Merge openssh from Debian unstable for oracular

Bug #2064435 reported by Bryce Harrington
Affects: openssh (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Scheduled-For: Backlog
Upstream: tbd
Debian: 1:9.7p1-4
Ubuntu: 1:9.6p1-3ubuntu13

Other teams have maintained this package's merge in the past.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

openssh (1:9.7p1-4) unstable; urgency=medium

  * Rework systemd readiness notification and socket activation patches to
    not link against libsystemd (the former via an upstream patch).
  * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
    unsupported, but configure fails to detect this).

 -- Colin Watson <email address hidden> Wed, 03 Apr 2024 12:06:08 +0100

openssh (1:9.7p1-3) unstable; urgency=medium

  * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
    LP: #2053146).
  * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes:
    #1067243).
  * debian/tests/regress: Set a different IP address for UNKNOWN.
  * Re-enable ssh-askpass-gnome on all architectures.
  * regress: Redirect conch stdin from /dev/zero (re-enables conch interop
    tests).
  * Drop 'Work around RSA SHA-2 signature issues in conch' patch (no longer
    needed now that Twisted is fixed).

 -- Colin Watson <email address hidden> Sun, 31 Mar 2024 11:55:38 +0100

openssh (1:9.7p1-2) unstable; urgency=medium

  [ Simon McVittie ]
  * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
    (closes: #1066847).

 -- Colin Watson <email address hidden> Thu, 14 Mar 2024 11:45:12 +0000

openssh (1:9.7p1-1) unstable; urgency=medium

  * Add the isolation-container restriction to the 'regress' autopkgtest.
    Our setup code wants to ensure that the haveged service is running, and
    furthermore at least the agent-subprocess test assumes that there's an
    init to reap zombie processes and doesn't work in (e.g.)
    autopkgtest-virt-unshare.
  * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
    - ssh(1), sshd(8): add a 'global' ChannelTimeout type that watches all
      open channels and will close all open channels if there is no traffic
      on any of them for the specified interval. This is in addition to the
      existing per-channel timeouts added recently.
      This supports situations like having both session and x11 forwarding
      channels open where one may be idle for an extended period but the
      other is actively used. The global timeout could close both channels
      when both have been idle for too long (closes: #165185).
    - All: make DSA key support compile-time optional, defaulting to on.
    - sshd(8): don't append an unnecessary space to the end of subsystem
      arguments (bz3667)
    - ssh(1): fix the multiplexing 'channel proxy' mode, broken when
      keystroke timing obfuscation was added. (GHPR#463)
    - ssh(1), sshd(8): fix spurious configuration parsing errors when
      options that accept array arguments are overridden (bz3657).
    - ssh-agent(1): fix potential spin in signal handler (bz3670)
    - Many fixes to manual pages and other documentation.
    - Greatly improve interop testing against PuTTY.
  * Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
  * Allow passing extra options to debian/tests/regress, for debugging.
  * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
    (LP: #2053146).

 -- Colin Watson <email address hidden> Thu, 14 Mar 2024 10:47:58 +0000

openssh (1:9.6p1-5) unstable; urgency=medium

  * Restore systemd template unit for per-connection sshd instances,
    although without any corresponding .socket unit for now; this is mainly
    for use with the forthcoming systemd-ssh-generator (closes: #1061516).
    It's now called sshd@.service, since unlike the main service there's no
    need to be concerned about compatibility with the slightly confusing
    'ssh' service name that Debian has traditionally used.

 -- Colin Watson <email address hidden> Wed, 06 Mar 2024 09:45:56 +0000

openssh (1:9.6p1-4) unstable; urgency=medium

  * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
    test to ensure it doesn't get out of date again.
  * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
    checks for OpenSSL >= 3 in 9.4p1.
  * Build-depend on pkgconf rather than pkg-config.
  * Adjust debian/copyright to handle the 'placed in the public domain'
    status of rijndael.* more explicitly.

 -- Colin Watson <email address hidden> Mon, 26 Feb 2024 12:26:57 +0000

openssh (1:9.6p1-3) unstable; urgency=medium

  * Allow passing extra ssh-agent arguments via
    '/usr/lib/openssh/agent-launch start', making it possible to override
    things like identity lifetime using a systemd drop-in unit (closes:
    #1059639).
  * Don't try to start rescue-ssh.target in postinst (LP: #2047082).

 -- Colin Watson <email address hidden> Wed, 17 Jan 2024 22:50:07 +0000

openssh (1:9.6p1-2) unstable; urgency=medium

### Old Ubuntu Delta ###

openssh (1:9.6p1-3ubuntu13) noble; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * debian: Remove dependency on libsystemd
    From the xz backdoor we learned that the fewer dependencies sshd has,
    the better, so avoid pulling libsystemd (which also brings in various
    other dependencies) into sshd for no reason:

    - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
      dependency
    - d/p/systemd-socket-activation.patch: Import patch from debian that
      mimics the libsystemd sd_listen_fds() code, as refactored by Colin
      Watson.
    - d/control: Remove dependencies on libsystemd-dev | libelogind-dev
    - d/rules: Drop --with-systemd flag (new options are used by default)

  [ Nick Rosbrook ]
  * debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN'
    (LP: #2060150)
  * debian/openssh-server.postinst: don't re-enable ssh.socket if it was disabled
    (LP: #2059874)
  * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
    (LP: #2059872)

 -- Nick Rosbrook <email address hidden> Fri, 05 Apr 2024 15:30:31 -0400
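The libsystemd removal above (and the matching rework in Debian 1:9.7p1-4) replaces two library calls, sd_listen_fds() and sd_notify(). As an added example that is not part of the openssh packaging or of any changelog here, this is a minimal C equivalent of both, including the LISTEN_PID ownership check that keeps a stale or inherited LISTEN_* pair from being trusted; the function names are my own.

```c
/* Added example, not code from the openssh packaging: libsystemd-free stand-ins
 * for sd_listen_fds() and sd_notify("READY=1"), the two calls the reworked
 * socket-activation and readiness patches no longer need a library for. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define LISTEN_FDS_START 3 /* systemd hands activated sockets over from fd 3 */

/* Parse LISTEN_PID/LISTEN_FDS (passed as strings so the check is testable).
 * Returns the activated fd count, or 0 when absent, malformed, or addressed to
 * another pid: a stale pair inherited from a parent must never make us treat
 * random inherited fds as listening sockets. Callers should unsetenv() the
 * LISTEN_* variables afterwards so per-session children do not inherit them. */
int parse_listen_fds(const char *pid_str, const char *fds_str, pid_t self)
{
    char *end; long v;
    if (!pid_str || !fds_str || !*pid_str || !*fds_str)
        return 0;
    errno = 0;
    v = strtol(pid_str, &end, 10);
    if (errno || *end || v != (long)self)
        return 0;
    errno = 0;
    v = strtol(fds_str, &end, 10);
    if (errno || *end || v < 0 || v > INT_MAX - LISTEN_FDS_START)
        return 0;
    return (int)v;
}

/* Send one "READY=1" datagram to NOTIFY_SOCKET ('@' prefix = abstract socket).
 * Returns 1 on success, 0 when the path is unset, malformed, or unreachable. */
int notify_ready(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    size_t len = path ? strlen(path) : 0;
    int fd, ok;
    if (len == 0 || len >= sizeof(sa.sun_path) || (path[0] != '/' && path[0] != '@'))
        return 0;
    memcpy(sa.sun_path, path, len);
    if (path[0] == '@')
        sa.sun_path[0] = '\0'; /* abstract namespace: leading NUL, no trailing NUL */
    if ((fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0)
        return 0;
    ok = sendto(fd, "READY=1", 7, 0, (struct sockaddr *)&sa,
                (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len)) == 7;
    close(fd);
    return ok;
}
```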

openssh (1:9.6p1-3ubuntu12) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 09:23:28 +0000

openssh (1:9.6p1-3ubuntu11) noble; urgency=medium

  * d/t/ssh-gssapi: make the test a bit more robust (LP: #2058276):
    - deal with return codes
    - match a more specific success expression from the logs
    - add klist output in the case of failure

 -- Andreas Hasenack <email address hidden> Mon, 18 Mar 2024 10:25:15 -0300

openssh (1:9.6p1-3ubuntu10) noble; urgency=medium

  * Build again with gnome.

 -- Matthias Klose <email address hidden> Sat, 16 Mar 2024 19:30:41 +0100

openssh (1:9.6p1-3ubuntu9) noble; urgency=medium

  * d/p/gssapi.patch: fix method_gsskeyex structure and
    userauth_gsskeyex function regarding changes introduced in upstream
    commit dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for
    multiple names for authmethods') (LP: #2053146)
  * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
    and gssapi-keyex authentication methods

 -- Andreas Hasenack <email address hidden> Fri, 15 Mar 2024 16:18:01 -0300

openssh (1:9.6p1-3ubuntu8) noble; urgency=medium

  * No-change rebuild against libcom-err2

 -- Steve Langasek <email address hidden> Tue, 12 Mar 2024 20:34:07 +0000

openssh (1:9.6p1-3ubuntu7) noble; urgency=medium

  * No-change rebuild against libglib2.0-0t64

 -- Steve Langasek <email address hidden> Mon, 11 Mar 2024 23:25:42 +0000

openssh (1:9.6p1-3ubuntu6) noble; urgency=medium

  * No-change rebuild against libglib2.0-0t64

 -- Steve Langasek <email address hidden> Fri, 08 Mar 2024 06:32:05 +0000

openssh (1:9.6p1-3ubuntu5) noble; urgency=medium

  * debian/systemd/ssh.service: restore RuntimeDirectory=sshd (LP: #2055806)
    We started using a tmpfile in Ubuntu when we invoked sshd -G in
    openssh-server.postinst as a part of migration to systemd socket activation.
    Since we use a generator now, instead of invoking sshd -G, we no longer need
    this change.

 -- Nick Rosbrook <email address hidden> Thu, 07 Mar 2024 13:59:57 -0500

openssh (1:9.6p1-3ubuntu5~ppa2) noble; urgency=medium

  * Build without gnome.

 -- Matthias Klose <email address hidden> Tue, 05 Mar 2024 15:53:05 +0100

openssh (1:9.6p1-3ubuntu4) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <email address hidden> Mon, 04 Mar 2024 20:31:25 +0000

openssh (1:9.6p1-3ubuntu3) noble; urgency=medium

  * Add sshd-socket-generator to generate ssh.socket drop-in configuration
    instead of doing one-time generation on package upgrade:
    - debian/control: Build-Depends: systemd-dev
    - d/p/sshd-socket-generator.patch: add generator for socket activation
    - debian/openssh-server.install: install sshd-socket-generator
    - debian/openssh-server.postinst: handle migration to sshd-socket-generator
    - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
    - ssh.socket: adjust unit for socket activation by default
    - debian/README.Debian: update ssh.socket documentation
    - debian/rules: explicitly enable LTO
      The armhf build was not using LTO, which made sshd-socket-generator FTBFS.
      This change ensures that all arches are using LTO.
  * Drop the following changes related to previous ssh socket activation approach:
    - debian/openssh-server.postrm: remove systemd drop-ins for
      socket-activated sshd on purge
    - debian/openssh-server.templates: include debconf prompt explaining
      when migration cannot happen due to multiple ListenAddress values
    - debian/openssh-server.postinst: handle migration of sshd_config options
      to systemd socket options on upgrade.
    - debian/patches/socket-activation-documentation.patch: Document in
      sshd_config(5) that ListenAddress and Port no longer work.
  * debian/openssh-server.ucf-md5sum: update for new Ubuntu delta

 -- Nick Rosbrook <email address hidden> Wed, 21 Feb 2024 12:51:30 -0500

openssh (1:9.6p1-3ubuntu2) noble; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * debian/patches: Immediately report interactive instructions to PAM clients
  * debian/patches: sshconnect2: Write kbd-interactive messages as utf-8

 -- Julian Andres Klode <email address hidden> Thu, 15 Feb 2024 11:13:03 +0100

openssh (1:9.6p1-3ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2040406). Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd.
    - debian/openssh-server.postinst: handle migration of sshd_config
      options to systemd socket options on upgrade.
    - debian/README.Debian: document systemd socket activation.
    - debian/patches/socket-activation-documentation.patch: Document
      in sshd_config(5) that ListenAddress and Port no longer work.
    - debian/openssh-server.templates: include debconf prompt
      explaining when migration cannot happen due to multiple
      ListenAddress values.
    - debian/.gitignore: drop file.
    - debian/openssh-server.postrm: remove systemd drop-ins for
      socket-activated sshd on purge.
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
      /run/sshd creation out of the systemd unit to a tmpfile config
      so that sshd can be run manually if necessary without having to
      create this directory by hand.
    - debian/patches/systemd-socket-activation.patch: Fix sshd
      re-execution behavior when socket activation is used.
    - debian/tests/systemd-socket-activation: Add autopkgtest
      for systemd socket activation functionality.
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
      for some tests.
  * Dropped changes, fixed upstream:
    - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3
      (LP #2049552)

 -- Miriam España Acebal <email address hidden> Mon, 29 Jan 2024 11:16:31 +0100

Bryce Harrington (bryce)
Changed in openssh (Ubuntu):
milestone: none → ubuntu-24.10-beta
Bryce Harrington (bryce)
Changed in openssh (Ubuntu):
milestone: ubuntu-24.10-beta → none
description: updated