      this key exchange the default method.
    - ssh-keygen(1): when downloading resident keys from a FIDO token,
      pass back the user ID that was used when the key was created and
      append it to the filename the key is written to (if it is not the
      default). Avoids keys being clobbered if the user created multiple
      resident keys with the same application string but different user
      IDs.
    - ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
      on tokens that provide user verification (UV) on the device itself,
      including biometric keys, avoiding unnecessary PIN prompts.
    - ssh-keygen(1): add 'ssh-keygen -Y match-principals' operation to
      perform matching of principal names against an allowed signers
      file. To be used towards a TOFU model for SSH signatures in git.
    - ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
      to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
      authentication time.
    - ssh-keygen(1): allow selection of hash at sshsig signing time
      (either sha512 (default) or sha256).
    - ssh(1), sshd(8): read network data directly to the packet input
      buffer instead of indirectly via a small stack buffer. Provides a
      modest performance improvement.
    - ssh(1), sshd(8): read data directly to the channel input buffer,
      providing a similar modest performance improvement.
    - ssh(1): extend the PubkeyAuthentication configuration directive to
      accept yes|no|unbound|host-bound to allow control over one of the
      protocol extensions used to implement agent-restricted keys.
    - sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
      PubkeyAuthOptions can be used in a Match block.
    - sshd(8): fix possible string truncation when constructing paths to
      .rhosts/.shosts files with very long user home directory names.

### Old Ubuntu Delta ###

openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium

  * Update list of stock sshd_config checksums to include those from jammy
    and kinetic.
  * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to avoid
    spurious ucf prompts on upgrade.
  * Move /run/sshd creation out of the systemd unit to a tmpfile config so
    that sshd can be run manually if necessary without having to create
    this directory by hand. LP: #1991283.

  [ Nick Rosbrook ]
  * debian/openssh-server.postinst: Fix addresses.conf generation when only
    non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).

 -- Steve Langasek <vor...@debian.org>  Mon, 26 Sep 2022 21:55:14 +0000

openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium

  * Fix syntax error in postinst :/

 -- Steve Langasek <vor...@debian.org>  Fri, 23 Sep 2022 19:51:32 +0000

openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium

  * Correctly handle the case of new installs, and correctly apply systemd
    unit overrides on upgrade from existing kinetic systems.

 -- Steve Langasek <vor...@debian.org>  Fri, 23 Sep 2022 19:45:18 +0000

openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium

  * Don't migrate users to socket activation if multiple ListenAddresses
    might make sshd unreliable on boot.
  * Fix regexp bug that prevented proper migration of IPv6 address
    settings.

 -- Steve Langasek <vor...@debian.org>  Fri, 23 Sep 2022 19:35:37 +0000

openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium

  * Document in the default sshd_config file the changes in behavior
    triggered by use of socket-based activation.

 -- Steve Langasek <steve.langa...@ubuntu.com>  Fri, 26 Aug 2022 00:40:11 +0000

openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium

  * Fix manpage to not claim socket-based activation is the default on
    Debian!

 -- Steve Langasek <steve.langa...@ubuntu.com>  Fri, 26 Aug 2022 00:21:42 +0000

openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium

  * debian/patches/systemd-socket-activation.patch: support systemd socket
    activation.
  * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
    activation by default.
  * debian/rules: rejigger dh_installsystemd invocations so ssh.service
    and ssh.socket don't fight.
  * debian/openssh-server.postinst: handle migration of sshd_config
    options to systemd socket options on upgrade.
  * debian/README.Debian: document systemd socket activation.
  * debian/patches/socket-activation-documentation.patch: Document in
    sshd_config(5) that ListenAddress and Port no longer work.
  * debian/openssh-server.templates, debian/openssh-server.postinst:
    include debconf warning about possible service failure with multiple
    ListenAddress settings.

 -- Steve Langasek <steve.langa...@ubuntu.com>  Fri, 19 Aug 2022 20:43:16 +0000

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Tags: needs-merge upgrade-software-version

** Changed in: openssh (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch
seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1993427

Title:
  Merge openssh from Debian unstable for l-series

Status in openssh package in Ubuntu:
  Incomplete