ubuntu/+source/openssh:applied/ubuntu/dapper

Last commit made on 2006-05-18
Get this branch:
git clone -b applied/ubuntu/dapper https://git.launchpad.net/ubuntu/+source/openssh
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: applied/ubuntu/dapper
Repository: lp:ubuntu/+source/openssh

Recent commits

f66fbe8... by Colin Watson on 2006-05-17

Import patches-applied version 1:4.2p1-7ubuntu3 to applied/ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: bc05d8376b18f4805aa6d6e235d80a331f031dac
Unapplied parent: 7e6667783f6328fff22531b339d6e1bb4fe8ed3b

New changelog entries:
  * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the
    server configuration, as otherwise 'sshd -t' will complain about the
    lack of /var/run/sshd (closes: Malone #45234).

7e66677... by Colin Watson on 2006-05-17

Import patches-unapplied version 1:4.2p1-7ubuntu3 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 8b11a29ade34b074fc04f6275cc1d8817de56015

New changelog entries:
  * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the
    server configuration, as otherwise 'sshd -t' will complain about the
    lack of /var/run/sshd (closes: Malone #45234).

bc05d83... by Colin Watson on 2006-05-12

Import patches-applied version 1:4.2p1-7ubuntu2 to applied/ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 938f393583f22e4ce05571a81cc74c47073cfe8b
Unapplied parent: 8b11a29ade34b074fc04f6275cc1d8817de56015

New changelog entries:
  * Backport from OpenSSH 4.3 (closes: Malone #25528):
    - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
      lingering sockets from previous session (X11 applications can
      sometimes not connect to 127.0.0.1:60xx).

8b11a29... by Colin Watson on 2006-05-12

Import patches-unapplied version 1:4.2p1-7ubuntu2 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: ad34150514c6f03c5110f40de409fc67426482c6

New changelog entries:
  * Backport from OpenSSH 4.3 (closes: Malone #25528):
    - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
      lingering sockets from previous session (X11 applications can
      sometimes not connect to 127.0.0.1:60xx).

938f393... by Colin Watson on 2006-03-01

Import patches-applied version 1:4.2p1-7ubuntu1 to applied/ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 6bce42ba6446baf712d6b9d73adc98bf3e931d47
Unapplied parent: ad34150514c6f03c5110f40de409fc67426482c6

New changelog entries:
  * Resynchronise with Debian.
  * I accidentally applied the default $PATH change in 1:4.2p1-6 to the udeb
    rather than the deb. Fixed.
  * Sync default values of $PATH from shadow 1:4.0.12-6, adding /usr/bin/X11
    to the normal and superuser paths and /usr/games to the normal path.
  * When the client receives a signal, don't fatal() with "Killed by signal
    %d." (which produces unhelpful noise on stderr and causes confusion for
    users of some applications that wrap ssh); instead, generate a debug
    message and exit with the traditional status (closes: #313371).
  * debconf template translations:
    - Add Swedish (thanks, Daniel Nylander; closes: #333133).
    - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
      closes: #341371).
    - Correct erroneously-changed Last-Translator headers in Greek and
      Spanish translations.

ad34150... by Colin Watson on 2006-03-01

Import patches-unapplied version 1:4.2p1-7ubuntu1 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: c56287d6ffe914bc67b3bb532b5166198a38c300

New changelog entries:
  * Resynchronise with Debian.
  * I accidentally applied the default $PATH change in 1:4.2p1-6 to the udeb
    rather than the deb. Fixed.
  * Sync default values of $PATH from shadow 1:4.0.12-6, adding /usr/bin/X11
    to the normal and superuser paths and /usr/games to the normal path.
  * When the client receives a signal, don't fatal() with "Killed by signal
    %d." (which produces unhelpful noise on stderr and causes confusion for
    users of some applications that wrap ssh); instead, generate a debug
    message and exit with the traditional status (closes: #313371).
  * debconf template translations:
    - Add Swedish (thanks, Daniel Nylander; closes: #333133).
    - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
      closes: #341371).
    - Correct erroneously-changed Last-Translator headers in Greek and
      Spanish translations.

6bce42b... by Martin Pitt on 2006-02-20

Import patches-applied version 1:4.2p1-5ubuntu2 to applied/ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 9232a86860802a4ebe86059b24cf93abedc43607
Unapplied parent: c56287d6ffe914bc67b3bb532b5166198a38c300

New changelog entries:
  * SECURITY UPDATE: Shell code injection with crafted file names in scp.
  * Ported upstream patch from 4.3p2 to replace system() call with a proper
    exec() call; this avoids expanding shell metacharacters in local-to-local
    or remote-to-remote copies.
  * CVE-2006-0225

c56287d... by Martin Pitt on 2006-02-20

Import patches-unapplied version 1:4.2p1-5ubuntu2 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: d200ad971406bdf4a0a63d383a349d6c64bc66d8

New changelog entries:
  * SECURITY UPDATE: Shell code injection with crafted file names in scp.
  * Ported upstream patch from 4.3p2 to replace system() call with a proper
    exec() call; this avoids expanding shell metacharacters in local-to-local
    or remote-to-remote copies.
  * CVE-2006-0225

9232a86... by Colin Watson on 2005-10-31

Import patches-applied version 1:4.2p1-5ubuntu1 to applied/ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: e640c3ddd65cd03bca39941b74f1ad1b47099568
Unapplied parent: d200ad971406bdf4a0a63d383a349d6c64bc66d8

New changelog entries:
  * Resynchronise with Debian.
  * Add a CVE name to the 1:4.0p1-1 changelog entry.
  * Build-depend on libselinux1-dev on armeb.
  * Only send GSSAPI proposal if GSSAPIAuthentication is enabled.
  * Build-depend on libssl-dev (>= 0.9.8-1) to cope with surprise OpenSSL
    transition, since otherwise who knows what the buildds will do. If
    you're building openssh yourself, you can safely ignore this and use an
    older libssl-dev.
  * Initialise token to GSS_C_EMPTY_BUFFER in ssh_gssapi_check_mechanism
    (closes: #328606).
  * Add prototype for ssh_gssapi_server_mechanisms (closes: #328372).
  * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly
    different version of the gssapi authentication method (thanks, Aaron M.
    Ucko; closes: #328388).
  * Explicitly tell po2debconf to use the 'popular' output encoding, so that
    the woody-compatibility hack works even with po-debconf 0.9.0.
  * Annotate 1:4.2p1-1 changelog with CVE references.
  * Add remaining pieces of Kerberos support (closes: #152657, #275472):
    - Add GSSAPI key exchange support from
      http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen
      Frost).
    - Build-depend on libkrb5-dev and configure --with-kerberos5=/usr.
    - openssh-client and openssh-server replace ssh-krb5.
    - Update commented-out Kerberos/GSSAPI options in default sshd_config.
    - Fix HAVE_GSSAPI_KRB5_H/HAVE_GSSAPI_GSSAPI_KRB5_H typos in
      gss-serv-krb5.c.
  * New upstream release.
    - SECURITY (CAN-2005-2797): Fix a bug introduced in OpenSSH 4.0 that
      caused GatewayPorts to be incorrectly activated for dynamic ("-D")
      port forwardings when no listen address was explicitly specified
      (closes: #326065).
    - SECURITY (CAN-2005-2798): Fix improper delegation of GSSAPI
      credentials. This code is only built in openssh-krb5, not openssh, but
      I mention the CVE reference here anyway for completeness.
    - Add a new compression method ("Compression delayed") that delays zlib
      compression until after authentication, eliminating the risk of zlib
      vulnerabilities being exploited by unauthenticated users. Note that
      users of OpenSSH versions earlier than 3.5 will need to disable
      compression on the client or set "Compression yes" (losing this
      security benefit) on the server.
    - Increase the default size of new RSA/DSA keys generated by ssh-keygen
      from 1024 to 2048 bits (closes: #181162).
    - Many bugfixes and improvements to connection multiplexing.
    - Don't pretend to accept $HOME (closes: #208648).
  * debian/rules: Resynchronise CFLAGS with that generated by configure.
  * openssh-client and openssh-server conflict with pre-split ssh to avoid
    problems when ssh is left un-upgraded (closes: #324695).
  * Set X11Forwarding to yes in the default sshd_config (new installs only).
    At least when X11UseLocalhost is turned on, which is the default, the
    security risks of using X11 forwarding are risks to the client, not to
    the server (closes: #320104).

d200ad9... by Colin Watson on 2005-10-31

Import patches-unapplied version 1:4.2p1-5ubuntu1 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: fbef8cdcb6187bd382103833c21da8513f795c8a

New changelog entries:
  * Resynchronise with Debian.
  * Add a CVE name to the 1:4.0p1-1 changelog entry.
  * Build-depend on libselinux1-dev on armeb.
  * Only send GSSAPI proposal if GSSAPIAuthentication is enabled.
  * Build-depend on libssl-dev (>= 0.9.8-1) to cope with surprise OpenSSL
    transition, since otherwise who knows what the buildds will do. If
    you're building openssh yourself, you can safely ignore this and use an
    older libssl-dev.
  * Initialise token to GSS_C_EMPTY_BUFFER in ssh_gssapi_check_mechanism
    (closes: #328606).
  * Add prototype for ssh_gssapi_server_mechanisms (closes: #328372).
  * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly
    different version of the gssapi authentication method (thanks, Aaron M.
    Ucko; closes: #328388).
  * Explicitly tell po2debconf to use the 'popular' output encoding, so that
    the woody-compatibility hack works even with po-debconf 0.9.0.
  * Annotate 1:4.2p1-1 changelog with CVE references.
  * Add remaining pieces of Kerberos support (closes: #152657, #275472):
    - Add GSSAPI key exchange support from
      http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen
      Frost).
    - Build-depend on libkrb5-dev and configure --with-kerberos5=/usr.
    - openssh-client and openssh-server replace ssh-krb5.
    - Update commented-out Kerberos/GSSAPI options in default sshd_config.
    - Fix HAVE_GSSAPI_KRB5_H/HAVE_GSSAPI_GSSAPI_KRB5_H typos in
      gss-serv-krb5.c.
  * New upstream release.
    - SECURITY (CAN-2005-2797): Fix a bug introduced in OpenSSH 4.0 that
      caused GatewayPorts to be incorrectly activated for dynamic ("-D")
      port forwardings when no listen address was explicitly specified
      (closes: #326065).
    - SECURITY (CAN-2005-2798): Fix improper delegation of GSSAPI
      credentials. This code is only built in openssh-krb5, not openssh, but
      I mention the CVE reference here anyway for completeness.
    - Add a new compression method ("Compression delayed") that delays zlib
      compression until after authentication, eliminating the risk of zlib
      vulnerabilities being exploited by unauthenticated users. Note that
      users of OpenSSH versions earlier than 3.5 will need to disable
      compression on the client or set "Compression yes" (losing this
      security benefit) on the server.
    - Increase the default size of new RSA/DSA keys generated by ssh-keygen
      from 1024 to 2048 bits (closes: #181162).
    - Many bugfixes and improvements to connection multiplexing.
    - Don't pretend to accept $HOME (closes: #208648).
  * debian/rules: Resynchronise CFLAGS with that generated by configure.
  * openssh-client and openssh-server conflict with pre-split ssh to avoid
    problems when ssh is left un-upgraded (closes: #324695).
  * Set X11Forwarding to yes in the default sshd_config (new installs only).
    At least when X11UseLocalhost is turned on, which is the default, the
    security risks of using X11 forwarding are risks to the client, not to
    the server (closes: #320104).