ubuntu/+source/openssh:ubuntu/feisty

Last commit made on 2007-02-19
Get this branch:
git clone -b ubuntu/feisty https://git.launchpad.net/ubuntu/+source/openssh

Branch information

Name: ubuntu/feisty
Repository: lp:ubuntu/+source/openssh

Recent commits

6acddba... by Colin Watson on 2007-02-19

Import patches-unapplied version 1:4.3p2-8ubuntu1 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: e7b80c3001a890710cda652c8446234a9a617421

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
    - Use LSB init script functions.
    - Increase MAX_SESSIONS to 64.
    - Remove stop links from rc0 and rc6.
  * Build position-independent executables (only for debs, not for udebs) to
    take advantage of address space layout randomisation (thanks, Kees
    Cook).
  * Set Maintainer to me.
  [ Vincent Untz ]
  * Give the ssh-askpass-gnome window a default icon; remove unnecessary
    icon extension from .desktop file (closes:
    https://launchpad.net/bugs/27152).
  [ Colin Watson ]
  * Drop versioning on ssh/ssh-krb5 Replaces, as otherwise it isn't
    sufficient to replace conffiles (closes: #402804).
  * Make GSSAPICleanupCreds a compatibility alias for
    GSSAPICleanupCredentials. Mark GSSUseSessionCCache and
    GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate
    away from them on upgrade.
  * It turns out that the people who told me that removing a conffile in the
    preinst was sufficient to have dpkg replace it without prompting when
    moving a conffile between packages were very much mistaken. As far as I
    can tell, the only way to do this reliably is to write out the desired
    new text of the conffile in the preinst. This is gross, and requires
    shipping the text of all conffiles in the preinst too, but there's
    nothing for it. Fortunately this nonsense is only required for smooth
    upgrades from sarge.
  * debconf template translations:
    - Add Romanian (thanks, Stan Ioan-Eugen; closes: #403528).

e7b80c3... by Colin Watson on 2006-12-11

Import patches-unapplied version 1:4.3p2-7ubuntu1 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: 72139b168c8252a92d59034c5c63f8753b4da1be

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
    - Use LSB init script functions.
    - Increase MAX_SESSIONS to 64.
    - Remove stop links from rc0 and rc6.
  [ Colin Watson ]
  * Ignore errors from usermod when changing sshd's shell, since it will
    fail if the sshd user is not local (closes: #398436).
  * Remove version control tags from /etc/ssh/moduli and /etc/ssh/ssh_config
    to avoid unnecessary conffile resolution steps for administrators
    (thanks, Jari Aalto; closes: #335259).
  * Fix quoting error in configure.ac and regenerate configure (thanks, Ben
    Pfaff; closes: #391248).
  * When installing openssh-client or openssh-server from scratch, remove
    any unchanged conffiles from the pre-split ssh package to work around a
    bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
  [ Russ Allbery ]
  * Create transitional ssh-krb5 package which enables GSSAPI configuration
    in sshd_config (closes: #390986).
  * Default client to attempting GSSAPI authentication.
  * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's
    found.
  * Add ssh -K option, the converse of -k, to enable GSSAPI credential
    delegation (closes: #401483).

72139b1... by Colin Watson on 2006-11-27

Import patches-unapplied version 1:4.3p2-6ubuntu1 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: 891bef0d2423a8437ec00b46138b99307e0f67dc

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
    - Use LSB init script functions.
    - Increase MAX_SESSIONS to 64.
    - Remove stop links from rc0 and rc6.
  * Acknowledge NMU (thanks, Manoj; closes: #394795).
  * Backport from 4.5p1:
    - Fix a bug in the sshd privilege separation monitor that weakened its
      verification of successful authentication. This bug is not known to be
      exploitable in the absence of additional vulnerabilities.
  * openssh-server Suggests: molly-guard (closes: #395473).
  * debconf template translations:
    - Update German (thanks, Helge Kreutzmann; closes: #395947).
  * NMU to update SELinux patch, bringing it in line with current selinux
    releases. The patch for this NMU is simply the Bug#394795 patch,
    and no other changes. (closes: #394795)

891bef0... by Colin Watson on 2006-10-05

Import patches-unapplied version 1:4.3p2-5ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 1d4fb0d11110722933dbd74235de63e134c8ddd2

New changelog entries:
  * Resynchronise with Debian.
  * Remove ssh/insecure_telnetd check altogether (closes: #391081).
  * debconf template translations:
    - Update Danish (thanks, Claus Hindsgaul; closes: #390612).

1d4fb0d... by Colin Watson on 2006-09-29

Import patches-unapplied version 1:4.3p2-4ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 2efa7c85c7f44957cbc499aa3f17cc45073e0909

New changelog entries:
  * Resynchronise with Debian.
  * Backport from 4.4p1 (since I don't have an updated version of the GSSAPI
    patch yet):
    - CVE-2006-4924: Fix a pre-authentication denial of service found by
      Tavis Ormandy, that would cause sshd(8) to spin until the login grace
      time expired (closes: #389995).
    - CVE-2006-5051: Fix an unsafe signal handler reported by Mark Dowd. The
      signal handler was vulnerable to a race condition that could be
      exploited to perform a pre-authentication denial of service. On
      portable OpenSSH, this vulnerability could theoretically lead to
      pre-authentication remote code execution if GSSAPI authentication is
      enabled, but the likelihood of successful exploitation appears remote.
  * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël
    Hertzog; closes: #369395).
  * Remove no-longer-used ssh/insecure_rshd debconf template.
  * Make ssh/insecure_telnetd Type: error (closes: #388946).
  * debconf template translations:
    - Update Portuguese (thanks, Rui Branco; closes: #381942).
    - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
      closes: #382966).
  * Document KeepAlive->TCPKeepAlive renaming in sshd_config(5) (closes:
    https://launchpad.net/bugs/50702).
  * Change sshd user's shell to /usr/sbin/nologin (closes: #366541).
    Introduces dependency on passwd for usermod.
  * debconf template translations:
    - Update French (thanks, Denis Barbier; closes: #368503).
    - Update Dutch (thanks, Bart Cornelis; closes: #375100).
    - Update Japanese (thanks, Kenshi Muto; closes: #379950).

2efa7c8... by Colin Watson on 2006-08-23

Import patches-unapplied version 1:4.3p2-2ubuntu5 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: b66a58503a7d4de982ff78b3997c4da3ddc1263c

New changelog entries:
  * Move sysv-rc versioned dependency from openssh-client to openssh-server
    (closes: Malone #56021).

b66a585... by Colin Watson on 2006-07-21

Import patches-unapplied version 1:4.3p2-2ubuntu4 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: dc70c784d68ea5fff71aff670f5b3d15c1f8d499

New changelog entries:
  * Fix setup_init changes; $2 means something different inside a function.

dc70c78... by Scott James Remnant (Canonical) on 2006-07-21

Import patches-unapplied version 1:4.3p2-2ubuntu3 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 7cda7b783825f85200a5019e577685e165b270fb

New changelog entries:
  * Add forgotten versioned-dependency on sysv-rc to get new update-rc.d
    behaviour. Go me.

7cda7b7... by Scott James Remnant (Canonical) on 2006-07-20

Import patches-unapplied version 1:4.3p2-2ubuntu2 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: bc6e1ed68794d29e079ddb5173e59e8619cec89a

New changelog entries:
  * Remove stop links from rc0 and rc6

bc6e1ed... by Colin Watson on 2006-06-28

Import patches-unapplied version 1:4.3p2-2ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 7e6667783f6328fff22531b339d6e1bb4fe8ed3b

New changelog entries:
  * Resynchronise with Debian.
  * Drop direct upgrade compatibility from the Warty preview release.
  * Drop patch to use /usr/bin/xauth instead of /usr/bin/X11/xauth; the
    /usr/bin/X11 symlink should always exist, and using it makes the package
    easier to backport.
  * Include commented-out pam_access example in /etc/pam.d/ssh.
  * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the
    server configuration, as otherwise 'sshd -t' will complain about the
    lack of /var/run/sshd (closes: https://launchpad.net/bugs/45234).
  * debconf template translations:
    - Update Russian (thanks, Yuriy Talakan'; closes: #367143).
    - Update Czech (thanks, Miroslav Kure; closes: #367161).
    - Update Italian (thanks, Luca Monducci; closes: #367186).
    - Update Galician (thanks, Jacobo Tarrio; closes: #367318).
    - Update Swedish (thanks, Daniel Nylander; closes: #367971).
  * New upstream release (closes: #361032).
    - CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
      subshell to perform local to local, and remote to remote copy
      operations. This subshell exposed filenames to shell expansion twice;
      allowing a local attacker to create filenames containing shell
      metacharacters that, if matched by a wildcard, could lead to execution
      of attacker-specified commands with the privilege of the user running
      scp (closes: #349645).
    - Add support for tunneling arbitrary network packets over a connection
      between an OpenSSH client and server via tun(4) virtual network
      interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN
      between the client and server providing real network connectivity at
      layer 2 or 3. This feature is experimental.
    - Reduce default key length for new DSA keys generated by ssh-keygen
      back to 1024 bits. DSA is not specified for longer lengths and does
      not fully benefit from simply making keys longer. As per FIPS 186-2
      Change Notice 1, ssh-keygen will refuse to generate a new DSA key
      smaller or larger than 1024 bits.
    - Fixed X forwarding failing to start when the X11 client is executed in
      background at the time of session exit.
    - Change ssh-keygen to generate a protocol 2 RSA key when invoked
      without arguments (closes: #114894).
    - Fix timing variance for valid vs. invalid accounts when attempting
      Kerberos authentication.
    - Ensure that ssh always returns code 255 on internal error
      (closes: #259865).
    - Cleanup wtmp files on SIGTERM when not using privsep.
    - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
      lingering sockets from previous session (X11 applications can
      sometimes not connect to 127.0.0.1:60xx) (closes:
      https://launchpad.net/bugs/25528).
    - Ensure that fds 0, 1 and 2 are always attached in all programs, by
      duping /dev/null to them if necessary.
    - Xauth list invocation had bogus "." argument.
    - Remove internal assumptions on key exchange hash algorithm and output
      length, preparing OpenSSH for KEX methods with alternate hashes.
    - Ignore junk sent by a server before it sends the "SSH-" banner.
    - Many manual page improvements.
    - Lots of cleanups, including fixes to memory leaks on error paths and
      possible crashes.
  * Update to current GSSAPI patch from
    http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch
    (closes: #352042).
  * debian/rules: Resynchronise CFLAGS with that generated by configure.
  * Restore pam_nologin to /etc/pam.d/ssh; sshd no longer checks this itself
    when PAM is enabled, but relies on PAM to do it.
  * Rename KeepAlive to TCPKeepAlive in default sshd_config
    (closes: #349896).
  * Rephrase ssh/new_config and ssh/encrypted_host_key_but_no_keygen debconf
    templates to make boolean short descriptions end with a question mark
    and to avoid use of the first person.
  * Ship README.tun.
  * Policy version 3.7.2: no changes required.
  * debconf template translations:
    - Update Italian (thanks, Luca Monducci; closes: #360348).
    - Add Galician (thanks, Jacobo Tarrio; closes: #361220).
  [ Frans Pop ]
  * Use udeb support introduced in debhelper 4.2.0 (available in sarge)
    rather than constructing udebs by steam.
  * Require debhelper 5.0.22, which generates correct shared library
    dependencies for udebs (closes: #360068). This build-dependency can be
    ignored if building on sarge.
  [ Colin Watson ]
  * Switch to debhelper compatibility level 4, since we now require
    debhelper 4 even on sarge anyway for udeb support.