Update OpenSSH to 6.6

Thank you for taking the time to report this bug and helping to make Ubuntu better.

We're in feature freeze for Trusty now, so I'm not sure this will happen. But I note from the release notes that "This is primarily a bugfix release."

Release notes: http://www.openssh.com/txt/release-6.6
Changelog: ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog

Yes, I already have this staged in the Debian git repository and plan to land it.

12:45 <rbasak> cjwatson: any opinion on openssh 6.6? It's "primarily a bugfix release" but it seems quite late now. I
               just triaged bug 1298280.
12:45 <ubottu> bug 1298280 in openssh (Ubuntu) "Update OpenSSH to 6.6" [Wishlist,Triaged]
               https://launchpad.net/bugs/1298280
12:45 <cjwatson> rbasak: I already have it staged and plan to land it

Just as an aside as I'm not sure what the right forum for this should be but maybe Ubuntu can consider updating security packages as a separate update policy for LTS releases.

What I mean by this is given our current security climate, I feel that it's important to make sure people are using the latest packages of openssl, openssh, gnutls etc. It does not be a large list of software packages, just a set of core packages so that we get improved security all around.

Just a thought.

I wouldn't be inclined to take feature releases of openssh. We already
make sure to backport security-relevant changes; openssh upstream are
pretty good about flagging those.

This bug was fixed in the package openssh - 1:6.6p1-1

---------------
openssh (1:6.6p1-1) unstable; urgency=medium

  [ Colin Watson ]
  * Apply various warning-suppression and regression-test fixes to
    gssapi.patch from Damien Miller.
  * New upstream release (http://www.openssh.com/txt/release-6.6,
    LP: #1298280):
    - CVE-2014-2532: sshd(8): when using environment passing with an
      sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6
      could be tricked into accepting any environment variable that contains
      the characters before the wildcard character.
  * Re-enable btmp logging, as its permissions were fixed a long time ago in
    response to #370050 (closes: #341883).
  * Change to "PermitRootLogin without-password" for new installations, and
    ask a debconf question when upgrading systems with "PermitRootLogin yes"
    from previous versions (closes: #298138).
  * Debconf translations:
    - Danish (thanks, Joe Hansen).
    - Portuguese (thanks, Américo Monteiro).
    - Russian (thanks, Yuri Kozlov; closes: #742308).
    - Swedish (thanks, Andreas Rönnquist).
    - Japanese (thanks, victory).
    - German (thanks, Stephan Beck; closes: #742541).
    - Italian (thanks, Beatrice Torracca).
  * Don't start ssh-agent from the Upstart user session job if something
    like Xsession has already done so (based on work by Bruno Vasselle;
    LP: #1244736).

  [ Matthew Vernon ]
  * CVE-2014-2653: Fix failure to check SSHFP records if server presents a
    certificate (bug reported by me, patch by upstream's Damien Miller;
    thanks also to Mark Wooding for his help in fixing this) (Closes:
    #742513)

 -- Colin Watson <email address hidden> Fri, 28 Mar 2014 18:04:41 +0000