ubuntu/+source/openssh:ubuntu/edgy-devel

Last commit made on 2008-04-01
Get this branch:
git clone -b ubuntu/edgy-devel https://git.launchpad.net/ubuntu/+source/openssh
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/edgy-devel
Repository: lp:ubuntu/+source/openssh

Recent commits

52efece... by Kees Cook on 2008-04-01

Import patches-unapplied version 1:4.3p2-5ubuntu1.2 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 2144a46c507b70d19754fb1fa0f5980ea12c7946

New changelog entries:
  * SECURITY UPDATE: X11 forward hijacking via alternate address families.
  * channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel
    (LP: #210175).
  * References
    CVE-2008-1483

2144a46... by Kees Cook on 2008-01-09

Import patches-unapplied version 1:4.3p2-5ubuntu1.1 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 891bef0d2423a8437ec00b46138b99307e0f67dc

New changelog entries:
  * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
    generated.
  * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
    thanks to Stephan Hermann.
  * References:
    CVE-2007-4752
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

891bef0... by Colin Watson on 2006-10-05

Import patches-unapplied version 1:4.3p2-5ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 1d4fb0d11110722933dbd74235de63e134c8ddd2

New changelog entries:
  * Resynchronise with Debian.
  * Remove ssh/insecure_telnetd check altogether (closes: #391081).
  * debconf template translations:
    - Update Danish (thanks, Claus Hindsgaul; closes: #390612).

1d4fb0d... by Colin Watson on 2006-09-29

Import patches-unapplied version 1:4.3p2-4ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 2efa7c85c7f44957cbc499aa3f17cc45073e0909

New changelog entries:
  * Resynchronise with Debian.
  * Backport from 4.4p1 (since I don't have an updated version of the GSSAPI
    patch yet):
    - CVE-2006-4924: Fix a pre-authentication denial of service found by
      Tavis Ormandy, that would cause sshd(8) to spin until the login grace
      time expired (closes: #389995).
    - CVE-2006-5051: Fix an unsafe signal handler reported by Mark Dowd. The
      signal handler was vulnerable to a race condition that could be
      exploited to perform a pre-authentication denial of service. On
      portable OpenSSH, this vulnerability could theoretically lead to
      pre-authentication remote code execution if GSSAPI authentication is
      enabled, but the likelihood of successful exploitation appears remote.
  * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël
    Hertzog; closes: #369395).
  * Remove no-longer-used ssh/insecure_rshd debconf template.
  * Make ssh/insecure_telnetd Type: error (closes: #388946).
  * debconf template translations:
    - Update Portuguese (thanks, Rui Branco; closes: #381942).
    - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
      closes: #382966).
  * Document KeepAlive->TCPKeepAlive renaming in sshd_config(5) (closes:
    https://launchpad.net/bugs/50702).
  * Change sshd user's shell to /usr/sbin/nologin (closes: #366541).
    Introduces dependency on passwd for usermod.
  * debconf template translations:
    - Update French (thanks, Denis Barbier; closes: #368503).
    - Update Dutch (thanks, Bart Cornelis; closes: #375100).
    - Update Japanese (thanks, Kenshi Muto; closes: #379950).

2efa7c8... by Colin Watson on 2006-08-23

Import patches-unapplied version 1:4.3p2-2ubuntu5 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: b66a58503a7d4de982ff78b3997c4da3ddc1263c

New changelog entries:
  * Move sysv-rc versioned dependency from openssh-client to openssh-server
    (closes: Malone #56021).

b66a585... by Colin Watson on 2006-07-21

Import patches-unapplied version 1:4.3p2-2ubuntu4 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: dc70c784d68ea5fff71aff670f5b3d15c1f8d499

New changelog entries:
  * Fix setup_init changes; $2 means something different inside a function.

dc70c78... by Scott James Remnant (Canonical) on 2006-07-21

Import patches-unapplied version 1:4.3p2-2ubuntu3 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 7cda7b783825f85200a5019e577685e165b270fb

New changelog entries:
  * Add forgotten versioned-dependency on sysv-rc to get new update-rc.d
    behaviour. Go me.

7cda7b7... by Scott James Remnant (Canonical) on 2006-07-20

Import patches-unapplied version 1:4.3p2-2ubuntu2 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: bc6e1ed68794d29e079ddb5173e59e8619cec89a

New changelog entries:
  * Remove stop links from rc0 and rc6

bc6e1ed... by Colin Watson on 2006-06-28

Import patches-unapplied version 1:4.3p2-2ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 7e6667783f6328fff22531b339d6e1bb4fe8ed3b

New changelog entries:
  * Resynchronise with Debian.
  * Drop direct upgrade compatibility from the Warty preview release.
  * Drop patch to use /usr/bin/xauth instead of /usr/bin/X11/xauth; the
    /usr/bin/X11 symlink should always exist, and using it makes the package
    easier to backport.
  * Include commented-out pam_access example in /etc/pam.d/ssh.
  * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the
    server configuration, as otherwise 'sshd -t' will complain about the
    lack of /var/run/sshd (closes: https://launchpad.net/bugs/45234).
  * debconf template translations:
    - Update Russian (thanks, Yuriy Talakan'; closes: #367143).
    - Update Czech (thanks, Miroslav Kure; closes: #367161).
    - Update Italian (thanks, Luca Monducci; closes: #367186).
    - Update Galician (thanks, Jacobo Tarrio; closes: #367318).
    - Update Swedish (thanks, Daniel Nylander; closes: #367971).
  * New upstream release (closes: #361032).
    - CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
      subshell to perform local to local, and remote to remote copy
      operations. This subshell exposed filenames to shell expansion twice;
      allowing a local attacker to create filenames containing shell
      metacharacters that, if matched by a wildcard, could lead to execution
      of attacker-specified commands with the privilege of the user running
      scp (closes: #349645).
    - Add support for tunneling arbitrary network packets over a connection
      between an OpenSSH client and server via tun(4) virtual network
      interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN
      between the client and server providing real network connectivity at
      layer 2 or 3. This feature is experimental.
    - Reduce default key length for new DSA keys generated by ssh-keygen
      back to 1024 bits. DSA is not specified for longer lengths and does
      not fully benefit from simply making keys longer. As per FIPS 186-2
      Change Notice 1, ssh-keygen will refuse to generate a new DSA key
      smaller or larger than 1024 bits.
    - Fixed X forwarding failing to start when the X11 client is executed in
      background at the time of session exit.
    - Change ssh-keygen to generate a protocol 2 RSA key when invoked
      without arguments (closes: #114894).
    - Fix timing variance for valid vs. invalid accounts when attempting
      Kerberos authentication.
    - Ensure that ssh always returns code 255 on internal error
      (closes: #259865).
    - Cleanup wtmp files on SIGTERM when not using privsep.
    - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
      lingering sockets from previous session (X11 applications can
      sometimes not connect to 127.0.0.1:60xx) (closes:
      https://launchpad.net/bugs/25528).
    - Ensure that fds 0, 1 and 2 are always attached in all programs, by
      duping /dev/null to them if necessary.
    - Xauth list invocation had bogus "." argument.
    - Remove internal assumptions on key exchange hash algorithm and output
      length, preparing OpenSSH for KEX methods with alternate hashes.
    - Ignore junk sent by a server before it sends the "SSH-" banner.
    - Many manual page improvements.
    - Lots of cleanups, including fixes to memory leaks on error paths and
      possible crashes.
  * Update to current GSSAPI patch from
    http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch
    (closes: #352042).
  * debian/rules: Resynchronise CFLAGS with that generated by configure.
  * Restore pam_nologin to /etc/pam.d/ssh; sshd no longer checks this itself
    when PAM is enabled, but relies on PAM to do it.
  * Rename KeepAlive to TCPKeepAlive in default sshd_config
    (closes: #349896).
  * Rephrase ssh/new_config and ssh/encrypted_host_key_but_no_keygen debconf
    templates to make boolean short descriptions end with a question mark
    and to avoid use of the first person.
  * Ship README.tun.
  * Policy version 3.7.2: no changes required.
  * debconf template translations:
    - Update Italian (thanks, Luca Monducci; closes: #360348).
    - Add Galician (thanks, Jacobo Tarrio; closes: #361220).
  [ Frans Pop ]
  * Use udeb support introduced in debhelper 4.2.0 (available in sarge)
    rather than constructing udebs by steam.
  * Require debhelper 5.0.22, which generates correct shared library
    dependencies for udebs (closes: #360068). This build-dependency can be
    ignored if building on sarge.
  [ Colin Watson ]
  * Switch to debhelper compatibility level 4, since we now require
    debhelper 4 even on sarge anyway for udeb support.

7e66677... by Colin Watson on 2006-05-17

Import patches-unapplied version 1:4.2p1-7ubuntu3 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 8b11a29ade34b074fc04f6275cc1d8817de56015

New changelog entries:
  * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the
    server configuration, as otherwise 'sshd -t' will complain about the
    lack of /var/run/sshd (closes: Malone #45234).