Last commit made on 2008-10-01
Get this branch:
git clone -b ubuntu/dapper-updates https://git.launchpad.net/ubuntu/+source/openssh
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information


Recent commits

513b845... by Kees Cook on 2008-09-29

Import patches-unapplied version 1:4.2p1-7ubuntu3.5 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 349331f12cfd95d664f19fe1c5b91fee3f7e5c22

New changelog entries:
  * SECURITY UPDATE: block signal handler crash DoS.
  * log.c: backport upstream corrections, thanks to Florian Weimer.
  * References

349331f... by Colin Watson on 2008-05-17

Import patches-unapplied version 1:4.2p1-7ubuntu3.4 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 5d329e38b1259af9b978fb983543c12223e180a6

New changelog entries:
  * Mitigate OpenSSL security vulnerability (CVE-2008-0166):
    - Add key blacklisting support. Keys listed in
      /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
      sshd, unless "PermitBlacklistedKeys yes" is set in
    - Add a new program, ssh-vulnkey, which can be used to check keys
      against these blacklists.
    - Depend on openssh-blacklist.

5d329e3... by Kees Cook on 2008-04-01

Import patches-unapplied version 1:4.2p1-7ubuntu3.3 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 75298c79e9096f8f144bb3a3191af6e9ab758ab9

New changelog entries:
  * SECURITY UPDATE: X11 forward hijacking via alternate address families.
  * channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel
    (LP: #210175).
  * References

75298c7... by Kees Cook on 2008-01-09

Import patches-unapplied version 1:4.2p1-7ubuntu3.2 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 872b45f6aac7fcd7ce5817b1cbeeb319142ea06e

New changelog entries:
  * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
  * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
    thanks to Stephan Hermann.
  * References:

872b45f... by Martin Pitt on 2006-10-02

Import patches-unapplied version 1:4.2p1-7ubuntu3.1 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 7e6667783f6328fff22531b339d6e1bb4fe8ed3b

New changelog entries:
  * CVE-2006-4924: Fix a pre-authentication denial of service found by
    Tavis Ormandy, that would cause sshd(8) to spin until the login grace
    time expired.
    Upstream fixes:
  * Fix an unsafe signal hander reported by Mark Dowd. The
    signal handler was vulnerable to a race condition that could be
    exploited to perform a pre-authentication denial of service. [CVE-2006-5051]
    On portable OpenSSH, this vulnerability could theoretically lead to
    pre-authentication remote code execution if GSSAPI authentication is
    enabled, but the likelihood of successful exploitation appears remote.
  * Above patches taken from Debian's 4.3p2-4 version, thanks to Colin Watson
    for backporting them from 4.4p1.
  * packet.c: Fix a NULL dereference crash so that an appropriate error
    message is printed on a protocol error. This is not actually a
    vulnerability, but has been assigned CVE-2006-4925, so let's fix it for
    completeness' sake.
    Taken from upstream CVS:

7e66677... by Colin Watson on 2006-05-17

Import patches-unapplied version 1:4.2p1-7ubuntu3 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 8b11a29ade34b074fc04f6275cc1d8817de56015

New changelog entries:
  * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the
    server configuration, as otherwise 'sshd -t' will complain about the
    lack of /var/run/sshd (closes: Malone #45234).

8b11a29... by Colin Watson on 2006-05-12

Import patches-unapplied version 1:4.2p1-7ubuntu2 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: ad34150514c6f03c5110f40de409fc67426482c6

New changelog entries:
  * Backport from OpenSSH 4.3 (closes: Malone #25528):
    - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
      lingering sockets from previous session (X11 applications can
      sometimes not connect to

ad34150... by Colin Watson on 2006-03-01

Import patches-unapplied version 1:4.2p1-7ubuntu1 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: c56287d6ffe914bc67b3bb532b5166198a38c300

New changelog entries:
  * Resynchronise with Debian.
  * I accidentally applied the default $PATH change in 1:4.2p1-6 to the udeb
    rather than the deb. Fixed.
  * Sync default values of $PATH from shadow 1:4.0.12-6, adding /usr/bin/X11
    to the normal and superuser paths and /usr/games to the normal path.
  * When the client receives a signal, don't fatal() with "Killed by signal
    %d." (which produces unhelpful noise on stderr and causes confusion for
    users of some applications that wrap ssh); instead, generate a debug
    message and exit with the traditional status (closes: #313371).
  * debconf template translations:
    - Add Swedish (thanks, Daniel Nylander; closes: #333133).
    - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
      closes: #341371).
    - Correct erroneously-changed Last-Translator headers in Greek and
      Spanish translations.

c56287d... by Martin Pitt on 2006-02-20

Import patches-unapplied version 1:4.2p1-5ubuntu2 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: d200ad971406bdf4a0a63d383a349d6c64bc66d8

New changelog entries:
  * SECURITY UPDATE: Shell code injection with crafted file names in scp.
  * Ported upstream patch from 4.3p2 to replace system() call with a proper
    exec() call; this avoids expanding shell metacharacters in local-to-local
    or remote-to-remote copies.
  * CVE-2006-0225

d200ad9... by Colin Watson on 2005-10-31

Import patches-unapplied version 1:4.2p1-5ubuntu1 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: fbef8cdcb6187bd382103833c21da8513f795c8a

New changelog entries:
  * Resynchronise with Debian.
  * Add a CVE name to the 1:4.0p1-1 changelog entry.
  * Build-depend on libselinux1-dev on armeb.
  * Only send GSSAPI proposal if GSSAPIAuthentication is enabled.
  * Build-depend on libssl-dev (>= 0.9.8-1) to cope with surprise OpenSSL
    transition, since otherwise who knows what the buildds will do. If
    you're building openssh yourself, you can safely ignore this and use an
    older libssl-dev.
  * Initialise token to GSS_C_EMPTY_BUFFER in ssh_gssapi_check_mechanism
    (closes: #328606).
  * Add prototype for ssh_gssapi_server_mechanisms (closes: #328372).
  * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly
    different version of the gssapi authentication method (thanks, Aaron M.
    Ucko; closes: #328388).
  * Explicitly tell po2debconf to use the 'popular' output encoding, so that
    the woody-compatibility hack works even with po-debconf 0.9.0.
  * Annotate 1:4.2p1-1 changelog with CVE references.
  * Add remaining pieces of Kerberos support (closes: #152657, #275472):
    - Add GSSAPI key exchange support from
      http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen
    - Build-depend on libkrb5-dev and configure --with-kerberos5=/usr.
    - openssh-client and openssh-server replace ssh-krb5.
    - Update commented-out Kerberos/GSSAPI options in default sshd_config.
  * New upstream release.
    - SECURITY (CAN-2005-2797): Fix a bug introduced in OpenSSH 4.0 that
      caused GatewayPorts to be incorrectly activated for dynamic ("-D")
      port forwardings when no listen address was explicitly specified
      (closes: #326065).
    - SECURITY (CAN-2005-2798): Fix improper delegation of GSSAPI
      credentials. This code is only built in openssh-krb5, not openssh, but
      I mention the CVE reference here anyway for completeness.
    - Add a new compression method ("Compression delayed") that delays zlib
      compression until after authentication, eliminating the risk of zlib
      vulnerabilities being exploited by unauthenticated users. Note that
      users of OpenSSH versions earlier than 3.5 will need to disable
      compression on the client or set "Compression yes" (losing this
      security benefit) on the server.
    - Increase the default size of new RSA/DSA keys generated by ssh-keygen
      from 1024 to 2048 bits (closes: #181162).
    - Many bugfixes and improvements to connection multiplexing.
    - Don't pretend to accept $HOME (closes: #208648).
  * debian/rules: Resynchronise CFLAGS with that generated by configure.
  * openssh-client and openssh-server conflict with pre-split ssh to avoid
    problems when ssh is left un-upgraded (closes: #324695).
  * Set X11Forwarding to yes in the default sshd_config (new installs only).
    At least when X11UseLocalhost is turned on, which is the default, the
    security risks of using X11 forwarding are risks to the client, not to
    the server (closes: #320104).