lp:ubuntu/hardy-security/openssh
- Get this branch: bzr branch lp:ubuntu/hardy-security/openssh
Recent revisions
- 36. By Jamie Strandboge
* Add a FILES section to ssh-vulnkey(1) (thanks, Hugh Daniel).
* ssh-vulnkey handles options in authorized_keys (LP: #230029), and treats
# as introducing a comment even if it is preceded by whitespace (thanks,
Colin Watson).
- 35. By Jamie Strandboge
* Mitigate OpenSSL security vulnerability thanks to Colin Watson:
- Add key blacklisting support. Keys listed in
/etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
sshd, unless "PermitBlacklistedKeys yes" is set in
/etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys
against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
0.9.8g-4ubuntu3.1.
- Automatically regenerate known-compromised host keys, with a
critical-priority debconf note. (I regret that there was no time to
gather translations.)
* Added README.compromised-keys thanks to Colin Watson.
* References
CVE-2008-0166
http://www.ubuntu.com/usn/usn-612-1
- 34. By Colin Watson
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- 33. By Colin Watson
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- 32. By Colin Watson
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- 31. By Colin Watson
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- 29. By Colin Watson
* Improve grammar of ssh-askpass-gnome description.
* Backport from upstream:
- Use the correct packet maximum sizes for remote port and agent
forwarding. Prevents the server from killing the connection if too
much data is queued and an excessively large packet gets sent
(https://bugzilla.mindrot.org/show_bug.cgi?id=1360).
* Allow passing temporary daemon parameters on the init script's command
line, e.g. '/etc/init.d/ssh start "-o PermitRootLogin=yes"' (thanks,
Marc Haber; closes: #458547).
- 28. By Colin Watson
* Adjust many relative links in faq.html to point to
http://www.openssh.org/ (thanks, Dan Jacobson; mentioned in #459807).
* Pass --with-mantype=doc to configure rather than build-depending on
groff (closes: #460121).
* Add armel to architecture list for libselinux1-dev build-dependency
(closes: #460136).
* Drop source-compatibility with Debian 3.0:
- Remove support for building with GNOME 1. This allows simplification
of our GNOME build-dependencies (see #460136).
- Remove hacks to support the old PAM configuration scheme.
- Remove compatibility for building without po-debconf.
* Build-depend on libgtk2.0-dev rather than libgnomeui-dev. As far as I
can see, the GTK2 version of ssh-askpass-gnome has never required
libgnomeui-dev.
- 27. By Colin Watson
* New upstream release (closes: #453367).
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
creation of an untrusted cookie fails; found and fixed by Jan Pechanec
(closes: #444738).
- sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
installations are unchanged.
- The SSH channel window size has been increased, and both ssh(1) and
sshd(8) now send window updates more aggressively. These improve
performance on high-BDP (Bandwidth Delay Product) networks.
- ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
- A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"<email address hidden>". UMAC-64 has been measured to be approximately
20% faster than HMAC-MD5.
- Failure to establish a ssh(1) TunnelForward is now treated as a fatal
error when the ExitOnForwardFailure option is set.
- ssh(1) returns a sensible exit status if the control master goes away
without passing the full exit status.
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work.
- Make scp(1) skip FIFOs rather than hanging (closes: #246774).
- Encode non-printing characters in scp(1) filenames. These could cause
copies to be aborted with a "protocol error".
- Handle SIGINT in sshd(8) privilege separation child process to ensure
that wtmp and lastlog records are correctly updated.
- Report GSSAPI mechanism in errors, for libraries that support multiple
mechanisms.
- Improve documentation for ssh-add(1)'s -d option.
- Rearrange and tidy GSSAPI code, removing server-only code being linked
into the client.
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established.
- In scp(1), do not truncate non-regular files.
- Improve exit message from ControlMaster clients.
- Prevent sftp-server(8) from reading until it runs out of buffer space,
whereupon it would exit with a fatal error (closes: #365541).
- pam_end() was not being called if authentication failed
(closes: #405041).
- Manual page datestamps updated (closes: #433181).
* Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
- Includes documentation on copying files with colons using scp
(closes: #303453).
* Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists
(closes: #453285).
* Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
* Refactor debian/rules configure and make invocations to make development
easier.
* Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
* Update moduli(5) to revision 1.11 from OpenBSD CVS.
* Document the non-default options we set as standard in ssh_config(5) and
sshd_config(5) (closes: #327886, #345628).
* Recode LICENCE to UTF-8 when concatenating it to debian/copyright.
* Override desktop-file-but-no-dh_desktop-call lintian warning; the
.desktop file is intentionally not installed (see 1:3.8.1p1-10).
* Update copyright dates for Kerberos patch in debian/copyright.head.
* Policy version 3.7.3: no changes required.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/lucid/openssh