Merge openssh from Debian unstable for oracular
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssh (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Scheduled-For: Backlog
Upstream: tbd
Debian: 1:9.7p1-4
Ubuntu: 1:9.6p1-3ubuntu13
Other teams have maintained this package's merge in the past.
If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.
If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https:/
### New Debian Changes ###
openssh (1:9.7p1-4) unstable; urgency=medium
* Rework systemd readiness notification and socket activation patches to
not link against libsystemd (the former via an upstream patch).
* Force -fzero-
unsupported, but configure fails to detect this).
-- Colin Watson <email address hidden> Wed, 03 Apr 2024 12:06:08 +0100
openssh (1:9.7p1-3) unstable; urgency=medium
* Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
LP: #2053146).
* Extend -fzero-
#1067243).
* debian/
* Re-enable ssh-askpass-gnome on all architectures.
* regress: Redirect conch stdin from /dev/zero (re-enables conch interop
tests).
* Drop 'Work around RSA SHA-2 signature issues in conch' patch (no longer
needed now that Twisted is fixed).
-- Colin Watson <email address hidden> Sun, 31 Mar 2024 11:55:38 +0100
openssh (1:9.7p1-2) unstable; urgency=medium
[ Simon McVittie ]
* d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
(closes: #1066847).
-- Colin Watson <email address hidden> Thu, 14 Mar 2024 11:45:12 +0000
openssh (1:9.7p1-1) unstable; urgency=medium
* Add the isolation-container restriction to the 'regress' autopkgtest.
Our setup code wants to ensure that the haveged service is running, and
furthermore at least the agent-subprocess test assumes that there's an
init to reap zombie processes and doesn't work in (e.g.)
autopkgtest
* New upstream release (https:/
- ssh(1), sshd(8): add a 'global' ChannelTimeout type that watches all
open channels and will close all open channels if there is no traffic
on any of them for the specified interval. This is in addition to the
existing per-channel timeouts added recently.
This supports situations like having both session and x11 forwarding
channels open where one may be idle for an extended period but the
other is actively used. The global timeout could close both channels
when both have been idle for too long (closes: #165185).
- All: make DSA key support compile-time optional, defaulting to on.
- sshd(8): don't append an unnecessary space to the end of subsystem
arguments (bz3667)
- ssh(1): fix the multiplexing 'channel proxy' mode, broken when
keystroke timing obfuscation was added. (GHPR#463)
- ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).
- ssh-agent(1): fix potential spin in signal handler (bz3670)
- Many fixes to manual pages and other documentation.
- Greatly improve interop testing against PuTTY.
* Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
* Allow passing extra options to debian/
* Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
(LP: #2053146).
-- Colin Watson <email address hidden> Thu, 14 Mar 2024 10:47:58 +0000
openssh (1:9.6p1-5) unstable; urgency=medium
* Restore systemd template unit for per-connection sshd instances,
although without any corresponding .socket unit for now; this is mainly
for use with the forthcoming systemd-
It's now called sshd@.service, since unlike the main service there's no
need to be concerned about compatibility with the slightly confusing
'ssh' service name that Debian has traditionally used.
-- Colin Watson <email address hidden> Wed, 06 Mar 2024 09:45:56 +0000
openssh (1:9.6p1-4) unstable; urgency=medium
* Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
test to ensure it doesn't get out of date again.
* Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
checks for OpenSSL >= 3 in 9.4p1.
* Build-depend on pkgconf rather than pkg-config.
* Adjust debian/copyright to handle the 'placed in the public domain'
status of rijndael.* more explicitly.
-- Colin Watson <email address hidden> Mon, 26 Feb 2024 12:26:57 +0000
openssh (1:9.6p1-3) unstable; urgency=medium
* Allow passing extra ssh-agent arguments via
'/usr/
things like identity lifetime using a systemd drop-in unit (closes:
#1059639).
* Don't try to start rescue-ssh.target in postinst (LP: #2047082).
-- Colin Watson <email address hidden> Wed, 17 Jan 2024 22:50:07 +0000
openssh (1:9.6p1-2) unstable; urgency=medium
### Old Ubuntu Delta ###
openssh (1:9.6p1-3ubuntu13) noble; urgency=medium
[ Marco Trevisan (Treviño) ]
* debian: Remove dependency on libsystemd
As per the xz backdoor we learned that the fewer dependencies sshd has,
the better it is, so avoid plugging libsystemd (which also brings various
other dependencies) into sshd for no reason:
- d/p/systemd-
dependency
- d/p/systemd-
mimics the libsystemd sd_listen_fds() code, as refactored by Colin
Watson.
- d/control: Remove dependencies on libsystemd-dev | libelogind-dev
- d/rules: Drop --with-systemd flag (new options are used by default)
[ Nick Rosbrook ]
* debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN'
(LP: #2060150)
* debian/
(LP: #2059874)
* d/p/sshd-
(LP: #2059872)
-- Nick Rosbrook <email address hidden> Fri, 05 Apr 2024 15:30:31 -0400
openssh (1:9.6p1-3ubuntu12) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <email address hidden> Sun, 31 Mar 2024 09:23:28 +0000
openssh (1:9.6p1-3ubuntu11) noble; urgency=medium
* d/t/ssh-gssapi: make the test a bit more robust (LP: #2058276):
- deal with return codes
- match a more specific success expression from the logs
- add klist output in the case of failure
-- Andreas Hasenack <email address hidden> Mon, 18 Mar 2024 10:25:15 -0300
openssh (1:9.6p1-3ubuntu10) noble; urgency=medium
* Build again with gnome.
-- Matthias Klose <email address hidden> Sat, 16 Mar 2024 19:30:41 +0100
openssh (1:9.6p1-3ubuntu9) noble; urgency=medium
* d/p/gssapi.patch: fix method_gsskeyex structure and
userauth_
commit dbb339f015c33d6
multiple names for authmethods') (LP: #2053146)
* d/t/{ssh-
and gssapi-keyex authentication methods
-- Andreas Hasenack <email address hidden> Fri, 15 Mar 2024 16:18:01 -0300
openssh (1:9.6p1-3ubuntu8) noble; urgency=medium
* No-change rebuild against libcom-err2
-- Steve Langasek <email address hidden> Tue, 12 Mar 2024 20:34:07 +0000
openssh (1:9.6p1-3ubuntu7) noble; urgency=medium
* No-change rebuild against libglib2.0-0t64
-- Steve Langasek <email address hidden> Mon, 11 Mar 2024 23:25:42 +0000
openssh (1:9.6p1-3ubuntu6) noble; urgency=medium
* No-change rebuild against libglib2.0-0t64
-- Steve Langasek <email address hidden> Fri, 08 Mar 2024 06:32:05 +0000
openssh (1:9.6p1-3ubuntu5) noble; urgency=medium
* debian/
We started using a tmpfile in Ubuntu when we invoked sshd -G in
openssh-
Since we use a generator now, instead of invoking sshd -G, we no longer need
this change.
-- Nick Rosbrook <email address hidden> Thu, 07 Mar 2024 13:59:57 -0500
openssh (1:9.6p1-
* Build without gnome.
-- Matthias Klose <email address hidden> Tue, 05 Mar 2024 15:53:05 +0100
openssh (1:9.6p1-3ubuntu4) noble; urgency=medium
* No-change rebuild against libssl3t64
-- Steve Langasek <email address hidden> Mon, 04 Mar 2024 20:31:25 +0000
openssh (1:9.6p1-3ubuntu3) noble; urgency=medium
* Add sshd-socket-
instead of doing one-time generation on package upgrade:
- debian/control: Build-Depends: systemd-dev
- d/p/sshd-
- debian/
- debian/
- d/t/sshd-
- ssh.socket: adjust unit for socket activation by default
- debian/
- debian/rules: explicitly enable LTO
The armhf build was not using LTO, which made sshd-socket-
This change ensures that all arches are using LTO.
* Drop the following changes related to previous ssh socket activation approach:
- debian/
socket-
- debian/
when migration cannot happen due to multiple ListenAddress values
- debian/
to systemd socket options on upgrade.
- debian/
sshd_
* debian/
-- Nick Rosbrook <email address hidden> Wed, 21 Feb 2024 12:51:30 -0500
openssh (1:9.6p1-3ubuntu2) noble; urgency=medium
[ Marco Trevisan (Treviño) ]
* debian/patches: Immediately report interactive instructions to PAM clients
* debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
-- Julian Andres Klode <email address hidden> Thu, 15 Feb 2024 11:13:03 +0100
openssh (1:9.6p1-3ubuntu1) noble; urgency=medium
* Merge with Debian unstable (LP: #2040406). Remaining changes:
- debian/rules: modify dh_installsystemd invocations for
socket-
- debian/
options to systemd socket options on upgrade.
- debian/
- debian/
in sshd_config(5) that ListenAddress and Port no longer work.
- debian/
explaining when migration cannot happen due to multiple
ListenAddress values.
- debian/.gitignore: drop file.
- debian/
socket-
- debian/
- debian/
/run/sshd creation out of the systemd unit to a tmpfile config
so that sshd can be run manually if necessary without having to
create this directory by hand.
- debian/
re-execution behavior when socket activation is used.
- debian/
for systemd socket activation functionality.
- d/p/test-
for some tests.
* Dropped changes, fixed upstream:
- d/p/fix-
(LP #2049552)
-- Miriam España Acebal <email address hidden> Mon, 29 Jan 2024 11:16:31 +0100
Changed in openssh (Ubuntu):
milestone: none → ubuntu-24.10-beta
Changed in openssh (Ubuntu):
milestone: ubuntu-24.10-beta → none
description: updated