* Changelog:
- [-] old content and logical tag match as expected
- [√] changelog entry correct version and targeted codename
- [√] changelog entries correct
- [√] update-maintainer has been run
* Actual changes:
- [-] no upstream changes to consider
- [-] no further upstream version to consider
- [-] debian changes look safe
* Old Delta:
- [-] dropped changes are ok to be dropped
- [-] nothing else to drop
- [√] changes forwarded upstream/debian (if appropriate)
* New Delta:
- [-] no new patches added
- [√] patches match what was proposed upstream
- [√] patches correctly included in debian/patches/series
- [√] patches have correct DEP3 metadata
* Build/Test:
- [√] build is ok
- [ ] verified PPA package installs/uninstalls
- [ ] autopkgtest against the PPA package passes
- [ ] sanity checks test fine
I seem to be unable to install from the bileto PPA:
$ sudo add-apt-repository -s ppa:ci-train-ppa-service/3962
...
Err:3 http://ppa.launchpad.net/ci-train-ppa-service/3962/ubuntu focal Release
404 Not Found [IP: 91.189.95.83 80]
Reading package lists... Done
E: The repository 'http://ppa.launchpad.net/ci-train-ppa-service/3962/ubuntu focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I tried adding [trusted=yes], but then get this error:
I thought maybe this might be a vpn issue, and tinkered with that a bit but no such luck. If you have advice I can try more. Or maybe setting up a non-bileto PPA might work better?
Anyway, apart from testing the ppa everything else looks good to go, and I know the testing will have to be done for the SRU (and has been requested of the original reporter) so am giving a provisional +1, and trust the testing will be covered separately.
Hi Bryce,
this is a Bionic PPA so add-apt-repo on Focal didn't find binaries
It works fine on Bionic - thereby considering that MP approved, but waiting on the bug for the reporter to classify the severity.
New changelog entries:
* SECURITY UPDATE: Incomplete fix for CVE-2019-6111
- debian/patches/CVE-2019-6111-2.patch: add another fix to the filename
check in scp.c.
- CVE-2019-6111
* Fixed inverted CVE numbers in patch filenames and in previous
changelog.
New changelog entries:
* SECURITY UPDATE: access restrictions bypass in scp
- debian/patches/CVE-2018-20685.patch: disallow empty filenames
or ones that refer to the current directory in scp.c.
- CVE-2018-20685
* SECURITY UPDATE: scp client spoofing via object name
- debian/patches/CVE-2019-6109.patch: make sure the filenames match
the wildcard specified by the user, and add new flag to relax the new
restrictions in scp.c, scp.1.
- CVE-2019-6109
* SECURITY UPDATE: scp client missing received object name validation
- debian/patches/CVE-2019-6111-1.patch: sanitize scp filenames via
snmprintf in atomicio.c, progressmeter.c, progressmeter.h,
scp.c, sftp-client.c.
- debian/patches/CVE-2019-6111-2.patch: force progressmeter updates in
progressmeter.c, progressmeter.h, scp.c, sftp-client.c.
- CVE-2019-6111
New changelog entries:
[ Ryan Finnie ]
* SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
- debian/patches/CVE-2018-15473.patch: delay bailout for invalid
authenticating user until after the packet containing the request
has been fully parsed.
- CVE-2018-15473
New changelog entries:
* Move VCS to salsa.debian.org.
* Add a preseeding-only openssh-server/password-authentication debconf
template that can be used to disable password authentication (closes:
#878945).
New changelog entries:
[ Colin Watson ]
* Remove the decade-old ssh-krb5 transitional package; upgrades of
openssh-server will preserve existing configuration, and new
installations should just enable GSSAPIAuthentication and
GSSAPIKeyExchange in sshd_config (closes: #878626).
* Support the "noudeb" build profile.
* Fix putty-transfer regression test.
[ Anders Kaseorg ]
* debian/systemd/ssh-agent.service: Add missing dbus dependency.
[ Jason Duerstock ]
* Add a "pkg.openssh.nognome" build profile, which disables building the
ssh-askpass-gnome binary package and avoids the build-dependency on
libgtk-3-dev (closes: #883819).
New changelog entries:
* New upstream release (https://www.openssh.com/txt/release-7.6):
- SECURITY: sftp-server(8): In read-only mode, sftp-server was
incorrectly permitting creation of zero-length files. Reported by
Michal Zalewski.
- ssh(1): Delete SSH protocol version 1 support, associated
configuration options and documentation (LP: #1584321).
- ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
- ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
ciphers.
- Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
- ssh(1): Do not offer CBC ciphers by default.
- ssh(1): Add RemoteCommand option to specify a command in the ssh
config file instead of giving it on the client's command line. This
allows the configuration file to specify the command that will be
executed on the remote host.
- sshd(8): Add ExposeAuthInfo option that enables writing details of the
authentication methods used (including public keys where applicable)
to a file that is exposed via a $SSH_USER_AUTH environment variable in
the subsequent session.
- ssh(1): Add support for reverse dynamic forwarding. In this mode, ssh
will act as a SOCKS4/5 proxy and forward connections to destinations
requested by the remote SOCKS client. This mode is requested using
extended syntax for the -R and RemoteForward options and, because it
is implemented solely at the client, does not require the server be
updated to be supported.
- sshd(8): Allow LogLevel directive in sshd_config Match blocks.
- ssh-keygen(1): Allow inclusion of arbitrary string or flag certificate
extensions and critical options.
- ssh-keygen(1): Allow ssh-keygen to use a key held in ssh-agent as a CA
when signing certificates.
- ssh(1)/sshd(8): Allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default.
- ssh-add(1): Add -q option to make ssh-add quiet on success.
- ssh(1): Expand the StrictHostKeyChecking option with two new settings.
The first "accept-new" will automatically accept hitherto-unseen keys
but will refuse connections for changed or invalid hostkeys. This is
a safer subset of the current behaviour of StrictHostKeyChecking=no.
The second setting "off", is a synonym for the current behaviour of
StrictHostKeyChecking=no: accept new host keys, and continue
connection for hosts with incorrect hostkeys. A future release will
change the meaning of StrictHostKeyChecking=no to the behaviour of
"accept-new".
- ssh(1): Add SyslogFacility option to ssh(1) matching the equivalent
option in sshd(8).
- ssh(1): Use HostKeyAlias if specified instead of hostname for matching
host certificate principal names.
- sftp(1): Implement sorting for globbed ls.
- ssh(1): Add a user@host prefix to client's "Permission denied"
messages, useful in particular when using "stacked" connections (e.g.
ssh -J) where it's not clear which host is denying.
- ssh(1): Accept unknown EXT_INFO extension values that contain \0
characters. These are legal, but would previously cause fatal
connection errors if received.
- sftp(1): Print '?' instead of incorrect link count (that the protocol
doesn't provide) for remote listings.
- ssh(1): Return failure rather than fatal() for more cases during
session multiplexing negotiations. Causes the session to fall back to
a non-mux connection if they occur.
- ssh(1): Mention that the server may send debug messages to explain
public key authentication problems under some circumstances.
- Translate OpenSSL error codes to better report incorrect passphrase
errors when loading private keys.
- sshd(8): Adjust compatibility patterns for WinSCP to correctly
identify versions that implement only the legacy DH group exchange
scheme (closes: #877800).
- ssh(1): Print the "Killed by signal 1" message only at LogLevel
verbose so that it is not shown at the default level; prevents it from
appearing during ssh -J and equivalent ProxyCommand configs.
- ssh-keygen(1): When generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. Zero-length keys
could previously be made if ssh-keygen failed or was interrupted part
way through generating them.
- ssh-keyscan(1): Avoid double-close() on file descriptors.
- sshd(8): Avoid reliance on shared use of pointers shared between
monitor and child sshd processes.
- sshd_config(8): Document available AuthenticationMethods.
- ssh(1): Avoid truncation in some login prompts.
- ssh(1): Make "--" before the hostname terminate argument processing
after the hostname too (closes: #873201).
- ssh-keygen(1): Switch from aes256-cbc to aes256-ctr for encrypting
new-style private keys.
- ssh(1): Warn and do not attempt to use keys when the public and
private halves do not match.
- sftp(1): Don't print verbose error message when ssh disconnects from
under sftp.
- sshd(8): Fix keepalive scheduling problem: prevent activity on a
forwarded port from preventing the keepalive from being sent.
- sshd(8): When started without root privileges, don't require the
privilege separation user or path to exist.
- ssh(1)/sshd(8): Correctness fix for channels implementation: accept
channel IDs greater than 0x7FFFFFFF.
- sshd(8): Expose list of completed authentication methods to PAM via
the SSH_AUTH_INFO_0 PAM environment variable.
- ssh(1)/sshd(8): Fix several problems in the tun/tap forwarding code,
mostly to do with host/network byte order confusion.
- sshd(8): Avoid Linux seccomp violations on ppc64le over the socketcall
syscall.
* Build-depend on debhelper (>= 9.20160709~) rather than dh-systemd.
* Change priorities of ssh and ssh-krb5 binary packages to optional, since
"Priority: extra" is now deprecated.
* Use HTTPS form of copyright-format URL.
* Adjust "Running sshd from inittab" instructions in README.Debian to
recommend using service(8) rather than calling the init script directly.
* Policy version 4.1.0.
* Adjust "Per-connection sshd instances with systemd" instructions in
README.Debian to recommend using a drop-in file rather than copying and
modifying the ssh.socket unit file.
PPA: https:/ /launchpad. net/~ci- train-ppa- service/ +archive/ ubuntu/ 3962