Update OpenSSH to 6.6

Bug #1298280 reported by cc on 2014-03-27
This bug affects 2 people
Affects: openssh (Ubuntu)
Assigned to: Colin Watson

Bug Description

6.6 was just released and fixes some regressions in 6.5. Given that 14.04 is not released yet, it would be great to get to the latest and greatest version.

CVE References

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

We're in feature freeze for Trusty now, so I'm not sure this will happen. But I note from the release notes that "This is primarily a bugfix release."

Release notes: http://www.openssh.com/txt/release-6.6
Changelog: ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog

tags: removed: regression-proposed
summary: - Update OpenSSH for Tahir to 6.6
+ Update OpenSSH to 6.6
Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Colin Watson (cjwatson) wrote :

Yes, I already have this staged in the Debian git repository and plan to land it.

Changed in openssh (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
Robie Basak (racb) wrote :

12:45 <rbasak> cjwatson: any opinion on openssh 6.6? It's "primarily a bugfix release" but it seems quite late now. I
               just triaged bug 1298280.
12:45 <ubottu> bug 1298280 in openssh (Ubuntu) "Update OpenSSH to 6.6" [Wishlist,Triaged]
12:45 <cjwatson> rbasak: I already have it staged and plan to land it

Colin Watson (cjwatson) on 2014-03-27
Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
cc (codecrumb) wrote :

Just as an aside, as I'm not sure what the right forum for this should be, but maybe Ubuntu can consider updating security packages under a separate update policy for LTS releases.

What I mean by this is that, given our current security climate, I feel it's important to make sure people are using the latest packages of openssl, openssh, gnutls etc. It does not need to be a large list of software packages, just a set of core packages, so that we get improved security all around.

Just a thought.

I wouldn't be inclined to take feature releases of openssh. We already
make sure to backport security-relevant changes; openssh upstream are
pretty good about flagging those.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.6p1-1

openssh (1:6.6p1-1) unstable; urgency=medium

  [ Colin Watson ]
  * Apply various warning-suppression and regression-test fixes to
    gssapi.patch from Damien Miller.
  * New upstream release (http://www.openssh.com/txt/release-6.6,
    LP: #1298280):
    - CVE-2014-2532: sshd(8): when using environment passing with an
      sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6
      could be tricked into accepting any environment variable that contains
      the characters before the wildcard character.
  * Re-enable btmp logging, as its permissions were fixed a long time ago in
    response to #370050 (closes: #341883).
  * Change to "PermitRootLogin without-password" for new installations, and
    ask a debconf question when upgrading systems with "PermitRootLogin yes"
    from previous versions (closes: #298138).
  * Debconf translations:
    - Danish (thanks, Joe Hansen).
    - Portuguese (thanks, Américo Monteiro).
    - Russian (thanks, Yuri Kozlov; closes: #742308).
    - Swedish (thanks, Andreas Rönnquist).
    - Japanese (thanks, victory).
    - German (thanks, Stephan Beck; closes: #742541).
    - Italian (thanks, Beatrice Torracca).
  * Don't start ssh-agent from the Upstart user session job if something
    like Xsession has already done so (based on work by Bruno Vasselle;
    LP: #1244736).

  [ Matthew Vernon ]
  * CVE-2014-2653: Fix failure to check SSHFP records if server presents a
    certificate (bug reported by me, patch by upstream's Damien Miller;
    thanks also to Mark Wooding for his help in fixing this) (Closes:

 -- Colin Watson <email address hidden> Fri, 28 Mar 2014 18:04:41 +0000

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
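The changelog above names two sshd_config settings worth checking on hosts that have not yet received this update: wildcard AcceptEnv patterns (CVE-2014-2532, fixed in 6.6) and "PermitRootLogin yes" (the package now defaults new installs to without-password). The script below is an added example, not part of the bug report or of the Debian/Ubuntu packaging; it audits a constructed sample sshd_config for both settings, following sshd's rule that only lines beginning with '#' are comments.

```python
"""Audit an sshd_config for wildcard AcceptEnv patterns (CVE-2014-2532,
OpenSSH < 6.6) and 'PermitRootLogin yes'. Added example; the sample
configuration below is constructed for illustration."""
import re

# Constructed sample sshd_config. sshd keywords are case-insensitive and a
# keyword may be separated from its value by whitespace or '='.
SAMPLE_SSHD_CONFIG = """\
# constructed example config
Port 22
permitrootlogin yes
AcceptEnv LANG LC_*
AcceptEnv XMODIFIERS
#AcceptEnv FOO_*
Match User deploy
    PermitRootLogin no
"""

def parse_sshd_config(text):
    """Yield (keyword_lowercase, [values]) for every active directive.
    Directives below a Match line get a 'match:' prefix so a conditional
    override is reported separately from the global setting."""
    scope = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd: only leading '#' comments
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        values = parts[1].split() if len(parts) > 1 else []
        if key == "match":
            scope = "match:"
            continue
        yield scope + key, values

def audit_sshd_config(text):
    """Return a list of human-readable findings for the two weak settings."""
    findings = []
    for key, values in parse_sshd_config(text):
        where = " (inside Match block)" if key.startswith("match:") else ""
        name = key.split(":", 1)[-1]
        if name == "permitrootlogin" and values and values[0].lower() == "yes":
            findings.append(f"PermitRootLogin yes{where}: prefer without-password or no")
        if name == "acceptenv":
            for pat in values:
                if "*" in pat or "?" in pat:      # wildcard pattern, CVE-2014-2532
                    findings.append(f"AcceptEnv wildcard {pat!r}{where}: list exact names (CVE-2014-2532 on < 6.6)")
    return findings

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```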
