openssh 1:8.3p1-1 source package in Ubuntu
Changelog
openssh (1:8.3p1-1) unstable; urgency=medium * New upstream release (https://www.openssh.com/txt/release-8.3): - [SECURITY] scp(1): when receiving files, scp(1) could become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout. - sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks. - ssh(1): add %TOKEN percent expansion for the LocalForward and RemoteForward keywords when used for Unix domain socket forwarding. - all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. - ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path". - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a PKCS11Provider. - ssh-keygen(1): avoid NULL dereference when trying to convert an invalid RFC4716 private key. - scp(1): when performing remote-to-remote copies using "scp -3", start the second ssh(1) channel with BatchMode=yes enabled to avoid confusing and non-deterministic ordering of prompts. - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token, perform hashing of the message to be signed in the middleware layer rather than in OpenSSH code. This permits the use of security key middlewares that perform the hashing implicitly, such as Windows Hello. - ssh(1): fix incorrect error message for "too many known hosts files." - ssh(1): make failures when establishing "Tunnel" forwarding terminate the connection when ExitOnForwardFailure is enabled. - ssh-keygen(1): fix printing of fingerprints on private keys and add a regression test for same. - sshd(8): document order of checking AuthorizedKeysFile (first) and AuthorizedKeysCommand (subsequently, if the file doesn't match). - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not considered for HostbasedAuthentication when the target user is root. - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key parsing. - ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted in various configuration options. - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11 C_Login failure cases. - ssh(1), sshd(8): make error messages for problems during SSH banner exchange consistent with other SSH transport-layer error messages and ensure they include the relevant IP addresses. - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a token, don't prompt for a PIN until the token has told us that it needs one. Avoids double-prompting on devices that implement on-device authentication (closes: #932071). - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option should be an extension, not a critical option. - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when trying to use a FIDO key function and SecurityKeyProvider is empty. - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32). Prevents integer wraparound of the timeout values. - ssh(1): detect and prevent trivial configuration loops when using ProxyJump. bz#3057. - On platforms that do not support setting process-wide routing domains (all excepting OpenBSD at present), fail to accept a configuration attempts to set one at process start time rather than fatally erroring at run time. - Fix theoretical infinite loop in the glob(3) replacement implementation. * Update GSSAPI key exchange patch from https://github.com/openssh-gsskex/openssh-gsskex: - Fix connection through ProxyJump in combination with "GSSAPITrustDNS yes". - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732 was published. * Fix or suppress various shellcheck errors under debian/. * Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP. * Apply upstream patch to fix the handling of Port directives after Include (closes: #962035, LP: #1876320). -- Colin Watson <email address hidden> Sun, 07 Jun 2020 13:44:04 +0100
Upload details
- Uploaded by:
- Debian OpenSSH Maintainers
- Uploaded to:
- Sid
- Original maintainer:
- Debian OpenSSH Maintainers
- Architectures:
- any all
- Section:
- net
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
openssh_8.3p1-1.dsc | 3.3 KiB | 7a0f9f0001d10bf6270b47e1c0c75d82e118234609bb75233ffd08877d0d3186 |
openssh_8.3p1.orig.tar.gz | 1.6 MiB | f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2 |
openssh_8.3p1.orig.tar.gz.asc | 683 bytes | c5a5f84a482c93ee59eccb8f9f76b6c70eed56fd9b059fc72b3184effa8135f5 |
openssh_8.3p1-1.debian.tar.xz | 172.1 KiB | edeb381f43f9b4399fa34f3fab40d60617f3391774304493f2ee7a8dba214ba9 |
Available diffs
No changes file available.
Binary packages built by this source
- openssh-client: No summary available for openssh-client in ubuntu groovy.
No description available for openssh-client in ubuntu groovy.
- openssh-client-dbgsym: No summary available for openssh-client-dbgsym in ubuntu groovy.
No description available for openssh-
client- dbgsym in ubuntu groovy.
- openssh-client-udeb: No summary available for openssh-client-udeb in ubuntu groovy.
No description available for openssh-client-udeb in ubuntu groovy.
- openssh-server: No summary available for openssh-server in ubuntu hirsute.
No description available for openssh-server in ubuntu hirsute.
- openssh-server-dbgsym: No summary available for openssh-server-dbgsym in ubuntu hirsute.
No description available for openssh-
server- dbgsym in ubuntu hirsute.
- openssh-server-udeb: No summary available for openssh-server-udeb in ubuntu hirsute.
No description available for openssh-server-udeb in ubuntu hirsute.
- openssh-sftp-server: No summary available for openssh-sftp-server in ubuntu groovy.
No description available for openssh-sftp-server in ubuntu groovy.
- openssh-sftp-server-dbgsym: No summary available for openssh-sftp-server-dbgsym in ubuntu groovy.
No description available for openssh-
sftp-server- dbgsym in ubuntu groovy.
- openssh-tests: No summary available for openssh-tests in ubuntu groovy.
No description available for openssh-tests in ubuntu groovy.
- openssh-tests-dbgsym: No summary available for openssh-tests-dbgsym in ubuntu hirsute.
No description available for openssh-
tests-dbgsym in ubuntu hirsute.
- ssh: No summary available for ssh in ubuntu groovy.
No description available for ssh in ubuntu groovy.
- ssh-askpass-gnome: No summary available for ssh-askpass-gnome in ubuntu hirsute.
No description available for ssh-askpass-gnome in ubuntu hirsute.
- ssh-askpass-gnome-dbgsym: No summary available for ssh-askpass-gnome-dbgsym in ubuntu groovy.
No description available for ssh-askpass-
gnome-dbgsym in ubuntu groovy.