Last commit made on 2017-06-06
Get this branch:
git clone -b debian/experimental https://git.launchpad.net/ubuntu/+source/openssh

Recent commits

e7c9fd6... by Colin Watson on 2017-06-06

Import patches-unapplied version 1:7.5p1-4 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 1601afa223bc935cee4688c481d60c99e3e90a28

New changelog entries:
  * Drop README.Debian section on privilege separation, as it's no longer
  * Only call "initctl set-env" from agent-launch if $UPSTART_SESSION is set
    (LP: #1689299).
  * Fix incoming compression statistics (thanks, Russell Coker; closes:
  * Relicense debian/* under a two-clause BSD licence for bidirectional
    compatibility with upstream, with permission from Matthew Vernon and

1601afa... by Colin Watson on 2017-05-02

Import patches-unapplied version 1:7.5p1-3 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: f733ac73e291d0c2ded570132cf7f5ecbf948c22

New changelog entries:
  * Fix debian/adjust-openssl-dependencies to account for preferring
  * Adjust OpenSSL dependencies for openssh-client-ssh1 too.
  * Fix purge failure when /etc/ssh has already somehow been removed
    (LP: #1682817).
  * Ensure that /etc/ssh exists before trying to create /etc/ssh/sshd_config
    (LP: #1685022).

f733ac7... by Colin Watson on 2017-04-02

Import patches-unapplied version 1:7.5p1-2 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 15663217edcca1156b584fc75564bebccf4cdd33

New changelog entries:
  * Add missing header on Linux/s390.
  * Fix syntax error on Linux/X32.

1566321... by Colin Watson on 2017-04-02

Import patches-unapplied version 1:7.5p1-1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 2d6a7b7a356d897d168dc051cab091e02ee05f47

New changelog entries:
  * New upstream release (https://www.openssh.com/txt/release-7.5):
    - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle
      countermeasures that allowed a variant of the attack fixed in OpenSSH
      7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by
      default, sshd offers them as lowest-preference options and will remove
      them by default entirely in the next release.
    - This release deprecates the sshd_config UsePrivilegeSeparation option,
      thereby making privilege separation mandatory (closes: #407754).
    - The format of several log messages emitted by the packet code has
      changed to include additional information about the user and their
      authentication state. Software that monitors ssh/sshd logs may need
      to account for these changes.
    - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
      algorithm lists, e.g. Ciphers=-*cbc.
    - sshd(1): Fix NULL dereference crash when key exchange start messages
      are sent out of sequence.
    - ssh(1), sshd(8): Allow form-feed characters to appear in configuration
    - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs
      extension, where SHA2 RSA signature methods were not being correctly
    - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
      known_hosts processing.
    - ssh(1): Allow ssh to use certificates accompanied by a private key
      file but no corresponding plain *.pub public key.
    - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept
      RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously,
      ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were
      enabled in HostkeyAlgorithms and not the old ssh-rsa method.
    - ssh(1): Detect and report excessively long configuration file lines.
    - Merge a number of fixes found by Coverity and reported via Redhat and
      FreeBSD. Includes fixes for some memory and file descriptor leaks in
      error paths.
    - ssh(1), sshd(8): When logging long messages to stderr, don't truncate
      "\r\n" if the length of the message exceeds the buffer.
    - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
      line; avoid confusion over IPv6 addresses and shells that treat square
      bracket characters specially.
    - Fix various fallout and sharp edges caused by removing SSH protocol 1
      support from the server, including the server banner string being
      incorrectly terminated with only \n (instead of \r\n), confusing error
      messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was
      enabled for the client and sshd_config contained references to legacy
    - ssh(1), sshd(8): Free fd_set on connection timeout.
    - sftp(1): Fix division by zero crash in "df" output when server returns
      zero total filesystem blocks/inodes.
    - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
      encountered during key loading to more meaningful error codes.
    - ssh-keygen(1): Sanitise escape sequences in key comments sent to
      printf but preserve valid UTF-8 when the locale supports it.
    - ssh(1), sshd(8): Return reason for port forwarding failures where
      feasible rather than always "administratively prohibited".
    - sshd(8): Fix deadlock when AuthorizedKeysCommand or
      AuthorizedPrincipalsCommand produces a lot of output and a key is
      matched early.
    - ssh(1): Fix typo in ~C error message for bad port forward
    - ssh(1): Show a useful error message when included config files can't
      be opened.
    - sshd_config(5): Repair accidentally-deleted mention of %k token in
    - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
    - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common
      32-bit compatibility library directories.
    - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
      response handling.
    - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys.
      It was not possible to delete them except by specifying their full
      physical path.
    - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
      crypto coprocessor.
    - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
    - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
      contain non-printable characters where the codeset in use is ASCII.

2d6a7b7... by Colin Watson on 2017-03-30

Import patches-unapplied version 1:7.4p1-10 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 94a006df0dee470be9fb627968eaa05377579243

New changelog entries:
  * Move privilege separation directory and PID file from /var/run/ to /run/
    (closes: #760422, #856825).
  * Unbreak Unix domain socket forwarding for root (closes: #858252).

94a006d... by Colin Watson on 2017-03-16

Import patches-unapplied version 1:7.4p1-9 to debian/sid

Imported using git-ubuntu import.

Changelog parent: caf5e54529906c23d6564b94d0ac5a79dae88f48

New changelog entries:
  * Fix null pointer dereference in ssh-keygen; this fixes an autopkgtest
    regression introduced in 1:7.4p1-8.

caf5e54... by Colin Watson on 2017-03-14

Import patches-unapplied version 1:7.4p1-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: cff7b0b8b7d65a13457fa19cd04efe1e6f336650

New changelog entries:
  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
    already-hashed entries (closes: #851734, LP: #1668093).
  * Fix ssh-keyscan to correctly hash hosts with a port number (closes:
    #857736, LP: #1670745).

cff7b0b... by Colin Watson on 2017-03-05

Import patches-unapplied version 1:7.4p1-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e5871a1970dbd5e633e2e58cc3e3aa72364669fd

New changelog entries:
  * Don't set "PermitRootLogin yes" on fresh installations (regression
    introduced in 1:7.4p1-1; closes: #852781).
  * Restore reading authorized_keys2 by default. Upstream seems to intend
    to gradually phase this out, so don't assume that this will remain the
    default forever. However, we were late in adopting the upstream
    sshd_config changes, so it makes sense to extend the grace period
    (closes: #852320).

e5871a1... by Colin Watson on 2017-01-16

Import patches-unapplied version 1:7.4p1-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e95a9b2d2e8d1db50334c83a31be63dceecd3a79

New changelog entries:
  * Remove temporary file on exit from postinst (closes: #850275).
  * Remove LOGIN_PROGRAM and LOGIN_NO_ENDOPT definitions, since UseLogin is
  * Document sshd_config changes that may be needed following the removal of
    protocol 1 support from sshd (closes: #851573).
  * Remove ssh_host_dsa_key from HostKey default (closes: #850614).
  * Fix rekeying failure with GSSAPI key exchange (thanks, Harald Barth;
    closes: #819361, LP: #1608965).

e95a9b2... by Colin Watson on 2017-01-03

Import patches-unapplied version 1:7.4p1-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: dbc2736c096741cf45bee5db8fb7fb8c65b483f3

New changelog entries:
  * Create mux socket for regression tests in a temporary directory.
  * Work around clock_gettime kernel bug on Linux x32 (closes: #849923).