Public bug reported:

Scheduled-For: 22.12
Upstream: tbd
Debian:   1:8.4p1-6    
Ubuntu:   1:8.4p1-6ubuntu2


Debian typically updates openssh every 1 month on average, but it was
last updated 21.08 and looks overdue.  Check back in on this monthly.


### New Debian Changes ###

openssh
openssh (1:8.4p1-6) unstable; urgency=medium

  [ Colin Watson ]
  * Rename ssh group to _ssh (closes: #990456).  It's only used by
    ssh-agent.
  * debian/tests/regress: Don't fail cleanup if haveged isn't running.
  * Backport from upstream:
    - Add includes.h to compat tests (closes: #992134, LP: #1939751).
  * Use 'command -v' in maintainer scripts rather than 'which'.

  [ Athos Ribeiro ]
  * d/systemd/ssh@.service: preserve the systemd managed runtime directory to
    ensure parallel processes will not disrupt one another when halting
    (LP: #1905285) (closes: #934663)

 -- Colin Watson <cjwat...@debian.org>  Thu, 19 Aug 2021 11:04:01 +0100

openssh (1:8.4p1-5) unstable; urgency=high

  * CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).

 -- Colin Watson <cjwat...@debian.org>  Sat, 13 Mar 2021 09:59:40 +0000

openssh (1:8.4p1-4) unstable; urgency=medium

  * Avoid using libmd's <sha2.h> even if it's installed
    (closes: #982705).

 -- Colin Watson <cjwat...@debian.org>  Mon, 15 Feb 2021 10:25:17 +0000

openssh (1:8.4p1-3) unstable; urgency=medium

  * Backport from upstream:
    - Fix `EOF: command not found` error in ssh-copy-id (closes: #975540).

 -- Colin Watson <cjwat...@debian.org>  Wed, 02 Dec 2020 10:32:23 +0000

openssh (1:8.4p1-2) unstable; urgency=medium

  * Revert incorrect upstream patch that claimed to fix the seccomp sandbox
    on x32 but in fact broke it instead.

 -- Colin Watson <cjwat...@debian.org>  Mon, 26 Oct 2020 17:41:13 +0000

openssh (1:8.4p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/txt/release-8.4):
    - [SECURITY] ssh-agent(1): restrict ssh-agent from signing web
      challenges for FIDO/U2F keys.
    - [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when
      generating a FIDO resident key.
    - ssh-keygen(1): the format of the attestation information optionally
      recorded when a FIDO key is generated has changed. It now includes the
      authenticator data needed to validate attestation signatures. 
    - The API between OpenSSH and the FIDO token middleware has changed and
      the SSH_SK_VERSION_MAJOR version has been incremented as a result.
      Third-party middleware libraries must support the current API version
      (7) to work with OpenSSH 8.4.
    - ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
      each use. These keys may be generated using ssh-keygen using a new
      'verify-required' option. When a PIN-required key is used, the user
      will be prompted for a PIN to complete the signature operation.
    - sshd(8): authorized_keys now supports a new 'verify-required' option
      to require that FIDO signatures assert that the token verified that the
      user was present before making the signature. The FIDO protocol
      supports multiple methods for user-verification, but currently OpenSSH
      only supports PIN verification.
    - sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
      signatures. Webauthn is a standard for using FIDO keys in web
      browsers. These signatures are a slightly different format to plain
      FIDO signatures and thus require explicit support.
    - ssh(1): allow some keywords to expand shell-style ${ENV} environment
      variables. The supported keywords are CertificateFile, ControlPath,
      IdentityAgent and IdentityFile, plus LocalForward and RemoteForward
      when used for Unix domain socket paths.
    - ssh(1), ssh-agent(1): allow some additional control over the use of
      ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
      including forcibly enabling and disabling its use (closes: #368657).
    - ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword to accept a time
      limit for keys in addition to its current flag options. Time-limited
      keys will automatically be removed from ssh-agent after their expiry
      time has passed.
    - scp(1), sftp(1): allow the -A flag to explicitly enable agent
      forwarding in scp and sftp. The default remains to not forward an
      agent, even when ssh_config enables it.
    - ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the
      destination. This allows, e.g., keeping host keys in individual files
      using 'UserKnownHostsFile ~/.ssh/known_hosts.d/%k' (closes: #481250).
    - ssh(1): add %-TOKEN, environment variable and tilde expansion to the
      UserKnownHostsFile directive, allowing the path to be completed by the
      configuration.
    - ssh-keygen(1): allow 'ssh-add -d -' to read keys to be deleted from
      stdin.
    - sshd(8): improve logging for MaxStartups connection throttling.  sshd
      will now log when it starts and stops throttling and periodically
      while in this state.
    - ssh(1), ssh-keygen(1): better support for multiple attached FIDO
      tokens. In cases where OpenSSH cannot unambiguously determine which
      token to direct a request to, the user is now required to select a
      token by touching it. In cases of operations that require a PIN to be
      verified, this avoids sending the wrong PIN to the wrong token and


### Old Ubuntu Delta ###

openssh (1:8.4p1-6ubuntu2) impish; urgency=medium

  * Configure with ac_cv_func_closefrom=no to avoid an incompatibility
    with glibc 2.34's fallback_closefrom function (LP: #1944621)

 -- William 'jawn-smith' Wilson <william.wil...@canonical.com>  Tue, 21 Sep 2021 22:08:39 +0000

openssh (1:8.4p1-6ubuntu1) impish; urgency=low

  * Merge from Debian unstable (LP: #1941799). Remaining changes:
    - Cherry-pick seccomp fixes for glibc 2.33 thanks to Dave Jones for
      reports on armhf.

 -- William 'jawn-smith' Wilson <william.wil...@canonical.com>  Thu, 26 Aug 2021 12:51:02 -0600

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1946286

Title:
  Merge openssh from Debian unstable for 22.04
