lp:ubuntu/hardy-security/openssh

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-security/openssh

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

36. By Jamie Strandboge

* Add a FILES section to ssh-vulnkey(1) (thanks, Hugh Daniel).
* ssh-vulnkey handles options in authorized_keys (LP: #230029), and treats
  # as introducing a comment even if it is preceded by whitespace (thanks,
  Colin Watson).

35. By Jamie Strandboge

* Mitigate OpenSSL security vulnerability thanks to Colin Watson:
  - Add key blacklisting support. Keys listed in
    /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
    sshd, unless "PermitBlacklistedKeys yes" is set in
    /etc/ssh/sshd_config.
  - Add a new program, ssh-vulnkey, which can be used to check keys
    against these blacklists.
  - Depend on openssh-blacklist.
  - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
    0.9.8g-4ubuntu3.1.
  - Automatically regenerate known-compromised host keys, with a
    critical-priority debconf note. (I regret that there was no time to
    gather translations.)
* Added README.compromised-keys (thanks, Colin Watson).
* References
  CVE-2008-0166
  http://www.ubuntu.com/usn/usn-612-1
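Revisions 35 and 36 above describe the mechanism in two halves: sshd rejects a key whose fingerprint appears in /etc/ssh/blacklist.TYPE-LENGTH unless "PermitBlacklistedKeys yes" is set, and ssh-vulnkey has to read authorized_keys lines that carry options and treat a whitespace-prefixed # as a comment. The Python below is an added illustration written for this page, not code from the openssh package or from ssh-vulnkey itself. It builds toy ssh-rsa key blobs (64-bit moduli, constructed for the example and not real keys), parses a constructed authorized_keys file including an options field with quoted commas and spaces, and checks each key against a constructed blacklist. Assumptions to flag: the blacklist is modelled as one fingerprint fragment per line with # comments, and the lookup key used is the last 20 hex characters of the key's MD5 fingerprint; the page does not specify the real file format, so that lookup key and all helper names (make_rsa_blob, parse_authorized_keys, is_blacklisted, audit) are illustrative.

```python
import base64
import binascii
import hashlib
import struct
from dataclasses import dataclass

# --- RFC 4251 wire-format helpers, used only to build toy key blobs ---
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:            # keep the value positive in two's complement
        raw = b"\x00" + raw
    return ssh_string(raw)

def make_rsa_blob(e: int, n: int) -> bytes:
    """Blob that authorized_keys carries base64-encoded: "ssh-rsa", e, n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def read_string(buf: bytes, off: int):
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def rsa_modulus_bits(blob: bytes) -> int:
    """Key length as used in the blacklist file name (blacklist.RSA-<bits>)."""
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = read_string(blob, off)
    n, _ = read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def fingerprint_md5(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()

# --- authorized_keys parsing: options field, '#' comments after whitespace ---
KEY_TYPES = ("ssh-rsa", "ssh-dss")

@dataclass
class AuthorizedKey:
    lineno: int
    options: str
    ktype: str
    blob: bytes
    comment: str

def split_options(line: str):
    """Consume the options field up to the first unquoted whitespace."""
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted:
            i += 1                       # skip an escaped character inside quotes
        elif c.isspace() and not quoted:
            break
        i += 1
    return line[:i], line[i:].lstrip()

def parse_authorized_keys(text: str):
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' after whitespace is still a comment
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            options, line = split_options(line)
        fields = line.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue                           # not a protocol-2 key line
        try:
            blob = base64.b64decode(fields[1], validate=True)
        except binascii.Error:
            continue
        keys.append(AuthorizedKey(lineno, options, fields[0], blob,
                                  fields[2] if len(fields) > 2 else ""))
    return keys

# --- blacklist lookup (file format is an assumption, see lead-in) ---
def load_blacklist(text: str) -> set:
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def is_blacklisted(blob: bytes, blacklists: dict) -> bool:
    name = f"RSA-{rsa_modulus_bits(blob)}"    # which blacklist.TYPE-LENGTH to consult
    frag = fingerprint_md5(blob)[-20:]        # ASSUMPTION: last 20 hex chars of MD5 fp
    return frag in blacklists.get(name, set())

def audit(authorized_keys_text: str, blacklists: dict, permit_blacklisted=False):
    """Per key: (lineno, options, comment, blacklisted, would_sshd_accept).
    permit_blacklisted mirrors "PermitBlacklistedKeys yes" in sshd_config."""
    report = []
    for k in parse_authorized_keys(authorized_keys_text):
        bl = is_blacklisted(k.blob, blacklists)
        report.append((k.lineno, k.options, k.comment, bl, permit_blacklisted or not bl))
    return report

# --- constructed sample data: toy 64-bit moduli, NOT real keys ---
COMPROMISED = make_rsa_blob(65537, 0xC0FFEE123456789B)
CLEAN = make_rsa_blob(65537, 0xDEADBEEF0BADF00D)
b64 = lambda b: base64.b64encode(b).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup keys",
    "   # indented comment (the LP: #230029 case)",
    f'command="rsync --server, --sender",no-pty ssh-rsa {b64(COMPROMISED)} backup@old-host',
    f"ssh-rsa {b64(CLEAN)} alice@laptop",
])
SAMPLE_BLACKLISTS = {  # stands in for /etc/ssh/blacklist.RSA-64
    "RSA-64": load_blacklist("# constructed blacklist\n" + fingerprint_md5(COMPROMISED)[-20:]),
}

if __name__ == "__main__":
    for row in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLISTS):
        print(row)
```

Running the block lists both keys: the options-prefixed key is flagged as blacklisted and would be refused unless the permit flag is set, the second is accepted. On a real Ubuntu host the equivalent check is the packaged ssh-vulnkey program from revision 35, which reads the real blacklist files rather than this constructed one.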

34. By Colin Watson

* Resynchronise with Debian. Remaining changes:
  - Add support for registering ConsoleKit sessions on login.

33. By Colin Watson

* Resynchronise with Debian. Remaining changes:
  - Add support for registering ConsoleKit sessions on login.

32. By Colin Watson

* Resynchronise with Debian. Remaining changes:
  - Add support for registering ConsoleKit sessions on login.

31. By Colin Watson

* Resynchronise with Debian. Remaining changes:
  - Add support for registering ConsoleKit sessions on login.

30. By Colin Watson

Add support for registering ConsoleKit sessions on login.

29. By Colin Watson

* Improve grammar of ssh-askpass-gnome description.
* Backport from upstream:
  - Use the correct packet maximum sizes for remote port and agent
    forwarding. Prevents the server from killing the connection if too
    much data is queued and an excessively large packet gets sent
    (https://bugzilla.mindrot.org/show_bug.cgi?id=1360).
* Allow passing temporary daemon parameters on the init script's command
  line, e.g. '/etc/init.d/ssh start "-o PermitRootLogin=yes"' (thanks,
  Marc Haber; closes: #458547).

28. By Colin Watson

* Adjust many relative links in faq.html to point to
  http://www.openssh.org/ (thanks, Dan Jacobson; mentioned in #459807).
* Pass --with-mantype=doc to configure rather than build-depending on
  groff (closes: #460121).
* Add armel to architecture list for libselinux1-dev build-dependency
  (closes: #460136).
* Drop source-compatibility with Debian 3.0:
  - Remove support for building with GNOME 1. This allows simplification
    of our GNOME build-dependencies (see #460136).
  - Remove hacks to support the old PAM configuration scheme.
  - Remove compatibility for building without po-debconf.
* Build-depend on libgtk2.0-dev rather than libgnomeui-dev. As far as I
  can see, the GTK2 version of ssh-askpass-gnome has never required
  libgnomeui-dev.

27. By Colin Watson

* New upstream release (closes: #453367).
  - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
    creation of an untrusted cookie fails; found and fixed by Jan Pechanec
    (closes: #444738).
  - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
    installations are unchanged.
  - The SSH channel window size has been increased, and both ssh(1) and
    sshd(8) now send window updates more aggressively. This improves
    performance on high-BDP (Bandwidth Delay Product) networks.
  - ssh(1) and sshd(8) now preserve MAC contexts between packets, which
    saves 2 hash calls per packet and results in 12-16% speedup for
    arcfour256/hmac-md5.
  - A new MAC algorithm has been added, UMAC-64 (RFC4418) as
    "<email address hidden>". UMAC-64 has been measured to be approximately
    20% faster than HMAC-MD5.
  - Failure to establish an ssh(1) TunnelForward is now treated as a fatal
    error when the ExitOnForwardFailure option is set.
  - ssh(1) returns a sensible exit status if the control master goes away
    without passing the full exit status.
  - When using a ProxyCommand in ssh(1), set the outgoing hostname with
    gethostname(2), allowing hostbased authentication to work.
  - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
  - Encode non-printing characters in scp(1) filenames. These could cause
    copies to be aborted with a "protocol error".
  - Handle SIGINT in sshd(8) privilege separation child process to ensure
    that wtmp and lastlog records are correctly updated.
  - Report GSSAPI mechanism in errors, for libraries that support multiple
    mechanisms.
  - Improve documentation for ssh-add(1)'s -d option.
  - Rearrange and tidy GSSAPI code, removing server-only code being linked
    into the client.
  - Delay execution of ssh(1)'s LocalCommand until after all forwardings
    have been established.
  - In scp(1), do not truncate non-regular files.
  - Improve exit message from ControlMaster clients.
  - Prevent sftp-server(8) from reading until it runs out of buffer space,
    whereupon it would exit with a fatal error (closes: #365541).
  - pam_end() was not being called if authentication failed
    (closes: #405041).
  - Manual page datestamps updated (closes: #433181).
* Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
  - Includes documentation on copying files with colons using scp
    (closes: #303453).
* Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists
  (closes: #453285).
* Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
* Refactor debian/rules configure and make invocations to make development
  easier.
* Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
* Update moduli(5) to revision 1.11 from OpenBSD CVS.
* Document the non-default options we set as standard in ssh_config(5) and
  sshd_config(5) (closes: #327886, #345628).
* Recode LICENCE to UTF-8 when concatenating it to debian/copyright.
* Override desktop-file-but-no-dh_desktop-call lintian warning; the
  .desktop file is intentionally not installed (see 1:3.8.1p1-10).
* Update copyright dates for Kerberos patch in debian/copyright.head.
* Policy version 3.7.3: no changes required.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/lucid/openssh