Merge openssh from Debian unstable for plucky

Bug #2085261 reported by Bryce Harrington
Affects: openssh (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Nick Rosbrook
Milestone: (none set)

Bug Description

Scheduled-For: Backlog
Upstream: tbd
Debian: 1:9.9p1-2
Ubuntu: 1:9.7p1-7ubuntu4

The foundations team has maintained this package's merge in the past.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the Jammy Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

openssh (1:9.9p1-2) unstable; urgency=medium

  * Don't prefer host-bound public key signatures if there was no initial
    host key, as is the case when using GSS-API key exchange (closes:
    #1041521).
  * Use runuser rather than sudo in autopkgtests where possible, avoiding a
    dependency.

 -- Colin Watson <email address hidden> Mon, 21 Oct 2024 18:24:07 +0100

openssh (1:9.9p1-1) unstable; urgency=medium

  * Alias the old Debian-specific SetupTimeOut client option to
    ConnectTimeout rather than to ServerAliveInterval.
  * New upstream release (https://www.openssh.com/releasenotes.html#9.9p1):
    - ssh(1): remove support for pre-authentication compression.
    - ssh(1), sshd(8): processing of the arguments to the 'Match'
      configuration directive now follows more shell-like rules for quoted
      strings, including allowing nested quotes and /-escaped characters.
    - ssh(1), sshd(8): add support for a new hybrid post-quantum key
      exchange based on the FIPS 203 Module-Lattice Key Encapsulation
      mechanism (ML-KEM) combined with X25519 ECDH as described by
      https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
      This algorithm 'mlkem768x25519-sha256' is available by default.
    - ssh(1): the ssh_config 'Include' directive can now expand environment
      as well as the same set of %-tokens 'Match Exec' supports.
    - sshd(8): add a sshd_config 'RefuseConnection' option that, if set, will
      terminate the connection at the first authentication request.
    - sshd(8): add a 'refuseconnection' penalty class to sshd_config
      PerSourcePenalties that is applied when a connection is dropped by the
      new RefuseConnection keyword.
    - sshd(8): add a 'Match invalid-user' predicate to sshd_config Match
      options that matches when the target username is not valid on the
      server.
    - ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
      substantially faster implementation.
    - ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key exchange
      algorithm now has an IANA-assigned name in addition to the
      '@openssh.com' vendor extension name. This algorithm is now also
      available under this name 'sntrup761x25519-sha512'.
    - ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
      included in core dump files for most of their lifespans. This is in
      addition to pre-existing controls in ssh-agent(1) and sshd(8) that
      prevented coredumps.
    - All: convert key handling to use the libcrypto EVP_PKEY API, with the
      exception of DSA.
    - sshd(8): add a random amount of jitter (up to 4 seconds) to the grace
      login time to make its expiry unpredictable.
    - sshd(8): fix regression introduced in openssh-9.8 that swapped the
      order of source and destination addresses in some sshd log messages.
    - sshd(8): do not apply authorized_keys options when signature
      verification fails. Prevents more restrictive key options being
      incorrectly applied to subsequent keys in authorized_keys.
    - ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
      prompts. Helps the user know what's going on when ssh-keygen is
      invoked via other tools.
    - ssh(1), ssh-add(1): make parsing user@host consistently look for the
      last '@' in the string rather than the first. This makes it possible
      to more consistently use usernames that contain '@' characters.
    - ssh(1), sshd(8): be more strict in parsing key type names. Only allow
      short names (e.g. 'rsa') in user-interface code and require full SSH
      protocol names (e.g. 'ssh-rsa') everywhere else.
    - regress: many performance and correctness improvements to the
      re-keying regression test.
    - ssh-keygen(1): clarify that ed25519 is the default key type generated
      and clarify that rsa-sha2-512 is the default signature scheme when RSA
      is in use.
    - sshd(8): fix minor memory leak in Subsystem option parsing.
    - All: additional hardening and consistency checks for the sshbuf code.
    - sshd(8): reduce default logingrace penalty to ensure that a single
      forgotten login that times out will be below the penalty threshold.
    - ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started with
      ControlPersist then later has a forwarding added using mux proxy
      connection and the forwarding was used, then when the mux proxy
      session terminated, the mux master process would issue a bad message
      that terminated the connection.
    - Sync contrib/ssh-copy-id to the latest upstream version.
    - sshd(8): restore audit call before exit that regressed in openssh-9.8.
      Fixes an issue where the SSH_CONNECTION_ABANDON event was not
      recorded.
    - Fix detection of setres*id on GNU/Hurd.

 -- Colin Watson <email address hidden> Mon, 23 Sep 2024 21:09:59 -0700

openssh (1:9.8p1-8) unstable; urgency=medium

  * Source-only reupload.

 -- Colin Watson <email address hidden> Fri, 30 Aug 2024 00:38:26 +0100

openssh (1:9.8p1-7) unstable; urgency=medium

  * Adjust description line-wrapping so that lintian recognizes that
    openssh-client-gssapi is an intentionally empty package.

 -- Colin Watson <email address hidden> Thu, 29 Aug 2024 14:17:13 +0100

openssh (1:9.8p1-6) unstable; urgency=medium

  * Upload with binaries to satisfy Debian archive NEW checks.

### Old Ubuntu Delta ###

openssh (1:9.7p1-7ubuntu4) oracular; urgency=medium

  * Explicitly listen on IPv4 by default, with socket-activated sshd
    (LP: #2080216)
    - d/systemd/ssh.socket: explicitly listen on ipv4 by default
    - d/t/sshd-socket-generator: update for new defaults and AddressFamily
    - sshd-socket-generator: handle new ssh.socket default settings
  * d/p/systemd-socket-activation.patch: always close newsock fd before re-exec

 -- Nick Rosbrook <email address hidden> Tue, 01 Oct 2024 14:45:28 -0400

openssh (1:9.7p1-7ubuntu3) oracular; urgency=medium

  * sshd-socket-generator: do not parse server match config (LP: #2076023)

 -- Nick Rosbrook <email address hidden> Tue, 27 Aug 2024 15:54:41 -0400

openssh (1:9.7p1-7ubuntu2) oracular; urgency=medium

  * d/p/test-set-UsePAM-no-on-some-tests.patch: restore patch
    This was mistakenly dropped in the merge from Debian after
    testing locally only.

 -- Nick Rosbrook <email address hidden> Wed, 31 Jul 2024 10:20:23 -0400

openssh (1:9.7p1-7ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064435). Remaining changes:
    - Make systemd socket activation the default:
      + debian/rules: modify dh_installsystemd invocations for
        socket-activated sshd
      + debian/README.Debian: document systemd socket activation.
      + debian/patches/systemd-socket-activation.patch: Fix sshd
        re-execution behavior when socket activation is used
      + debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
        activation functionality.
      + debian/control: Build-Depends: systemd-dev
      + d/p/sshd-socket-generator.patch: add generator for socket activation
      + debian/openssh-server.install: install sshd-socket-generator
      + debian/openssh-server.postinst: handle migration to sshd-socket-generator
      + d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
      + ssh.socket: adjust unit for socket activation by default
      + debian/rules: explicitly enable LTO
    - debian/.gitignore: drop file
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/patches: Immediately report interactive instructions to PAM clients
    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
    - d/t/ssh-gssapi: disable -e in cleanup()
    - SECURITY UPDATE: timing attack against echo-off password entry
      + debian/patches/CVE-2024-39894.patch: don't rely on
        channel_did_enqueue in clientloop.c
      + CVE-2024-39894
  * Dropped changes, included in Debian:
    - debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN'
    - Remove deprecated user_readenv=1 setting (LP #2059859):
      + d/openssh-server.sshd.pam.in: drop user_readenv=1, which was
        deprecated by pam_env upstream. Openssh has the SendEnv and AcceptEnv
        configuration options that can be used to replace this feature, and
        are in the default config already
      + d/NEWS: update about this change in behavior
    - debian: Remove dependency on libsystemd
    - d/p/gssapi.patch: fix method_gsskeyex structure and
      userauth_gsskeyex function regarding changes introduced in upstream
      commit dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for
      multiple names for authmethods') (LP #2053146)
    - d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
      and gssapi-keyex authentication methods
    - SECURITY UPDATE: remote code execution via signal handler race
      condition (LP #2070497)
      + debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
      + CVE-2024-6387
  * Dropped changes, no longer needed:
    - debian/openssh-server.postinst: ucf workaround for LP #1968873
      [affected upgrade path not supported]
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
      for some tests.

 -- Nick Rosbrook <email address hidden> Mon, 29 Jul 2024 15:19:02 -0400
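The three sshd additions listed in the 9.9p1-1 entry above (the 'Match invalid-user' predicate, the 'RefuseConnection' keyword and the 'refuseconnection' penalty class) are meant to be combined. The fragment below is an added sshd_config example, not part of the Debian or Ubuntu packaging; the penalty durations and the exempt address ranges are illustrative values chosen here, not OpenSSH defaults.

```sshd_config
# Added example (not from the changelog): combine three OpenSSH 9.9 features.
# Global penalty policy. Durations are illustrative choices, not defaults.
# 'refuseconnection' is charged when a connection is dropped by RefuseConnection;
# 'min'/'max' bound how long a source stays blocked.
PerSourcePenalties authfail:5s refuseconnection:30s min:15s max:10m

# Penalties are keyed by client source address, so many clients behind one
# NAT share a single penalty. Exempt known management ranges (constructed
# RFC 5737 / RFC 3849 documentation addresses used here as placeholders).
PerSourcePenaltyExemptList 192.0.2.0/24 2001:db8::/32

# Usernames that do not exist on this host are dropped at the first
# authentication request, before any authentication method is attempted,
# and the source address is charged the 'refuseconnection' penalty above.
Match invalid-user
    RefuseConnection yes
```

Check the effective configuration with `sshd -T -C user=nosuchuser,host=example,addr=192.0.2.10` before reloading, since a too-aggressive penalty policy can lock out legitimate clients that share a source address.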

Bryce Harrington (bryce)
summary: - Merge openssh from Debian unstable for jammy
+ Merge openssh from Debian unstable for plucky
Nick Rosbrook (enr0n) wrote :

I will plan on doing this.

Changed in openssh (Ubuntu):
assignee: nobody → Nick Rosbrook (enr0n)
tags: added: foundations-todo