Merge openssh from Debian unstable for noble
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
Fix Released
|
Undecided
|
Miriam España Acebal |
Bug Description
Scheduled-For: Backlog
Upstream: tbd
Debian: 1:9.4p1-1
Ubuntu: 1:9.3p1-1ubuntu3
The NOT SERVER TEAM team has maintained this package in the past and may be handling this merge.
If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.
### New Debian Changes ###
openssh (1:9.4p1-1) unstable; urgency=medium
* New upstream release (https:/
- ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system library
directories.
- ssh(1): allow forwarding Unix Domain sockets via ssh -W.
- ssh(1): add support for configuration tags to ssh(1). This adds a
ssh_config(5) 'Tag' directive and corresponding 'Match tag' predicate
that may be used to select blocks of configuration similar to the
pf.conf(5) keywords of the same name.
- ssh(1): add a 'match localnetwork' predicate. This allows matching on
the addresses of available network interfaces and may be used to vary
the effective client configuration based on network location.
- ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions and
implements parsing of the new submessages. No actual extensions are
supported at this point.
- sshd(8): AuthorizedPrinc
accept two additional %-expansion sequences: %D which expands to the
routing domain of the connected session and %C which expands to the
addresses and port numbers for the source and destination of the
connection.
- ssh-keygen(1): increase the default work factor (rounds) for the
bcrypt KDF used to derive symmetric encryption keys for passphrase
protected key files by 50%.
- ssh-agent(1): improve isolation between loaded PKCS#11 modules by
running separate ssh-pkcs11-helpers for each loaded provider.
- ssh(1): make -f (fork after authentication) work correctly with
multiplexed connections, including ControlPersist (closes: #348741).
- ssh(1): make ConnectTimeout apply to multiplexing sockets and not just
to network connections.
- ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules
being loaded by checking that the requested module contains the
required symbol before loading it.
- sshd(8): fix AuthorizedPrinc
appears before it in sshd_config. Since OpenSSH 8.7 the
Authorize
situation.
- sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
signatures. When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs and
verify KRL signatues was never completed in OpenSSH. This release
removes the partially-
tools now ignore KRL_SECTION_
- All: fix a number of memory leaks and unreachable/
overflows.
- ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
modules.
- sshd(8), ssh(1): better validate CASignatureAlgo
and sshd_config. Previously this directive would accept certificate
algorithm names, but these were unusable in practice as OpenSSH does
not support CA chains.
- ssh(1): make `ssh -Q CASignatureAlgo
algorithms that are valid for CA signing. Previous behaviour was to
list all signing algorithms, including certificate algorithms.
- ssh-keyscan(1): gracefully handle systems where rlimits or the maximum
number of open files is larger than INT_MAX.
- ssh-keygen(1): fix 'no comment' not showing on when running
`ssh-keygen -l` on multiple keys where one has a comment and other
following keys do not. bz3580
- scp(1), sftp(1): adjust ftruncate() logic to handle servers that
reorder requests. Previously, if the server reordered requests then
the resultant file would be erroneously truncated.
- ssh(1): don't incorrectly disable hostname canonicalization when
Canonical
- scp(1): when copying local->remote, check that the source file exists
before opening an SFTP connection to the server (closes: #59255).
- sshd(8): provide a replacement for the SELinux matchpathcon()
function, which is deprecated.
- All: relax libcrypto version checks for OpenSSL >=3 (closes:
#1035623). Beyond OpenSSL 3.0, the ABI compatibility guarantees are
wider (only the library major must match instead of major and minor in
earlier versions).
- ssh-copy-id(1): Special case OpenWrt instead of Dropbear
(LP: #1966886).
-- Colin Watson <email address hidden> Sat, 02 Sep 2023 21:02:53 +0100
openssh (1:9.3p2-1) unstable; urgency=high
* New upstream release (https:/
- [CVE-2023-38408] Fix a condition where specific libraries loaded via
ssh-
execution via a forwarded agent socket.
-- Colin Watson <email address hidden> Wed, 19 Jul 2023 22:49:14 +0100
openssh (1:9.3p1-1) unstable; urgency=medium
* Debconf translations:
- Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178).
* Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425).
* New upstream release (https:/
- [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
added in OpenSSH 8.9, a logic error prevented the constraints from
being communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and keys
without destination constraints are unaffected. This problem was
### Old Ubuntu Delta ###
openssh (1:9.3p1-1ubuntu3) mantic; urgency=medium
* d/p/fix-
sshd ignores AuthorizedPrinc
is also set by checking if the value pointed to by the pointer
'charptr' is NULL. (LP: #2031942)
-- Michal Maloszewski <email address hidden> Thu, 24 Aug 2023 15:20:27 +0200
openssh (1:9.3p1-1ubuntu2) mantic; urgency=medium
* SECURITY UPDATE: remote code execution relating to PKCS#11 providers
- debian/
to load a PKCS#11 provider that isn't a PKCS#11 provider in
ssh-pkcs11.c.
- debian/
FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
- debian/
contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
- CVE-2023-38408
-- Marc Deslauriers <email address hidden> Mon, 24 Jul 2023 15:01:06 -0400
openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium
* Merge with Debian unstable (LP: #2025664). Remaining changes:
- debian/rules: modify dh_installsystemd invocations for
socket-
- debian/
to systemd socket options on upgrade.
- debian/
- debian/
sshd_
- debian/
when migration cannot happen due to multiple ListenAddress values
- debian/.gitignore: drop file
- debian/
socket-
- debian/
- debian/
/run/sshd creation out of the systemd unit to a tmpfile config so
that sshd can be run manually if necessary without having to create
this directory by hand.
- debian/
re-execution behavior when socket activation is used
- debian/
activation functionality.
- d/p/test-
- Ensure smooth upgrade path from versions affected by LP: #2020474:
+ debian/
and instead indicate that a reboot is required
+ debian/
+ debian/rules: Do not stop ssh.socket on upgrade
-- Nick Rosbrook <email address hidden> Mon, 03 Jul 2023 11:34:47 -0400
Related branches
- git-ubuntu bot: Approve
- Nick Rosbrook (community): Approve
- Ubuntu Sponsors: Pending requested
- Canonical Server Reporter: Pending requested
-
Diff: 1838 lines (+1213/-112)31 files modifieddebian/README.Debian (+10/-17)
debian/changelog (+299/-0)
debian/control (+2/-1)
debian/openssh-server.postinst (+193/-6)
debian/openssh-server.postrm (+4/-0)
debian/openssh-server.templates (+12/-0)
debian/openssh-server.tmpfile (+2/-0)
debian/openssh-server.ucf-md5sum (+24/-0)
debian/patches/series (+2/-0)
debian/patches/socket-activation-documentation.patch (+50/-0)
debian/patches/systemd-socket-activation.patch (+141/-49)
debian/patches/test-set-UsePAM-no-on-some-tests.patch (+41/-0)
debian/po/cs.po (+26/-1)
debian/po/da.po (+26/-1)
debian/po/de.po (+26/-1)
debian/po/es.po (+26/-1)
debian/po/fr.po (+26/-1)
debian/po/it.po (+26/-1)
debian/po/ja.po (+26/-1)
debian/po/nl.po (+26/-1)
debian/po/pt.po (+26/-1)
debian/po/pt_BR.po (+26/-1)
debian/po/ru.po (+28/-3)
debian/po/sv.po (+26/-1)
debian/po/templates.pot (+27/-2)
debian/po/tr.po (+27/-2)
debian/rules (+2/-2)
debian/systemd/ssh.service (+0/-2)
debian/tests/control (+6/-0)
debian/tests/systemd-socket-activation (+57/-0)
dev/null (+0/-17)
CVE References
Changed in openssh (Ubuntu): | |
status: | New → In Progress |
Current version in Debian Sid is 1:9.6p1-3