Author: Ubuntu Git Importer
Author Date: 2018-09-13 11:26:53 UTC

DSC file for 1:7.2p2-4ubuntu2.5

Author: Karl Stenerud
Author Date: 2018-08-21 17:45:26 UTC

Import patches-unapplied version 1:7.2p2-4ubuntu2.5 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Upload parent: 5c1b475e48084fa29210e93681329901fcbc9186

Author: Karl Stenerud
Author Date: 2018-08-21 17:45:26 UTC

Import patches-unapplied version 1:7.2p2-4ubuntu2.5 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Upload parent: 5c1b475e48084fa29210e93681329901fcbc9186

Author: Karl Stenerud
Author Date: 2018-08-21 17:45:26 UTC

Import patches-unapplied version 1:7.2p2-4ubuntu2.5 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Upload parent: 5c1b475e48084fa29210e93681329901fcbc9186

Author: Ubuntu Git Importer
Author Date: 2018-09-03 17:10:14 UTC

DSC file for 1:7.8p1-1

Author: Colin Watson
Author Date: 2018-08-30 14:35:27 UTC

Import patches-applied version 1:7.8p1-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: b900a0f45f45ebd9922a48f6b7efcdd098b21fa3
Unapplied parent: 309157500b452796cd3f2083781eb6cd0ec7e924

New changelog entries:
  * New upstream release (https://www.openssh.com/txt/release-7.8, closes:
    #907534):
    - ssh-keygen(1): Write OpenSSH format private keys by default instead of
      using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
      supported in OpenSSH releases since 2014 and described in the
      PROTOCOL.key file in the source distribution, offers substantially
      better protection against offline password guessing and supports key
      comments in private keys. If necessary, it is possible to write old
      PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
      generating or updating a key.
    - sshd(8): Remove internal support for S/Key multiple factor
      authentication. S/Key may still be used via PAM or BSD auth.
    - ssh(1): Remove vestigial support for running ssh(1) as setuid. This
      used to be required for hostbased authentication and the (long gone)
      rhosts-style authentication, but has not been necessary for a long
      time. Attempting to execute ssh as a setuid binary, or with uid !=
      effective uid will now yield a fatal error at runtime.
    - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
      HostbasedAcceptedKeyTypes options have changed. These now specify
      signature algorithms that are accepted for their respective
      authentication mechanism, where previously they specified accepted key
      types. This distinction matters when using the RSA/SHA2 signature
      algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
      counterparts. Configurations that override these options but omit
      these algorithm names may cause unexpected authentication failures (no
      action is required for configurations that accept the default for
      these options).
    - sshd(8): The precedence of session environment variables has changed.
      ~/.ssh/environment and environment="..." options in authorized_keys
      files can no longer override SSH_* variables set implicitly by sshd.
    - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
      will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
      a detailed rationale, please see the commit message:
      https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
    - ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
      v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly
      force use of RSA/SHA2 signatures in authentication.
    - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
      of environment variable names in addition to global "yes" or "no"
      settings.
    - sshd(8): Add a PermitListen directive to sshd_config(5) and a
      corresponding permitlisten= authorized_keys option that control which
      listen addresses and port numbers may be used by remote forwarding
      (ssh -R ...).
    - sshd(8): Add some countermeasures against timing attacks used for
      account validation/enumeration. sshd will enforce a minimum time or
      each failed authentication attempt consisting of a global 5ms minimum
      plus an additional per-user 0-4ms delay derived from a host secret.
    - sshd(8): Add a SetEnv directive to allow an administrator to
      explicitly specify environment variables in sshd_config. Variables
      set by SetEnv override the default and client-specified environment.
    - ssh(1): Add a SetEnv directive to request that the server sets an
      environment variable in the session. Similar to the existing SendEnv
      option, these variables are set subject to server configuration.
    - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
      previously marked for sending to the server (closes: #573316).
    - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
      the username is available currently.
    - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
      functionality.
    - sshd(8): Avoid observable differences in request parsing that could be
      used to determine whether a target user is valid.
    - ssh(1)/sshd(8): Fix some memory leaks.
    - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
      occur during key loading, manifesting as crash on some platforms.
    - sshd_config(5): Clarify documentation for AuthenticationMethods
      option.
    - ssh(1): Ensure that the public key algorithm sent in a public key
      SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
      Previously, these could be inconsistent when a legacy or non-OpenSSH
      ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
      signature.
    - sshd(8): Fix failures to read authorized_keys caused by faulty
      supplemental group caching.
    - scp(1): Apply umask to directories, fixing potential mkdir/chmod race
      when copying directory trees.
    - ssh-keygen(1): Return correct exit code when searching for and hashing
      known_hosts entries in a single operation.
    - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
      re-executing ssh for ProxyJump.
    - sshd(8): Do not ban PTY allocation when a sshd session is restricted
      because the user password is expired as it breaks password change
      dialog.
    - ssh(1)/sshd(8): Fix error reporting from select() failures.
    - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
      -w implicitly sets Tunnel=point-to-point.
    - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
      will no longer spin when its file descriptor limit is exceeded.
    - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
      clients. Twisted Conch versions that lack a version number in their
      identification strings will mishandle these messages when running on
      Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
    - sftp(1): Notify user immediately when underlying ssh process dies
      expectedly.
    - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
    - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
      fails to accept(2) a connection.
    - ssh(1): Add some missing options in the configuration dump output (ssh
      -G).
    - sshd(8): Expose details of completed authentication to PAM auth
      modules via SSH_AUTH_INFO_0 in the PAM environment.
  * Switch debian/watch to HTTPS.
  * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
    regression tests.

Author: Colin Watson
Author Date: 2018-08-30 14:35:27 UTC

Import patches-applied version 1:7.8p1-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: b900a0f45f45ebd9922a48f6b7efcdd098b21fa3
Unapplied parent: 309157500b452796cd3f2083781eb6cd0ec7e924

New changelog entries:
  * New upstream release (https://www.openssh.com/txt/release-7.8, closes:
    #907534):
    - ssh-keygen(1): Write OpenSSH format private keys by default instead of
      using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
      supported in OpenSSH releases since 2014 and described in the
      PROTOCOL.key file in the source distribution, offers substantially
      better protection against offline password guessing and supports key
      comments in private keys. If necessary, it is possible to write old
      PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
      generating or updating a key.
    - sshd(8): Remove internal support for S/Key multiple factor
      authentication. S/Key may still be used via PAM or BSD auth.
    - ssh(1): Remove vestigial support for running ssh(1) as setuid. This
      used to be required for hostbased authentication and the (long gone)
      rhosts-style authentication, but has not been necessary for a long
      time. Attempting to execute ssh as a setuid binary, or with uid !=
      effective uid will now yield a fatal error at runtime.
    - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
      HostbasedAcceptedKeyTypes options have changed. These now specify
      signature algorithms that are accepted for their respective
      authentication mechanism, where previously they specified accepted key
      types. This distinction matters when using the RSA/SHA2 signature
      algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
      counterparts. Configurations that override these options but omit
      these algorithm names may cause unexpected authentication failures (no
      action is required for configurations that accept the default for
      these options).
    - sshd(8): The precedence of session environment variables has changed.
      ~/.ssh/environment and environment="..." options in authorized_keys
      files can no longer override SSH_* variables set implicitly by sshd.
    - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
      will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
      a detailed rationale, please see the commit message:
      https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
    - ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
      v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly
      force use of RSA/SHA2 signatures in authentication.
    - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
      of environment variable names in addition to global "yes" or "no"
      settings.
    - sshd(8): Add a PermitListen directive to sshd_config(5) and a
      corresponding permitlisten= authorized_keys option that control which
      listen addresses and port numbers may be used by remote forwarding
      (ssh -R ...).
    - sshd(8): Add some countermeasures against timing attacks used for
      account validation/enumeration. sshd will enforce a minimum time or
      each failed authentication attempt consisting of a global 5ms minimum
      plus an additional per-user 0-4ms delay derived from a host secret.
    - sshd(8): Add a SetEnv directive to allow an administrator to
      explicitly specify environment variables in sshd_config. Variables
      set by SetEnv override the default and client-specified environment.
    - ssh(1): Add a SetEnv directive to request that the server sets an
      environment variable in the session. Similar to the existing SendEnv
      option, these variables are set subject to server configuration.
    - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
      previously marked for sending to the server (closes: #573316).
    - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
      the username is available currently.
    - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
      functionality.
    - sshd(8): Avoid observable differences in request parsing that could be
      used to determine whether a target user is valid.
    - ssh(1)/sshd(8): Fix some memory leaks.
    - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
      occur during key loading, manifesting as crash on some platforms.
    - sshd_config(5): Clarify documentation for AuthenticationMethods
      option.
    - ssh(1): Ensure that the public key algorithm sent in a public key
      SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
      Previously, these could be inconsistent when a legacy or non-OpenSSH
      ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
      signature.
    - sshd(8): Fix failures to read authorized_keys caused by faulty
      supplemental group caching.
    - scp(1): Apply umask to directories, fixing potential mkdir/chmod race
      when copying directory trees.
    - ssh-keygen(1): Return correct exit code when searching for and hashing
      known_hosts entries in a single operation.
    - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
      re-executing ssh for ProxyJump.
    - sshd(8): Do not ban PTY allocation when a sshd session is restricted
      because the user password is expired as it breaks password change
      dialog.
    - ssh(1)/sshd(8): Fix error reporting from select() failures.
    - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
      -w implicitly sets Tunnel=point-to-point.
    - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
      will no longer spin when its file descriptor limit is exceeded.
    - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
      clients. Twisted Conch versions that lack a version number in their
      identification strings will mishandle these messages when running on
      Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
    - sftp(1): Notify user immediately when underlying ssh process dies
      expectedly.
    - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
    - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
      fails to accept(2) a connection.
    - ssh(1): Add some missing options in the configuration dump output (ssh
      -G).
    - sshd(8): Expose details of completed authentication to PAM auth
      modules via SSH_AUTH_INFO_0 in the PAM environment.
  * Switch debian/watch to HTTPS.
  * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
    regression tests.

Author: Colin Watson
Author Date: 2018-08-30 14:35:27 UTC

Import patches-unapplied version 1:7.8p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 8eb0683ac4352aae1f74630d1c3887d58882ec79

New changelog entries:
  * New upstream release (https://www.openssh.com/txt/release-7.8, closes:
    #907534):
    - ssh-keygen(1): Write OpenSSH format private keys by default instead of
      using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
      supported in OpenSSH releases since 2014 and described in the
      PROTOCOL.key file in the source distribution, offers substantially
      better protection against offline password guessing and supports key
      comments in private keys. If necessary, it is possible to write old
      PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
      generating or updating a key.
    - sshd(8): Remove internal support for S/Key multiple factor
      authentication. S/Key may still be used via PAM or BSD auth.
    - ssh(1): Remove vestigial support for running ssh(1) as setuid. This
      used to be required for hostbased authentication and the (long gone)
      rhosts-style authentication, but has not been necessary for a long
      time. Attempting to execute ssh as a setuid binary, or with uid !=
      effective uid will now yield a fatal error at runtime.
    - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
      HostbasedAcceptedKeyTypes options have changed. These now specify
      signature algorithms that are accepted for their respective
      authentication mechanism, where previously they specified accepted key
      types. This distinction matters when using the RSA/SHA2 signature
      algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
      counterparts. Configurations that override these options but omit
      these algorithm names may cause unexpected authentication failures (no
      action is required for configurations that accept the default for
      these options).
    - sshd(8): The precedence of session environment variables has changed.
      ~/.ssh/environment and environment="..." options in authorized_keys
      files can no longer override SSH_* variables set implicitly by sshd.
    - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
      will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
      a detailed rationale, please see the commit message:
      https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
    - ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
      v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly
      force use of RSA/SHA2 signatures in authentication.
    - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
      of environment variable names in addition to global "yes" or "no"
      settings.
    - sshd(8): Add a PermitListen directive to sshd_config(5) and a
      corresponding permitlisten= authorized_keys option that control which
      listen addresses and port numbers may be used by remote forwarding
      (ssh -R ...).
    - sshd(8): Add some countermeasures against timing attacks used for
      account validation/enumeration. sshd will enforce a minimum time or
      each failed authentication attempt consisting of a global 5ms minimum
      plus an additional per-user 0-4ms delay derived from a host secret.
    - sshd(8): Add a SetEnv directive to allow an administrator to
      explicitly specify environment variables in sshd_config. Variables
      set by SetEnv override the default and client-specified environment.
    - ssh(1): Add a SetEnv directive to request that the server sets an
      environment variable in the session. Similar to the existing SendEnv
      option, these variables are set subject to server configuration.
    - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
      previously marked for sending to the server (closes: #573316).
    - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
      the username is available currently.
    - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
      functionality.
    - sshd(8): Avoid observable differences in request parsing that could be
      used to determine whether a target user is valid.
    - ssh(1)/sshd(8): Fix some memory leaks.
    - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
      occur during key loading, manifesting as crash on some platforms.
    - sshd_config(5): Clarify documentation for AuthenticationMethods
      option.
    - ssh(1): Ensure that the public key algorithm sent in a public key
      SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
      Previously, these could be inconsistent when a legacy or non-OpenSSH
      ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
      signature.
    - sshd(8): Fix failures to read authorized_keys caused by faulty
      supplemental group caching.
    - scp(1): Apply umask to directories, fixing potential mkdir/chmod race
      when copying directory trees.
    - ssh-keygen(1): Return correct exit code when searching for and hashing
      known_hosts entries in a single operation.
    - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
      re-executing ssh for ProxyJump.
    - sshd(8): Do not ban PTY allocation when a sshd session is restricted
      because the user password is expired as it breaks password change
      dialog.
    - ssh(1)/sshd(8): Fix error reporting from select() failures.
    - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
      -w implicitly sets Tunnel=point-to-point.
    - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
      will no longer spin when its file descriptor limit is exceeded.
    - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
      clients. Twisted Conch versions that lack a version number in their
      identification strings will mishandle these messages when running on
      Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
    - sftp(1): Notify user immediately when underlying ssh process dies
      expectedly.
    - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
    - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
      fails to accept(2) a connection.
    - ssh(1): Add some missing options in the configuration dump output (ssh
      -G).
    - sshd(8): Expose details of completed authentication to PAM auth
      modules via SSH_AUTH_INFO_0 in the PAM environment.
  * Switch debian/watch to HTTPS.
  * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
    regression tests.

Author: Colin Watson
Author Date: 2018-08-30 14:35:27 UTC

Import patches-unapplied version 1:7.8p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 8eb0683ac4352aae1f74630d1c3887d58882ec79

New changelog entries:
  * New upstream release (https://www.openssh.com/txt/release-7.8, closes:
    #907534):
    - ssh-keygen(1): Write OpenSSH format private keys by default instead of
      using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
      supported in OpenSSH releases since 2014 and described in the
      PROTOCOL.key file in the source distribution, offers substantially
      better protection against offline password guessing and supports key
      comments in private keys. If necessary, it is possible to write old
      PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
      generating or updating a key.
    - sshd(8): Remove internal support for S/Key multiple factor
      authentication. S/Key may still be used via PAM or BSD auth.
    - ssh(1): Remove vestigial support for running ssh(1) as setuid. This
      used to be required for hostbased authentication and the (long gone)
      rhosts-style authentication, but has not been necessary for a long
      time. Attempting to execute ssh as a setuid binary, or with uid !=
      effective uid will now yield a fatal error at runtime.
    - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
      HostbasedAcceptedKeyTypes options have changed. These now specify
      signature algorithms that are accepted for their respective
      authentication mechanism, where previously they specified accepted key
      types. This distinction matters when using the RSA/SHA2 signature
      algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
      counterparts. Configurations that override these options but omit
      these algorithm names may cause unexpected authentication failures (no
      action is required for configurations that accept the default for
      these options).
    - sshd(8): The precedence of session environment variables has changed.
      ~/.ssh/environment and environment="..." options in authorized_keys
      files can no longer override SSH_* variables set implicitly by sshd.
    - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
      will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
      a detailed rationale, please see the commit message:
      https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
    - ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
      v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly
      force use of RSA/SHA2 signatures in authentication.
    - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
      of environment variable names in addition to global "yes" or "no"
      settings.
    - sshd(8): Add a PermitListen directive to sshd_config(5) and a
      corresponding permitlisten= authorized_keys option that control which
      listen addresses and port numbers may be used by remote forwarding
      (ssh -R ...).
    - sshd(8): Add some countermeasures against timing attacks used for
      account validation/enumeration. sshd will enforce a minimum time or
      each failed authentication attempt consisting of a global 5ms minimum
      plus an additional per-user 0-4ms delay derived from a host secret.
    - sshd(8): Add a SetEnv directive to allow an administrator to
      explicitly specify environment variables in sshd_config. Variables
      set by SetEnv override the default and client-specified environment.
    - ssh(1): Add a SetEnv directive to request that the server sets an
      environment variable in the session. Similar to the existing SendEnv
      option, these variables are set subject to server configuration.
    - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
      previously marked for sending to the server (closes: #573316).
    - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
      the username is available currently.
    - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
      functionality.
    - sshd(8): Avoid observable differences in request parsing that could be
      used to determine whether a target user is valid.
    - ssh(1)/sshd(8): Fix some memory leaks.
    - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
      occur during key loading, manifesting as crash on some platforms.
    - sshd_config(5): Clarify documentation for AuthenticationMethods
      option.
    - ssh(1): Ensure that the public key algorithm sent in a public key
      SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
      Previously, these could be inconsistent when a legacy or non-OpenSSH
      ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
      signature.
    - sshd(8): Fix failures to read authorized_keys caused by faulty
      supplemental group caching.
    - scp(1): Apply umask to directories, fixing potential mkdir/chmod race
      when copying directory trees.
    - ssh-keygen(1): Return correct exit code when searching for and hashing
      known_hosts entries in a single operation.
    - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
      re-executing ssh for ProxyJump.
    - sshd(8): Do not ban PTY allocation when a sshd session is restricted
      because the user password is expired as it breaks password change
      dialog.
    - ssh(1)/sshd(8): Fix error reporting from select() failures.
    - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
      -w implicitly sets Tunnel=point-to-point.
    - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
      will no longer spin when its file descriptor limit is exceeded.
    - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
      clients. Twisted Conch versions that lack a version number in their
      identification strings will mishandle these messages when running on
      Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
    - sftp(1): Notify user immediately when underlying ssh process dies
      expectedly.
    - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
    - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
      fails to accept(2) a connection.
    - ssh(1): Add some missing options in the configuration dump output (ssh
      -G).
    - sshd(8): Expose details of completed authentication to PAM auth
      modules via SSH_AUTH_INFO_0 in the PAM environment.
  * Switch debian/watch to HTTPS.
  * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
    regression tests.

Author: Colin Watson
Author Date: 2018-08-17 13:09:32 UTC

Import patches-unapplied version 1:7.7p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ae80699317094c1deba08dfc4c3b21322b9567e6

New changelog entries:
  * Apply upstream patch to delay bailout for invalid authenticating user
    until after the packet containing the request has been fully parsed
    (closes: #906236).

Author: Colin Watson
Author Date: 2018-08-17 13:09:32 UTC

Import patches-unapplied version 1:7.7p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ae80699317094c1deba08dfc4c3b21322b9567e6

New changelog entries:
  * Apply upstream patch to delay bailout for invalid authenticating user
    until after the packet containing the request has been fully parsed
    (closes: #906236).

Author: Colin Watson
Author Date: 2018-08-17 13:09:32 UTC

Import patches-unapplied version 1:7.7p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ae80699317094c1deba08dfc4c3b21322b9567e6

New changelog entries:
  * Apply upstream patch to delay bailout for invalid authenticating user
    until after the packet containing the request has been fully parsed
    (closes: #906236).

Author: Colin Watson
Author Date: 2018-08-17 13:09:32 UTC

Import patches-unapplied version 1:7.7p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ae80699317094c1deba08dfc4c3b21322b9567e6

New changelog entries:
  * Apply upstream patch to delay bailout for invalid authenticating user
    until after the packet containing the request has been fully parsed
    (closes: #906236).

Author: Ubuntu Git Importer
Author Date: 2018-04-07 16:03:10 UTC

pristine-tar data for openssh_7.7p1.orig.tar.gz

Author: Colin Watson
Author Date: 2018-03-01 15:17:53 UTC

Import patches-unapplied version 1:7.4p1-10+deb9u3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 12ea1e41915c46ce4f3b5e09adca87ec5a2998b3

New changelog entries:
  * CVE-2017-15906: sftp-server(8): In read-only mode, sftp-server was
    incorrectly permitting creation of zero-length files. Reported by Michal
    Zalewski.

Author: Colin Watson
Author Date: 2018-03-01 15:17:53 UTC

Import patches-applied version 1:7.4p1-10+deb9u3 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 6b81aed5fd636c2a87ad2b6ae565eb8070a1867b
Unapplied parent: c66f85b1d536aba24af81b09c02b13cac5d50d99

New changelog entries:
  * CVE-2017-15906: sftp-server(8): In read-only mode, sftp-server was
    incorrectly permitting creation of zero-length files. Reported by Michal
    Zalewski.

Author: Ubuntu Git Importer
Author Date: 2018-03-07 13:44:20 UTC

pristine-tar data for openssh_7.6p1.orig.tar.gz

Author: Colin Watson
Author Date: 2018-02-10 02:31:46 UTC

Import patches-unapplied version 1:7.6p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f2c6c36a53248355c46609e8c5cbb431c83542d9

New changelog entries:
  * Move VCS to salsa.debian.org.
  * Add a preseeding-only openssh-server/password-authentication debconf
    template that can be used to disable password authentication (closes:
    #878945).

Author: Colin Watson
Author Date: 2018-02-10 02:31:46 UTC

Import patches-unapplied version 1:7.6p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f2c6c36a53248355c46609e8c5cbb431c83542d9

New changelog entries:
  * Move VCS to salsa.debian.org.
  * Add a preseeding-only openssh-server/password-authentication debconf
    template that can be used to disable password authentication (closes:
    #878945).

Author: Colin Watson
Author Date: 2018-02-10 02:31:46 UTC

Import patches-unapplied version 1:7.6p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f2c6c36a53248355c46609e8c5cbb431c83542d9

New changelog entries:
  * Move VCS to salsa.debian.org.
  * Add a preseeding-only openssh-server/password-authentication debconf
    template that can be used to disable password authentication (closes:
    #878945).

Author: Marc Deslauriers
Author Date: 2018-01-15 16:28:55 UTC

Import patches-unapplied version 1:6.6p1-2ubuntu2.10 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 8815edb59856a6bd040de7166e24479e4880b885

New changelog entries:
  * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
    - debian/patches/CVE-2016-10009.patch: add a whitelist of paths from
      which ssh-agent will load a PKCS#11 module in ssh-agent.1,
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-2.patch: fix deletion of PKCS#11 keys
      in ssh-agent.c.
    - debian/patches/CVE-2016-10009-3.patch: relax whitelist in
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-4.patch: add missing label in
      ssh-agent.c.
    - CVE-2016-10009
  * SECURITY UPDATE: local information disclosure via effects of realloc on
    buffer contents
    - debian/patches/CVE-2016-10011.patch: pre-allocate the buffer used for
      loading keys in authfile.c.
    - CVE-2016-10011
  * SECURITY UPDATE: local privilege escalation via incorrect bounds check
    in shared memory manager
    - debian/patches/CVE-2016-10012-1-2.patch: remove support for
      pre-authentication compression in kex.c, kex.h, Makefile.in,
      monitor.c, monitor.h, monitor_wrap.c, monitor_wrap.h, myproposal.h,
      packet.c, servconf.c, sshd.c, sshd_config.5.
    - debian/patches/CVE-2016-10012-3.patch: put back some pre-auth zlib
      bits in kex.c, kex.h, packet.c.
    - CVE-2016-10012
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

Author: Marc Deslauriers
Author Date: 2018-01-15 16:28:55 UTC

Import patches-unapplied version 1:6.6p1-2ubuntu2.10 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 8815edb59856a6bd040de7166e24479e4880b885

New changelog entries:
  * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
    - debian/patches/CVE-2016-10009.patch: add a whitelist of paths from
      which ssh-agent will load a PKCS#11 module in ssh-agent.1,
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-2.patch: fix deletion of PKCS#11 keys
      in ssh-agent.c.
    - debian/patches/CVE-2016-10009-3.patch: relax whitelist in
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-4.patch: add missing label in
      ssh-agent.c.
    - CVE-2016-10009
  * SECURITY UPDATE: local information disclosure via effects of realloc on
    buffer contents
    - debian/patches/CVE-2016-10011.patch: pre-allocate the buffer used for
      loading keys in authfile.c.
    - CVE-2016-10011
  * SECURITY UPDATE: local privilege escalation via incorrect bounds check
    in shared memory manager
    - debian/patches/CVE-2016-10012-1-2.patch: remove support for
      pre-authentication compression in kex.c, kex.h, Makefile.in,
      monitor.c, monitor.h, monitor_wrap.c, monitor_wrap.h, myproposal.h,
      packet.c, servconf.c, sshd.c, sshd_config.5.
    - debian/patches/CVE-2016-10012-3.patch: put back some pre-auth zlib
      bits in kex.c, kex.h, packet.c.
    - CVE-2016-10012
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

Author: Marc Deslauriers
Author Date: 2018-01-15 14:50:38 UTC

Import patches-unapplied version 1:7.2p2-4ubuntu2.4 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 2b85b955d24dcb5b06ecc205e3685dc2098b65a1

New changelog entries:
  * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
    - debian/patches/CVE-2016-10009.patch: add a whitelist of paths from
      which ssh-agent will load a PKCS#11 module in ssh-agent.1,
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-2.patch: fix deletion of PKCS#11 keys
      in ssh-agent.c.
    - debian/patches/CVE-2016-10009-3.patch: relax whitelist in
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-4.patch: add missing label in
      ssh-agent.c.
    - CVE-2016-10009
  * SECURITY UPDATE: local privilege escalation via socket permissions when
    privilege separation is disabled
    - debian/patches/CVE-2016-10010.patch: disable Unix-domain socket
      forwarding when privsep is disabled in serverloop.c.
    - debian/patches/CVE-2016-10010-2.patch: unbreak Unix domain socket
      forwarding for root in serverloop.c.
    - CVE-2016-10010
  * SECURITY UPDATE: local information disclosure via effects of realloc on
    buffer contents
    - debian/patches/CVE-2016-10011-pre.patch: split allocation out of
      sshbuf_reserve() in sshbuf.c, sshbuf.h.
    - debian/patches/CVE-2016-10011.patch: pre-allocate the buffer used for
      loading keys in authfile.c.
    - CVE-2016-10011
  * SECURITY UPDATE: local privilege escalation via incorrect bounds check
    in shared memory manager
    - debian/patches/CVE-2016-10012-1.patch: remove support for
      pre-authentication compression in Makefile.in, monitor.c, monitor.h,
      monitor_mm.c, monitor_mm.h, monitor_wrap.h, myproposal.h, opacket.h,
      packet.c, packet.h, servconf.c, sshconnect2.c, sshd.c.
    - debian/patches/CVE-2016-10012-2.patch: restore pre-auth compression
      support in the client in kex.c, kex.h, packet.c, servconf.c,
      sshconnect2.c, sshd_config.5.
    - debian/patches/CVE-2016-10012-3.patch: put back some pre-auth zlib
      bits in kex.c, kex.h, packet.c.
    - CVE-2016-10012
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

Author: Marc Deslauriers
Author Date: 2018-01-15 16:28:55 UTC

Import patches-unapplied version 1:6.6p1-2ubuntu2.10 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 8815edb59856a6bd040de7166e24479e4880b885

New changelog entries:
  * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
    - debian/patches/CVE-2016-10009.patch: add a whitelist of paths from
      which ssh-agent will load a PKCS#11 module in ssh-agent.1,
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-2.patch: fix deletion of PKCS#11 keys
      in ssh-agent.c.
    - debian/patches/CVE-2016-10009-3.patch: relax whitelist in
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-4.patch: add missing label in
      ssh-agent.c.
    - CVE-2016-10009
  * SECURITY UPDATE: local information disclosure via effects of realloc on
    buffer contents
    - debian/patches/CVE-2016-10011.patch: pre-allocate the buffer used for
      loading keys in authfile.c.
    - CVE-2016-10011
  * SECURITY UPDATE: local privilege escalation via incorrect bounds check
    in shared memory manager
    - debian/patches/CVE-2016-10012-1-2.patch: remove support for
      pre-authentication compression in kex.c, kex.h, Makefile.in,
      monitor.c, monitor.h, monitor_wrap.c, monitor_wrap.h, myproposal.h,
      packet.c, servconf.c, sshd.c, sshd_config.5.
    - debian/patches/CVE-2016-10012-3.patch: put back some pre-auth zlib
      bits in kex.c, kex.h, packet.c.
    - CVE-2016-10012
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

Author: Marc Deslauriers
Author Date: 2018-01-16 13:28:47 UTC

Import patches-unapplied version 1:7.5p1-10ubuntu0.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: c931f6058b13a610b1e16d3734d1070f262e6383

New changelog entries:
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

Author: Marc Deslauriers
Author Date: 2018-01-16 13:28:47 UTC

Import patches-unapplied version 1:7.5p1-10ubuntu0.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: c931f6058b13a610b1e16d3734d1070f262e6383

New changelog entries:
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

Author: Marc Deslauriers
Author Date: 2018-01-16 13:28:47 UTC

Import patches-unapplied version 1:7.5p1-10ubuntu0.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: c931f6058b13a610b1e16d3734d1070f262e6383

New changelog entries:
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

Author: Colin Watson
Author Date: 2017-11-18 10:56:29 UTC

Import patches-unapplied version 1:6.7p1-5+deb8u4 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: d993ca8d18840e83906a039d8e21899bfe301faf

New changelog entries:
  * Test configuration before starting or reloading sshd under systemd
    (closes: #865770).
  * Make "--" before the hostname terminate argument processing after the
    hostname too (closes: #873201).

Author: Colin Watson
Author Date: 2017-11-18 10:56:29 UTC

Import patches-applied version 1:6.7p1-5+deb8u4 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: 6837b65d638f49f7169ecb1d24dcb54d4fd5712b
Unapplied parent: 4f46b69ded18ce196025a25e2064a5a10cf12794

New changelog entries:
  * Test configuration before starting or reloading sshd under systemd
    (closes: #865770).
  * Make "--" before the hostname terminate argument processing after the
    hostname too (closes: #873201).

Author: Colin Watson
Author Date: 2017-09-01 10:17:19 UTC

Import patches-unapplied version 1:7.5p1-10 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b1b5c75268ff4438e33357c24800d1b0d0ecb731

New changelog entries:
  * Tell haveged to create the pid file we expect.
  * Give up and use systemctl to start haveged if running under systemd;
    this shouldn't be necessary, but I can't seem to get things working in
    the Ubuntu autopkgtest environment otherwise.

Author: Colin Watson
Author Date: 2017-09-01 10:17:19 UTC

Import patches-unapplied version 1:7.5p1-10 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b1b5c75268ff4438e33357c24800d1b0d0ecb731

New changelog entries:
  * Tell haveged to create the pid file we expect.
  * Give up and use systemctl to start haveged if running under systemd;
    this shouldn't be necessary, but I can't seem to get things working in
    the Ubuntu autopkgtest environment otherwise.

Author: Colin Watson
Author Date: 2017-06-06 14:17:58 UTC

Import patches-applied version 1:7.5p1-4 to applied/debian/experimental

Imported using git-ubuntu import.

Changelog parent: 43ca0c5b69c3fa3e5a18e4cc51544e368c313235
Unapplied parent: edb0b57886219246524fd714e2a0bc94dfe6f242

New changelog entries:
  * Drop README.Debian section on privilege separation, as it's no longer
    optional.
  * Only call "initctl set-env" from agent-launch if $UPSTART_SESSION is set
    (LP: #1689299).
  * Fix incoming compression statistics (thanks, Russell Coker; closes:
    #797964).
  * Relicense debian/* under a two-clause BSD licence for bidirectional
    compatibility with upstream, with permission from Matthew Vernon and
    others.

Author: Colin Watson
Author Date: 2017-06-06 14:17:58 UTC

Import patches-unapplied version 1:7.5p1-4 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 1601afa223bc935cee4688c481d60c99e3e90a28

New changelog entries:
  * Drop README.Debian section on privilege separation, as it's no longer
    optional.
  * Only call "initctl set-env" from agent-launch if $UPSTART_SESSION is set
    (LP: #1689299).
  * Fix incoming compression statistics (thanks, Russell Coker; closes:
    #797964).
  * Relicense debian/* under a two-clause BSD licence for bidirectional
    compatibility with upstream, with permission from Matthew Vernon and
    others.

Author: Dimitri John Ledkov
Author Date: 2017-05-03 15:29:20 UTC

Import patches-unapplied version 1:7.4p1-10ubuntu0.1 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: 2d6a7b7a356d897d168dc051cab091e02ee05f47

New changelog entries:
  * s390x: Fix failing to connect to systems that enable ICA crypto
    coprocessor. Cherrypick upstream fixes to big endian sanboxing code,
    and allow hw acceleration in the sandbox. This fixes sandbox errors
    when system is enabled to use ICA crypto coprocessor. LP: #1686618

Author: Dimitri John Ledkov
Author Date: 2017-05-03 15:29:20 UTC

Import patches-unapplied version 1:7.4p1-10ubuntu0.1 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: 2d6a7b7a356d897d168dc051cab091e02ee05f47

New changelog entries:
  * s390x: Fix failing to connect to systems that enable ICA crypto
    coprocessor. Cherrypick upstream fixes to big endian sanboxing code,
    and allow hw acceleration in the sandbox. This fixes sandbox errors
    when system is enabled to use ICA crypto coprocessor. LP: #1686618

Author:  Christian Ehrhardt 
Author Date: 2017-03-15 13:25:22 UTC

Import patches-unapplied version 1:7.3p1-1ubuntu0.1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 226f77ba212482d0ed31bfd38da81801fcd7ca87

New changelog entries:
  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
    already-hashed entries (LP: #1668093).
  * Fix ssh-keyscan to correctly hash hosts with a port number (LP: #1670745).

Author:  Christian Ehrhardt 
Author Date: 2017-03-15 13:25:22 UTC

Import patches-unapplied version 1:7.3p1-1ubuntu0.1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 226f77ba212482d0ed31bfd38da81801fcd7ca87

New changelog entries:
  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
    already-hashed entries (LP: #1668093).
  * Fix ssh-keyscan to correctly hash hosts with a port number (LP: #1670745).

Author:  Christian Ehrhardt 
Author Date: 2017-03-15 13:25:22 UTC

Import patches-unapplied version 1:7.3p1-1ubuntu0.1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 226f77ba212482d0ed31bfd38da81801fcd7ca87

New changelog entries:
  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
    already-hashed entries (LP: #1668093).
  * Fix ssh-keyscan to correctly hash hosts with a port number (LP: #1670745).

Author: Colin Watson
Author Date: 2017-03-30 10:19:04 UTC

Import patches-unapplied version 1:7.4p1-10 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 94a006df0dee470be9fb627968eaa05377579243

New changelog entries:
  * Move privilege separation directory and PID file from /var/run/ to /run/
    (closes: #760422, #856825).
  * Unbreak Unix domain socket forwarding for root (closes: #858252).

Author: Marc Deslauriers
Author Date: 2016-08-11 12:44:39 UTC

Import patches-unapplied version 1:5.9p1-5ubuntu1.10 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 0d8db84deca89c690a603a7f6f5904ede638d7e8

New changelog entries:
  * SECURITY UPDATE: user enumeration via covert timing channel
    - debian/patches/CVE-2016-6210-1.patch: determine appropriate salt for
      invalid users in auth-passwd.c, openbsd-compat/xcrypt.c.
    - debian/patches/CVE-2016-6210-2.patch: mitigate timing of disallowed
      users PAM logins in auth-pam.c.
    - debian/patches/CVE-2016-6210-3.patch: search users for one with a
      valid salt in openbsd-compat/xcrypt.c.
    - CVE-2016-6210
  * SECURITY UPDATE: denial of service via long passwords
    - debian/patches/CVE-2016-6515.patch: skip passwords longer than 1k in
      length in auth-passwd.c.
    - CVE-2016-6515

Author: Marc Deslauriers
Author Date: 2016-08-11 12:44:39 UTC

Import patches-unapplied version 1:5.9p1-5ubuntu1.10 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 0d8db84deca89c690a603a7f6f5904ede638d7e8

New changelog entries:
  * SECURITY UPDATE: user enumeration via covert timing channel
    - debian/patches/CVE-2016-6210-1.patch: determine appropriate salt for
      invalid users in auth-passwd.c, openbsd-compat/xcrypt.c.
    - debian/patches/CVE-2016-6210-2.patch: mitigate timing of disallowed
      users PAM logins in auth-pam.c.
    - debian/patches/CVE-2016-6210-3.patch: search users for one with a
      valid salt in openbsd-compat/xcrypt.c.
    - CVE-2016-6210
  * SECURITY UPDATE: denial of service via long passwords
    - debian/patches/CVE-2016-6515.patch: skip passwords longer than 1k in
      length in auth-passwd.c.
    - CVE-2016-6515

Author: Marc Deslauriers
Author Date: 2016-08-11 12:44:39 UTC

Import patches-unapplied version 1:5.9p1-5ubuntu1.10 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 0d8db84deca89c690a603a7f6f5904ede638d7e8

New changelog entries:
  * SECURITY UPDATE: user enumeration via covert timing channel
    - debian/patches/CVE-2016-6210-1.patch: determine appropriate salt for
      invalid users in auth-passwd.c, openbsd-compat/xcrypt.c.
    - debian/patches/CVE-2016-6210-2.patch: mitigate timing of disallowed
      users PAM logins in auth-pam.c.
    - debian/patches/CVE-2016-6210-3.patch: search users for one with a
      valid salt in openbsd-compat/xcrypt.c.
    - CVE-2016-6210
  * SECURITY UPDATE: denial of service via long passwords
    - debian/patches/CVE-2016-6515.patch: skip passwords longer than 1k in
      length in auth-passwd.c.
    - CVE-2016-6515

Author: Colin Watson
Author Date: 2016-08-07 21:45:26 UTC

Import patches-unapplied version 1:7.3p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 500332226cc5dd797169826a715b044d77b16fc8

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.3):
    - SECURITY: sshd(8): Mitigate a potential denial-of-service attack
      against the system's crypt(3) function via sshd(8). An attacker could
      send very long passwords that would cause excessive CPU use in
      crypt(3). sshd(8) now refuses to accept password authentication
      requests of length greater than 1024 characters.
    - SECURITY: ssh(1), sshd(8): Fix observable timing weakness in the CBC
      padding oracle countermeasures. Note that CBC ciphers are disabled by
      default and only included for legacy compatibility.
    - SECURITY: ssh(1), sshd(8): Improve operation ordering of MAC
      verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms
      to verify the MAC before decrypting any ciphertext. This removes the
      possibility of timing differences leaking facts about the plaintext,
      though no such leakage has been observed.
    - ssh(1): Add a ProxyJump option and corresponding -J command-line flag
      to allow simplified indirection through a one or more SSH bastions or
      "jump hosts".
    - ssh(1): Add an IdentityAgent option to allow specifying specific agent
      sockets instead of accepting one from the environment.
    - ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
      optionally overridden when using ssh -W.
    - ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per
      draft-sgtatham-secsh-iutf8-00 (closes: #337041, LP: #394570).
    - ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K,
      4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
    - ssh-keygen(1), ssh(1), sshd(8): Support SHA256 and SHA512 RSA
      signatures in certificates.
    - ssh(1): Add an Include directive for ssh_config(5) files (closes:
      #536031).
    - ssh(1): Permit UTF-8 characters in pre-authentication banners sent
      from the server.
    - ssh(1), sshd(8): Reduce the syslog level of some relatively common
      protocol events from LOG_CRIT.
    - sshd(8): Refuse AuthenticationMethods="" in configurations and accept
      AuthenticationMethods=any for the default behaviour of not requiring
      multiple authentication.
    - sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!"
      message when forward and reverse DNS don't match.
    - ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
      failures when both ExitOnForwardFailure and hostname canonicalisation
      are enabled.
    - sshd(8): Remove fallback from moduli to obsolete "primes" file that
      was deprecated in 2001 (LP: #1528251).
    - sshd_config(5): Correct description of UseDNS: it affects ssh hostname
      processing for authorized_keys, not known_hosts.
    - sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit
      is set; previously keepalive packets were not being sent.
    - sshd(8): Whitelist more architectures to enable the seccomp-bpf
      sandbox.
    - scp(1): Respect the local user's LC_CTYPE locale (closes: #396295).
    - Take character display widths into account for the progressmeter
      (closes: #407088).

Author: Salvatore Bonaccorso
Author Date: 2016-04-14 07:39:14 UTC

Import patches-unapplied version 1:6.0p1-4+deb7u4 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: e9a8f23e7053a2f886cf8ed43ca87cde9b44f710

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes

Author: Salvatore Bonaccorso
Author Date: 2016-04-14 07:39:14 UTC

Import patches-applied version 1:6.0p1-4+deb7u4 to applied/debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 6aa89eab95a8f49213952d8a2c3487c66fe88f98
Unapplied parent: 6dcab59711f77dffe3f00c8825747c7eed51d40c

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes

Author: Marc Deslauriers
Author Date: 2016-05-05 11:54:01 UTC

Import patches-unapplied version 1:6.9p1-2ubuntu0.2 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: af0404663af0762cd28b204ba97227cefa303bd1

New changelog entries:
  * SECURITY UPDATE: privilege escalation via environment files when
    UseLogin is configured
    - debian/patches/CVE-2015-8325.patch: ignore PAM environment vars when
      UseLogin is enabled in session.c.
    - CVE-2015-8325
  * SECURITY UPDATE: denial of service via cradted network traffic
    - debian/patches/CVE-2016-1907.patch: fix OOB read in packet code in
      packet.c.
    - CVE-2016-1907
  * SECURITY UPDATE: fallback from untrusted X11-forwarding to trusted
    - debian/patches/CVE-2016-1908-1.patch: use stack memory in
      clientloop.c.
    - debian/patches/CVE-2016-1908-2.patch: eliminate fallback in
      clientloop.c, clientloop.h, mux.c, ssh.c.
    - CVE-2016-1908
  * SECURITY UPDATE: shell-command restrictions bypass via crafted X11
    forwarding data
    - debian/patches/CVE-2016-3115.patch: sanitise characters destined for
      xauth in session.c.
    - CVE-2016-3115

Author: Marc Deslauriers
Author Date: 2016-05-05 11:54:01 UTC

Import patches-unapplied version 1:6.9p1-2ubuntu0.2 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: af0404663af0762cd28b204ba97227cefa303bd1

New changelog entries:
  * SECURITY UPDATE: privilege escalation via environment files when
    UseLogin is configured
    - debian/patches/CVE-2015-8325.patch: ignore PAM environment vars when
      UseLogin is enabled in session.c.
    - CVE-2015-8325
  * SECURITY UPDATE: denial of service via cradted network traffic
    - debian/patches/CVE-2016-1907.patch: fix OOB read in packet code in
      packet.c.
    - CVE-2016-1907
  * SECURITY UPDATE: fallback from untrusted X11-forwarding to trusted
    - debian/patches/CVE-2016-1908-1.patch: use stack memory in
      clientloop.c.
    - debian/patches/CVE-2016-1908-2.patch: eliminate fallback in
      clientloop.c, clientloop.h, mux.c, ssh.c.
    - CVE-2016-1908
  * SECURITY UPDATE: shell-command restrictions bypass via crafted X11
    forwarding data
    - debian/patches/CVE-2016-3115.patch: sanitise characters destined for
      xauth in session.c.
    - CVE-2016-3115

Author: Marc Deslauriers
Author Date: 2016-05-05 11:54:01 UTC

Import patches-unapplied version 1:6.9p1-2ubuntu0.2 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: af0404663af0762cd28b204ba97227cefa303bd1

New changelog entries:
  * SECURITY UPDATE: privilege escalation via environment files when
    UseLogin is configured
    - debian/patches/CVE-2015-8325.patch: ignore PAM environment vars when
      UseLogin is enabled in session.c.
    - CVE-2015-8325
  * SECURITY UPDATE: denial of service via cradted network traffic
    - debian/patches/CVE-2016-1907.patch: fix OOB read in packet code in
      packet.c.
    - CVE-2016-1907
  * SECURITY UPDATE: fallback from untrusted X11-forwarding to trusted
    - debian/patches/CVE-2016-1908-1.patch: use stack memory in
      clientloop.c.
    - debian/patches/CVE-2016-1908-2.patch: eliminate fallback in
      clientloop.c, clientloop.h, mux.c, ssh.c.
    - CVE-2016-1908
  * SECURITY UPDATE: shell-command restrictions bypass via crafted X11
    forwarding data
    - debian/patches/CVE-2016-3115.patch: sanitise characters destined for
      xauth in session.c.
    - CVE-2016-3115

Author: Colin Watson
Author Date: 2016-04-15 15:40:07 UTC

Import patches-unapplied version 1:7.2p2-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f1922cb23326618db9ab52158d24fd1a07db52de

New changelog entries:
  * Drop dependency on libnss-files-udeb (closes: #819686).
  * Policy version 3.9.7: no changes required.

Author: Mathieu Trudel-Lapierre
Author Date: 2016-01-26 15:38:35 UTC

Import patches-unapplied version 1:6.6p1-2ubuntu2.6 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: f9c816c12b5b33107203e4f8ec2ea7910b3f6543

New changelog entries:
  * debian/control, debian/rules: enable libaudit support. (LP: #1478087)

Author: Marc Deslauriers
Author Date: 2016-01-13 15:47:46 UTC

Import patches-unapplied version 1:6.7p1-5ubuntu1.4 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 014b4a3ff90ed457cfc5bafeec140f17779cda91

New changelog entries:
  * SECURITY UPDATE: information leak and overflow in roaming support
    - debian/patches/CVE-2016-077x.patch: completely disable roaming option
      in readconf.c.
    - CVE-2016-0777
    - CVE-2016-0778

Author: Marc Deslauriers
Author Date: 2016-01-13 15:47:46 UTC

Import patches-unapplied version 1:6.7p1-5ubuntu1.4 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 014b4a3ff90ed457cfc5bafeec140f17779cda91

New changelog entries:
  * SECURITY UPDATE: information leak and overflow in roaming support
    - debian/patches/CVE-2016-077x.patch: completely disable roaming option
      in readconf.c.
    - CVE-2016-0777
    - CVE-2016-0778

Author: Marc Deslauriers
Author Date: 2016-01-13 15:47:46 UTC

Import patches-unapplied version 1:6.7p1-5ubuntu1.4 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 014b4a3ff90ed457cfc5bafeec140f17779cda91

New changelog entries:
  * SECURITY UPDATE: information leak and overflow in roaming support
    - debian/patches/CVE-2016-077x.patch: completely disable roaming option
      in readconf.c.
    - CVE-2016-0777
    - CVE-2016-0778

Author: Colin Watson
Author Date: 2015-09-10 11:26:11 UTC

Import patches-unapplied version 1:6.9p1-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d6420725be6749fe2f8b0eed37cbd862f3aff6a6

New changelog entries:
  [ Colin Watson ]
  * mention-ssh-keygen-on-keychange.patch: Move example ssh-keygen
    invocation onto a separate line to make it easier to copy and paste
    (LP: #1491532).
  [ Tyler Hicks ]
  * Build with audit support on Linux (closes: #797727, LP: #1478087).

Author: Colin Watson
Author Date: 2015-09-10 11:26:11 UTC

Import patches-unapplied version 1:6.9p1-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d6420725be6749fe2f8b0eed37cbd862f3aff6a6

New changelog entries:
  [ Colin Watson ]
  * mention-ssh-keygen-on-keychange.patch: Move example ssh-keygen
    invocation onto a separate line to make it easier to copy and paste
    (LP: #1491532).
  [ Tyler Hicks ]
  * Build with audit support on Linux (closes: #797727, LP: #1478087).

Author: Martin Pitt
Author Date: 2015-04-09 07:20:36 UTC

Import patches-unapplied version 1:6.7p1-5ubuntu1 to ubuntu/vivid-proposed

Imported using git-ubuntu import.

Changelog parent: 05f02a8a3fd0f86043560cd2ad422a5af1f733c6

New changelog entries:
  * openssh-server.postinst: Quiesce "Unable to connect to Upstart" error
    message from initctl if upstart is installed, but not the current init
    system. (LP: #1440070)
  * openssh-server.postinst: Fix version comparisons of upgrade adjustments to
    not apply to fresh installs.

Author: Martin Pitt
Author Date: 2015-04-09 07:20:36 UTC

Import patches-unapplied version 1:6.7p1-5ubuntu1 to ubuntu/vivid-proposed

Imported using git-ubuntu import.

Changelog parent: 05f02a8a3fd0f86043560cd2ad422a5af1f733c6

New changelog entries:
  * openssh-server.postinst: Quiesce "Unable to connect to Upstart" error
    message from initctl if upstart is installed, but not the current init
    system. (LP: #1440070)
  * openssh-server.postinst: Fix version comparisons of upgrade adjustments to
    not apply to fresh installs.

Author: Colin Watson
Author Date: 2014-10-03 11:23:57 UTC

Import patches-unapplied version 1:6.6p1-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9024265b5ca71bce46a376cca92fa3ecb7bb44fd

New changelog entries:
  * Make the if-up hook use "reload" rather than "restart" if the system was
    booted using systemd (closes: #756547).
  * Show fingerprints of new keys after creating them in the postinst
    (closes: #762128).
  * Policy version 3.9.6: no changes required.
  * Don't link /usr/share/doc/ssh to openssh-client, as this is not safe
    between Architecture: all and Architecture: any binary packages (closes:
    #763375).

Author: Colin Watson
Author Date: 2014-10-03 11:23:57 UTC

Import patches-unapplied version 1:6.6p1-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9024265b5ca71bce46a376cca92fa3ecb7bb44fd

New changelog entries:
  * Make the if-up hook use "reload" rather than "restart" if the system was
    booted using systemd (closes: #756547).
  * Show fingerprints of new keys after creating them in the postinst
    (closes: #762128).
  * Policy version 3.9.6: no changes required.
  * Don't link /usr/share/doc/ssh to openssh-client, as this is not safe
    between Architecture: all and Architecture: any binary packages (closes:
    #763375).

Author: Colin Watson
Author Date: 2014-10-03 11:23:57 UTC

Import patches-unapplied version 1:6.6p1-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9024265b5ca71bce46a376cca92fa3ecb7bb44fd

New changelog entries:
  * Make the if-up hook use "reload" rather than "restart" if the system was
    booted using systemd (closes: #756547).
  * Show fingerprints of new keys after creating them in the postinst
    (closes: #762128).
  * Policy version 3.9.6: no changes required.
  * Don't link /usr/share/doc/ssh to openssh-client, as this is not safe
    between Architecture: all and Architecture: any binary packages (closes:
    #763375).

Author: Colin Watson
Author Date: 2014-04-03 00:05:27 UTC

Import patches-applied version 1:5.5p1-6+squeeze5 to applied/debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 71dc730097933fc3a9c39dfe94b6f76593b12bca
Unapplied parent: 619cc926af608777df93d1d14451a6cdfc8465bb

New changelog entries:
  * CVE-2014-2532: Disallow invalid characters in environment variable names
    to prevent bypassing AcceptEnv wildcard restrictions.
  * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
    certificate (closes: #742513).

Author: Colin Watson
Author Date: 2014-04-03 00:05:27 UTC

Import patches-unapplied version 1:5.5p1-6+squeeze5 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 5d2b040428a7af04a8f6518caaadb47112fd3168

New changelog entries:
  * CVE-2014-2532: Disallow invalid characters in environment variable names
    to prevent bypassing AcceptEnv wildcard restrictions.
  * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
    certificate (closes: #742513).

Author: Colin Watson
Author Date: 2014-05-02 08:53:07 UTC

Import patches-unapplied version 1:6.2p2-6ubuntu0.5 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: b22b989400911aec4cb50cd30e135617a5582d2e

New changelog entries:
  * Force ssh-agent Upstart job to use sh syntax regardless of the user's
    shell (thanks, Steffen Stempel; LP: #1312928).

Author: Colin Watson
Author Date: 2014-05-02 08:53:07 UTC

Import patches-unapplied version 1:6.2p2-6ubuntu0.5 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: b22b989400911aec4cb50cd30e135617a5582d2e

New changelog entries:
  * Force ssh-agent Upstart job to use sh syntax regardless of the user's
    shell (thanks, Steffen Stempel; LP: #1312928).

Author: Louis Bouchard
Author Date: 2014-04-22 13:28:40 UTC

Import patches-unapplied version 1:5.9p1-5ubuntu1.4 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: 7f37ffb759821df55913da5781887e7ee02ec61f

New changelog entries:
  * Re-enable btmp logging, as its permissions were fixed a long time ago.
    Backport from Debian and Trusty. (LP: #743858)

Author: Louis Bouchard
Author Date: 2014-04-22 14:52:59 UTC

Import patches-unapplied version 1:6.2p2-6ubuntu0.4 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 24d9eea4a7ee1c02394ae190ed3cc5a3ebe3a4eb

New changelog entries:
  * Re-enable btmp logging, as its permissions were fixed a long time ago.
    Backport from Debian and Trusty. (LP: #743858)

Author: Colin Watson
Author Date: 2014-04-14 11:20:48 UTC

Import patches-unapplied version 1:6.6p1-2ubuntu1 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: 1de88f18ffa2120cdf2e0825f4f081910c57d26e

New changelog entries:
  * Upload from Debian git repository to fix a release-critical bug.
  * Debconf translations:
    - French (thanks, Étienne Gilli; closes: #743242).
  * Never signal the service supervisor with SIGSTOP more than once, to
    prevent a hang on re-exec (thanks, Robie Basak; LP: #1306877).

Author: Marc Deslauriers
Author Date: 2014-04-07 13:35:55 UTC

Import patches-unapplied version 1:6.0p1-3ubuntu1.2 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: d551d6a14bf146dad78310342784e6734009221c

New changelog entries:
  * SECURITY UPDATE: failure to check SSHFP records if server presents a
    certificate
    - debian/patches/CVE-2014-2653.patch: fix logic in sshconnect.c.
    - CVE-2014-2653

Author: Marc Deslauriers
Author Date: 2014-04-07 13:32:06 UTC

Import patches-unapplied version 1:6.2p2-6ubuntu0.3 to ubuntu/saucy-security

Imported using git-ubuntu import.

Changelog parent: 6c14194051147ea65a08bb435675ed53a31a3b6a

New changelog entries:
  * SECURITY UPDATE: failure to check SSHFP records if server presents a
    certificate
    - debian/patches/CVE-2014-2653.patch: fix logic in sshconnect.c.
    - CVE-2014-2653

Author: Marc Deslauriers
Author Date: 2014-04-07 13:35:55 UTC

Import patches-unapplied version 1:6.0p1-3ubuntu1.2 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: d551d6a14bf146dad78310342784e6734009221c

New changelog entries:
  * SECURITY UPDATE: failure to check SSHFP records if server presents a
    certificate
    - debian/patches/CVE-2014-2653.patch: fix logic in sshconnect.c.
    - CVE-2014-2653

Author: Marc Deslauriers
Author Date: 2014-04-07 13:35:55 UTC

Import patches-unapplied version 1:6.0p1-3ubuntu1.2 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: d551d6a14bf146dad78310342784e6734009221c

New changelog entries:
  * SECURITY UPDATE: failure to check SSHFP records if server presents a
    certificate
    - debian/patches/CVE-2014-2653.patch: fix logic in sshconnect.c.
    - CVE-2014-2653

Author: Marc Deslauriers
Author Date: 2014-03-21 15:07:31 UTC

Import patches-unapplied version 1:5.3p1-3ubuntu7.1 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 7b05a0bf78223073c4de3210e2965d161f1e3b0d

New changelog entries:
  * SECURITY UPDATE: AcceptEnv wildcard environment restrictions bypass
    - debian/patches/CVE-2014-2532.patch: don't allow invalid chars in
      session.c.
    - CVE-2014-2532

Author: Marc Deslauriers
Author Date: 2014-03-21 15:07:31 UTC

Import patches-unapplied version 1:5.3p1-3ubuntu7.1 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 7b05a0bf78223073c4de3210e2965d161f1e3b0d

New changelog entries:
  * SECURITY UPDATE: AcceptEnv wildcard environment restrictions bypass
    - debian/patches/CVE-2014-2532.patch: don't allow invalid chars in
      session.c.
    - CVE-2014-2532

Author: Marc Deslauriers
Author Date: 2014-03-21 15:07:31 UTC

Import patches-unapplied version 1:5.3p1-3ubuntu7.1 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 7b05a0bf78223073c4de3210e2965d161f1e3b0d

New changelog entries:
  * SECURITY UPDATE: AcceptEnv wildcard environment restrictions bypass
    - debian/patches/CVE-2014-2532.patch: don't allow invalid chars in
      session.c.
    - CVE-2014-2532

Author: Colin Watson
Author Date: 2013-07-02 21:54:49 UTC

Import patches-unapplied version 1:6.2p2-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 85a198a5d21103ae85a6346421c07fcb114480ea

New changelog entries:
  * Update config.guess and config.sub automatically at build time.
    dh_autoreconf does not take care of that by default because openssh does
    not use automake.

Author: Colin Watson
Author Date: 2013-03-25 16:58:04 UTC

Import patches-unapplied version 1:6.1p1-4 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: b0cb85fb9c4ebf1d98655f871ce454db10320051

New changelog entries:
  [ Gunnar Hjalmarsson ]
  * debian/openssh-server.sshd.pam: Explicitly state that ~/.pam_environment
    should be read, and move the pam_env calls from "auth" to "session" so
    that it's also read when $HOME is encrypted (LP: #952185).
  [ Stéphane Graber ]
  * Add ssh-agent upstart user job. This implements something similar to
    the 90x11-common_ssh-agent Xsession script. That is, start ssh-agent
    and set the appropriate environment variables (closes: #703906).

Author: Colin Watson
Author Date: 2013-03-25 16:58:04 UTC

Import patches-unapplied version 1:6.1p1-4 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: b0cb85fb9c4ebf1d98655f871ce454db10320051

New changelog entries:
  [ Gunnar Hjalmarsson ]
  * debian/openssh-server.sshd.pam: Explicitly state that ~/.pam_environment
    should be read, and move the pam_env calls from "auth" to "session" so
    that it's also read when $HOME is encrypted (LP: #952185).
  [ Stéphane Graber ]
  * Add ssh-agent upstart user job. This implements something similar to
    the 90x11-common_ssh-agent Xsession script. That is, start ssh-agent
    and set the appropriate environment variables (closes: #703906).

Author: Colin Watson
Author Date: 2013-03-25 16:58:04 UTC

Import patches-unapplied version 1:6.1p1-4 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: b0cb85fb9c4ebf1d98655f871ce454db10320051

New changelog entries:
  [ Gunnar Hjalmarsson ]
  * debian/openssh-server.sshd.pam: Explicitly state that ~/.pam_environment
    should be read, and move the pam_env calls from "auth" to "session" so
    that it's also read when $HOME is encrypted (LP: #952185).
  [ Stéphane Graber ]
  * Add ssh-agent upstart user job. This implements something similar to
    the 90x11-common_ssh-agent Xsession script. That is, start ssh-agent
    and set the appropriate environment variables (closes: #703906).

Author: Colin Watson
Author Date: 2012-08-30 23:46:54 UTC

Import patches-unapplied version 1:6.0p1-3ubuntu1 to ubuntu/quantal

Imported using git-ubuntu import.

Changelog parent: 70f1cb2b6a1d11110e0ef2cd259a6445eaf0a829

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests.
    - Convert to Upstart. The init script is still here for the benefit of
      people running sshd in chroots.
    - Install apport hook.
    - Add mention of ssh-keygen in ssh connect warning.

Author: Colin Watson
Author Date: 2012-04-02 10:43:31 UTC

Import patches-unapplied version 1:5.9p1-5ubuntu1 to ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: a7ab0a248f719c14aeb65ada89a2459ff11a74af

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests.
    - Convert to Upstart. The init script is still here for the benefit of
      people running sshd in chroots.
    - Install apport hook.
    - Add mention of ssh-keygen in ssh connect warning.
  * Sync up pkg-config variable used in configure's ConsoleKit test with
    that used for libedit.

Author: Colin Watson
Author Date: 2011-07-29 15:56:27 UTC

Import patches-unapplied version 1:5.8p1-7ubuntu1 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: 82899b2a78e280972a4ae664909700a9ee013814

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests.
    - Convert to Upstart. The init script is still here for the benefit of
      people running sshd in chroots.
    - Install apport hook.
    - Add mention of ssh-keygen in ssh connect warning.

Author: Colin Watson
Author Date: 2011-07-29 15:56:27 UTC

Import patches-unapplied version 1:5.8p1-7ubuntu1 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: 82899b2a78e280972a4ae664909700a9ee013814

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests.
    - Convert to Upstart. The init script is still here for the benefit of
      people running sshd in chroots.
    - Install apport hook.
    - Add mention of ssh-keygen in ssh connect warning.

Author: Clint Byrum
Author Date: 2011-06-11 15:06:02 UTC

Import patches-unapplied version 1:5.5p1-4ubuntu6 to ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: d1eae4b6ff15a0514a73f1cbdd8ddcf9baf565bb

New changelog entries:
  [ Clint Byrum ]
  * debian/openssh-server.ssh.init: Adding upstart awareness that will
    call /lib/init/upstart-job when script is run outside of a chroot.
    While this fixes LP: #531912, the change should be reverted when
    upstart gains chroot session support.
  [ Colin Watson ]
  * Only do the above if /etc/init/ssh.conf still exists, since apparently
    some people have been removing it.

Author: Clint Byrum
Author Date: 2011-06-11 15:06:02 UTC

Import patches-unapplied version 1:5.5p1-4ubuntu6 to ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: d1eae4b6ff15a0514a73f1cbdd8ddcf9baf565bb

New changelog entries:
  [ Clint Byrum ]
  * debian/openssh-server.ssh.init: Adding upstart awareness that will
    call /lib/init/upstart-job when script is run outside of a chroot.
    While this fixes LP: #531912, the change should be reverted when
    upstart gains chroot session support.
  [ Colin Watson ]
  * Only do the above if /etc/init/ssh.conf still exists, since apparently
    some people have been removing it.

Author: Clint Byrum
Author Date: 2011-06-11 15:06:02 UTC

Import patches-unapplied version 1:5.5p1-4ubuntu6 to ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: d1eae4b6ff15a0514a73f1cbdd8ddcf9baf565bb

New changelog entries:
  [ Clint Byrum ]
  * debian/openssh-server.ssh.init: Adding upstart awareness that will
    call /lib/init/upstart-job when script is run outside of a chroot.
    While this fixes LP: #531912, the change should be reverted when
    upstart gains chroot session support.
  [ Colin Watson ]
  * Only do the above if /etc/init/ssh.conf still exists, since apparently
    some people have been removing it.

Author: Clint Byrum
Author Date: 2011-06-11 05:46:07 UTC

Import patches-unapplied version 1:5.3p1-3ubuntu7 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: 7bd95092480267a8f2bae97184c0225dea5f2cd6

New changelog entries:
  [ Clint Byrum ]
  * debian/openssh-server.ssh.init: Adding upstart awareness that will
    call /lib/init/upstart-job when script is run outside of a chroot.
    While this fixes LP: #531912, the change should be reverted when
    upstart gains chroot session support.
  [ Colin Watson ]
  * Only do the above if /etc/init/ssh.conf still exists, since apparently
    some people have been removing it.

Author: Clint Byrum
Author Date: 2011-04-01 23:05:43 UTC

Import patches-unapplied version 1:5.8p1-1ubuntu3 to ubuntu/natty

Imported using git-ubuntu import.

Changelog parent: 9cd08ca94527ef262c1a9362052d4c498a1fd089

New changelog entries:
  * Start on runlevel [2345] so that switching back to runlevel 2
    from single user mode starts ssh again. (LP: #747756)

Author: Clint Byrum
Author Date: 2011-04-01 23:05:43 UTC

Import patches-unapplied version 1:5.8p1-1ubuntu3 to ubuntu/natty

Imported using git-ubuntu import.

Changelog parent: 9cd08ca94527ef262c1a9362052d4c498a1fd089

New changelog entries:
  * Start on runlevel [2345] so that switching back to runlevel 2
    from single user mode starts ssh again. (LP: #747756)

Author: Colin Watson
Author Date: 2011-03-02 10:53:07 UTC

Import patches-unapplied version 1:4.7p1-8ubuntu3 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: 212e8d7bcfb933f9410b93bb5f4fb7a152778e19

New changelog entries:
  * Merge 1:4.7p1-8ubuntu1.1 and 1:4.7p1-8ubuntu1.2 from hardy-security.

Author: Colin Watson
Author Date: 2011-03-02 10:53:07 UTC

Import patches-unapplied version 1:4.7p1-8ubuntu3 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: 212e8d7bcfb933f9410b93bb5f4fb7a152778e19

New changelog entries:
  * Merge 1:4.7p1-8ubuntu1.1 and 1:4.7p1-8ubuntu1.2 from hardy-security.

Author: Colin Watson
Author Date: 2011-03-02 10:53:07 UTC

Import patches-unapplied version 1:4.7p1-8ubuntu3 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: 212e8d7bcfb933f9410b93bb5f4fb7a152778e19

New changelog entries:
  * Merge 1:4.7p1-8ubuntu1.1 and 1:4.7p1-8ubuntu1.2 from hardy-security.

Author: Colin Watson
Author Date: 2010-09-14 17:50:57 UTC

Import patches-unapplied version 1:5.5p1-4ubuntu4 to ubuntu/maverick

Imported using git-ubuntu import.

Changelog parent: b4dce181fd26df4cd944e8c9e3e864b5ac350afe

New changelog entries:
  * Fix stray hyphen in the title of ssh-import-id(1).

Author: Colin Watson
Author Date: 2010-03-08 15:24:44 UTC

Import patches-unapplied version 1:5.3p1-3ubuntu3 to ubuntu/lucid

Imported using git-ubuntu import.

Changelog parent: 138dde9fa10f4213498a59654f0add82161514c5

New changelog entries:
  * Fix syntax error in openssh-server apport hook (LP: #534365).

Author: Loïc Minier
Author Date: 2009-10-21 12:48:08 UTC

Import patches-unapplied version 1:5.1p1-6ubuntu2 to ubuntu/karmic

Imported using git-ubuntu import.

Changelog parent: 2fe1ab23d7e0bc61fc4c62df15a28dc8ca152fc9

New changelog entries:
  * No change rebuild to fix misbuilt binaries on armel.

Author: Loïc Minier
Author Date: 2009-10-21 12:48:08 UTC

Import patches-unapplied version 1:5.1p1-6ubuntu2 to ubuntu/karmic

Imported using git-ubuntu import.

Changelog parent: 2fe1ab23d7e0bc61fc4c62df15a28dc8ca152fc9

New changelog entries:
  * No change rebuild to fix misbuilt binaries on armel.

Author: Colin Watson
Author Date: 2009-01-28 14:34:21 UTC

Import patches-unapplied version 1:5.1p1-5ubuntu1 to ubuntu/jaunty

Imported using git-ubuntu import.

Changelog parent: 1965acc334acc3b9f7ad07c1f3351683bcdb72ee

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
      take up a lot of CD space, and I suspect that rolling them out in
      security updates has covered most affected systems now.
    - Add ufw integration.

Author: Colin Watson
Author Date: 2009-01-28 14:34:21 UTC

Import patches-unapplied version 1:5.1p1-5ubuntu1 to ubuntu/jaunty

Imported using git-ubuntu import.

Changelog parent: 1965acc334acc3b9f7ad07c1f3351683bcdb72ee

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
      take up a lot of CD space, and I suspect that rolling them out in
      security updates has covered most affected systems now.
    - Add ufw integration.

Author: Colin Watson
Author Date: 2009-01-14 00:34:08 UTC

Import patches-applied version 1:5.1p1-5 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 76608748d9c1a6ad0b95732c54f20dfae877a2a1
Unapplied parent: 1965acc334acc3b9f7ad07c1f3351683bcdb72ee

New changelog entries:
  * Backport from upstream CVS (Markus Friedl):
    - packet_disconnect() on padding error, too. Should reduce the success
      probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18.
  * Check that /var/run/sshd.pid exists and that the process ID listed there
    corresponds to sshd before running '/etc/init.d/ssh reload' from if-up
    script; SIGHUP is racy if called at boot before sshd has a chance to
    install its signal handler, but fortunately the pid file is written
    after that which lets us avoid the race (closes: #502444).
  * While the above is a valuable sanity-check, it turns out that it doesn't
    really fix the bug (thanks to Kevin Price for testing), so for the
    meantime we'll just use '/etc/init.d/ssh restart', even though it is
    unfortunately heavyweight.

Author: Colin Watson
Author Date: 2009-01-14 00:34:08 UTC

Import patches-unapplied version 1:5.1p1-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 62d764b487833e122207945cd32b7d7afab81bb4

New changelog entries:
  * Backport from upstream CVS (Markus Friedl):
    - packet_disconnect() on padding error, too. Should reduce the success
      probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18.
  * Check that /var/run/sshd.pid exists and that the process ID listed there
    corresponds to sshd before running '/etc/init.d/ssh reload' from if-up
    script; SIGHUP is racy if called at boot before sshd has a chance to
    install its signal handler, but fortunately the pid file is written
    after that which lets us avoid the race (closes: #502444).
  * While the above is a valuable sanity-check, it turns out that it doesn't
    really fix the bug (thanks to Kevin Price for testing), so for the
    meantime we'll just use '/etc/init.d/ssh restart', even though it is
    unfortunately heavyweight.

Author: Colin Watson
Author Date: 2008-10-13 18:40:53 UTC

Import patches-unapplied version 1:5.1p1-3ubuntu1 to ubuntu/intrepid

Imported using git-ubuntu import.

Changelog parent: aef3bb03ecf2557aa0ddcbfec2a0a9b2574c0848

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
      take up a lot of CD space, and I suspect that rolling them out in
      security updates has covered most affected systems now.
    - Add ufw integration.