ubuntu/+source/openssh:applied/ubuntu/hoary-devel

Last commit made on 2006-10-02
Get this branch:
git clone -b applied/ubuntu/hoary-devel https://git.launchpad.net/ubuntu/+source/openssh
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
applied/ubuntu/hoary-devel
Repository:
lp:ubuntu/+source/openssh

Recent commits

dd5de14... by Martin Pitt on 2006-10-02

Import patches-applied version 1:3.9p1-1ubuntu2.3 to applied/ubuntu/hoary-security

Imported using git-ubuntu import.

Changelog parent: 3c76cd129aeaf05612fb3a4eea86f7be6cc38c0e
Unapplied parent: 01b2218cc48aed933f5cfed77da0a7d7e61855d5

New changelog entries:
  * SECURITY UPDATE: Remote DoS.
  * CVE-2006-4924: Fix a pre-authentication denial of service found by
    Tavis Ormandy, that would cause sshd(8) to spin until the login grace
    time expired.
    Upstream fixes:
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
  * Fix an unsafe signal handler reported by Mark Dowd. The
    signal handler was vulnerable to a race condition that could be
    exploited to perform a pre-authentication denial of service. [CVE-2006-5051]
    On portable OpenSSH, this vulnerability could theoretically lead to
    pre-authentication remote code execution if GSSAPI authentication is
    enabled, but the likelihood of successful exploitation appears remote.
    [CVE-2006-5052]
  * Above patches taken from Debian's 4.3p2-4 version, thanks to Colin Watson
    for backporting them from 4.4p1.

01b2218... by Martin Pitt on 2006-10-02

Import patches-unapplied version 1:3.9p1-1ubuntu2.3 to ubuntu/hoary-security

Imported using git-ubuntu import.

Changelog parent: 517594eae2e4eff6a340e53292a7a1f42748ba10

New changelog entries:
  * SECURITY UPDATE: Remote DoS.
  * CVE-2006-4924: Fix a pre-authentication denial of service found by
    Tavis Ormandy, that would cause sshd(8) to spin until the login grace
    time expired.
    Upstream fixes:
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
  * Fix an unsafe signal handler reported by Mark Dowd. The
    signal handler was vulnerable to a race condition that could be
    exploited to perform a pre-authentication denial of service. [CVE-2006-5051]
    On portable OpenSSH, this vulnerability could theoretically lead to
    pre-authentication remote code execution if GSSAPI authentication is
    enabled, but the likelihood of successful exploitation appears remote.
    [CVE-2006-5052]
  * Above patches taken from Debian's 4.3p2-4 version, thanks to Colin Watson
    for backporting them from 4.4p1.

3c76cd1... by Martin Pitt on 2006-02-20

Import patches-applied version 1:3.9p1-1ubuntu2.2 to applied/ubuntu/hoary-security

Imported using git-ubuntu import.

Changelog parent: e65b0263f54d6d2279716579373a7941d77f613e
Unapplied parent: 517594eae2e4eff6a340e53292a7a1f42748ba10

New changelog entries:
  * SECURITY UPDATE: Shell code injection with crafted file names in scp.
  * Ported upstream patch from 4.3p2 to replace system() call with a proper
    exec() call; this avoids expanding shell metacharacters in local-to-local
    or remote-to-remote copies.
  * CVE-2006-0225

517594e... by Martin Pitt on 2006-02-20

Import patches-unapplied version 1:3.9p1-1ubuntu2.2 to ubuntu/hoary-security

Imported using git-ubuntu import.

Changelog parent: 4913cdd4a5ee6526919ba13cdb563efad9c7e788

New changelog entries:
  * SECURITY UPDATE: Shell code injection with crafted file names in scp.
  * Ported upstream patch from 4.3p2 to replace system() call with a proper
    exec() call; this avoids expanding shell metacharacters in local-to-local
    or remote-to-remote copies.
  * CVE-2006-0225

e65b026... by Martin Pitt on 2005-10-17

Import patches-applied version 1:3.9p1-1ubuntu2.1 to applied/ubuntu/hoary-security

Imported using git-ubuntu import.

Changelog parent: 4b4b5b9c86ea9a1140b819dc672c7ba0fd2c6a74
Unapplied parent: 4913cdd4a5ee6526919ba13cdb563efad9c7e788

New changelog entries:
  * SECURITY UPDATE: Information disclosure.
  * gss-serv.c, sshconnect2.c: Do not delegate GSSAPI credentials to log in
    with a different method than GSSAPI.
  * CAN-2005-2798

4913cdd... by Martin Pitt on 2005-10-17

Import patches-unapplied version 1:3.9p1-1ubuntu2.1 to ubuntu/hoary-security

Imported using git-ubuntu import.

Changelog parent: 6ac1c57981395deee16b5535f8d13c89417c0829

New changelog entries:
  * SECURITY UPDATE: Information disclosure.
  * gss-serv.c, sshconnect2.c: Do not delegate GSSAPI credentials to log in
    with a different method than GSSAPI.
  * CAN-2005-2798

4b4b5b9... by Colin Watson on 2005-03-15

Import patches-applied version 1:3.9p1-1ubuntu2 to applied/ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: 1b47c8f1a006223b0fce36e5282eeaa8ae2fce68
Unapplied parent: 6ac1c57981395deee16b5535f8d13c89417c0829

New changelog entries:
  * Don't ask unnecessary and misplaced ssh/forward_warning debconf note
    (closes: Ubuntu #7363).
  * Resynchronise with Debian.
  * New upstream release.
    - PAM password authentication implemented again (closes: #238699,
      #242119).
    - Implemented the ability to pass selected environment variables between
      the client and the server.
    - Fix ssh-keyscan breakage when remote server doesn't speak SSH protocol
      (closes: #228828).
    - Fix res_query detection (closes: #242462).
    - 'ssh -c' documentation improved (closes: #265627).
  * Pass LANG and LC_* environment variables from the client by default, and
    accept them to the server by default in new installs, although not on
    upgrade (closes: #264024).
  * Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones).
  * Expand on openssh-client package description (closes: #273831).
  * Resynchronise with Debian.
  * We use DH_COMPAT=2, so build-depend on debhelper (>= 2).
  * Fix timing information leak allowing discovery of invalid usernames in
    PAM keyboard-interactive authentication (backported from a patch by
    Darren Tucker; closes: #281595).
  * Make sure that there's a delay in PAM keyboard-interactive
    authentication when PermitRootLogin is not set to yes and the correct
    root password is entered (closes: #248747).
  * Resynchronise with Debian.
  * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
  * debconf template translations:
    - Update Dutch (thanks, cobaco; closes: #278715).
  * Correct README.Debian's ForwardX11Trusted description (closes: #280190).
  * Resynchronise with Debian.
  * Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754).
  * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian
    1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH
    implementations apparently have problems with the long version string.
    This is of course a bug in those implementations, but since the extent
    of the problem is unknown it's best to play safe (closes: #275731).
  * debconf template translations:
    - Add Finnish (thanks, Matti Pöllä; closes: #265339).
    - Update Danish (thanks, Morten Brix Pedersen; closes: #275895).
    - Update French (thanks, Denis Barbier; closes: #276703).
    - Update Japanese (thanks, Kenshi Muto; closes: #277438).

6ac1c57... by Colin Watson on 2005-03-15

Import patches-unapplied version 1:3.9p1-1ubuntu2 to ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: 3053cc0aa054e1edab75b86126dd2c87a66d3316

New changelog entries:
  * Don't ask unnecessary and misplaced ssh/forward_warning debconf note
    (closes: Ubuntu #7363).
  * Resynchronise with Debian.
  * New upstream release.
    - PAM password authentication implemented again (closes: #238699,
      #242119).
    - Implemented the ability to pass selected environment variables between
      the client and the server.
    - Fix ssh-keyscan breakage when remote server doesn't speak SSH protocol
      (closes: #228828).
    - Fix res_query detection (closes: #242462).
    - 'ssh -c' documentation improved (closes: #265627).
  * Pass LANG and LC_* environment variables from the client by default, and
    accept them to the server by default in new installs, although not on
    upgrade (closes: #264024).
  * Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones).
  * Expand on openssh-client package description (closes: #273831).
  * Resynchronise with Debian.
  * We use DH_COMPAT=2, so build-depend on debhelper (>= 2).
  * Fix timing information leak allowing discovery of invalid usernames in
    PAM keyboard-interactive authentication (backported from a patch by
    Darren Tucker; closes: #281595).
  * Make sure that there's a delay in PAM keyboard-interactive
    authentication when PermitRootLogin is not set to yes and the correct
    root password is entered (closes: #248747).
  * Resynchronise with Debian.
  * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
  * debconf template translations:
    - Update Dutch (thanks, cobaco; closes: #278715).
  * Correct README.Debian's ForwardX11Trusted description (closes: #280190).
  * Resynchronise with Debian.
  * Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754).
  * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian
    1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH
    implementations apparently have problems with the long version string.
    This is of course a bug in those implementations, but since the extent
    of the problem is unknown it's best to play safe (closes: #275731).
  * debconf template translations:
    - Add Finnish (thanks, Matti Pöllä; closes: #265339).
    - Update Danish (thanks, Morten Brix Pedersen; closes: #275895).
    - Update French (thanks, Denis Barbier; closes: #276703).
    - Update Japanese (thanks, Kenshi Muto; closes: #277438).

1b47c8f... by Colin Watson on 2004-10-07

Import patches-applied version 1:3.8.1p1-11ubuntu3 to applied/ubuntu/warty

Imported using git-ubuntu import.

Unapplied parent: 3053cc0aa054e1edab75b86126dd2c87a66d3316

3053cc0... by Colin Watson on 2004-10-07

Import patches-unapplied version 1:3.8.1p1-11ubuntu3 to ubuntu/warty

Imported using git-ubuntu import.