ubuntu/+source/openssh:ubuntu/feisty-devel

Last commit made on 2008-10-01
Get this branch:
git clone -b ubuntu/feisty-devel https://git.launchpad.net/ubuntu/+source/openssh
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/feisty-devel
Repository:
lp:ubuntu/+source/openssh

Recent commits

1740796... by Kees Cook on 2008-09-29

Import patches-unapplied version 1:4.3p2-8ubuntu1.5 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: a7b71ee019e766cb29aef25e5116ef1508ff09a6

New changelog entries:
  * SECURITY UPDATE: block signal handler crash DoS.
  * log.c: backport upstream corrections, thanks to Florian Weimer.
  * References
    CVE-2008-4109

a7b71ee... by Jamie Strandboge on 2008-05-14

Import patches-unapplied version 1:4.3p2-8ubuntu1.4 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: 49dab57172fb27431c21ed7b099aae90bf18477a

New changelog entries:
  * Add a FILES section to ssh-vulnkey(1) (thanks, Hugh Daniel).
  * ssh-vulnkey handles options in authorized_keys (LP: #230029), and treats
    # as introducing a comment even if it is preceded by whitespace (thanks
    Colin Watson).

49dab57... by Jamie Strandboge on 2008-05-13

Import patches-unapplied version 1:4.3p2-8ubuntu1.3 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: 9b27e60ff6efc17b34547115251c1d03990d0cca

New changelog entries:
  * Mitigate OpenSSL security vulnerability thanks to Colin Watson:
    - Add key blacklisting support. Keys listed in
      /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
      sshd, unless "PermitBlacklistedKeys yes" is set in
      /etc/ssh/sshd_config.
    - Add a new program, ssh-vulnkey, which can be used to check keys
      against these blacklists.
    - Depend on openssh-blacklist.
    - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
      0.9.8c-4ubuntu0.3.
    - Automatically regenerate known-compromised host keys, with a
      critical-priority debconf note. (I regret that there was no time to
      gather translations.)
  * added README.compromised-keys thanks to Colin Watson
  * References
    CVE-2008-0166
    http://www.ubuntu.com/usn/usn-612-1

9b27e60... by Kees Cook on 2008-04-01

Import patches-unapplied version 1:4.3p2-8ubuntu1.2 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: a7c92db04ce1b1f66b644304b9e9d810ae9a3cb4

New changelog entries:
  * SECURITY UPDATE: X11 forward hijacking via alternate address families.
  * channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel
    (LP: #210175).
  * References
    CVE-2008-1483

a7c92db... by Kees Cook on 2008-01-09

Import patches-unapplied version 1:4.3p2-8ubuntu1.1 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: 6acddbaea60ba8a1ef4e1306c217b9adbfb3e7be

New changelog entries:
  * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
    generated.
  * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
    thanks to Stephan Hermann.
  * References:
    CVE-2007-4752
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

6acddba... by Colin Watson on 2007-02-19

Import patches-unapplied version 1:4.3p2-8ubuntu1 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: e7b80c3001a890710cda652c8446234a9a617421

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
    - Use LSB init script functions.
    - Increase MAX_SESSIONS to 64.
    - Remove stop links from rc0 and rc6.
  * Build position-independent executables (only for debs, not for udebs) to
    take advantage of address space layout randomisation (thanks, Kees
    Cook).
  * Set Maintainer to me.
  [ Vincent Untz ]
  * Give the ssh-askpass-gnome window a default icon; remove unnecessary
    icon extension from .desktop file (closes:
    https://launchpad.net/bugs/27152).
  [ Colin Watson ]
  * Drop versioning on ssh/ssh-krb5 Replaces, as otherwise it isn't
    sufficient to replace conffiles (closes: #402804).
  * Make GSSAPICleanupCreds a compatibility alias for
    GSSAPICleanupCredentials. Mark GSSUseSessionCCache and
    GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate
    away from them on upgrade.
  * It turns out that the people who told me that removing a conffile in the
    preinst was sufficient to have dpkg replace it without prompting when
    moving a conffile between packages were very much mistaken. As far as I
    can tell, the only way to do this reliably is to write out the desired
    new text of the conffile in the preinst. This is gross, and requires
    shipping the text of all conffiles in the preinst too, but there's
    nothing for it. Fortunately this nonsense is only required for smooth
    upgrades from sarge.
  * debconf template translations:
    - Add Romanian (thanks, Stan Ioan-Eugen; closes: #403528).

e7b80c3... by Colin Watson on 2006-12-11

Import patches-unapplied version 1:4.3p2-7ubuntu1 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: 72139b168c8252a92d59034c5c63f8753b4da1be

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
    - Use LSB init script functions.
    - Increase MAX_SESSIONS to 64.
    - Remove stop links from rc0 and rc6.
  [ Colin Watson ]
  * Ignore errors from usermod when changing sshd's shell, since it will
    fail if the sshd user is not local (closes: #398436).
  * Remove version control tags from /etc/ssh/moduli and /etc/ssh/ssh_config
    to avoid unnecessary conffile resolution steps for administrators
    (thanks, Jari Aalto; closes: #335259).
  * Fix quoting error in configure.ac and regenerate configure (thanks, Ben
    Pfaff; closes: #391248).
  * When installing openssh-client or openssh-server from scratch, remove
    any unchanged conffiles from the pre-split ssh package to work around a
    bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
  [ Russ Allbery ]
  * Create transitional ssh-krb5 package which enables GSSAPI configuration
    in sshd_config (closes: #390986).
  * Default client to attempting GSSAPI authentication.
  * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's
    found.
  * Add ssh -K option, the converse of -k, to enable GSSAPI credential
    delegation (closes: #401483).

72139b1... by Colin Watson on 2006-11-27

Import patches-unapplied version 1:4.3p2-6ubuntu1 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: 891bef0d2423a8437ec00b46138b99307e0f67dc

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
    - Use LSB init script functions.
    - Increase MAX_SESSIONS to 64.
    - Remove stop links from rc0 and rc6.
  * Acknowledge NMU (thanks, Manoj; closes: #394795).
  * Backport from 4.5p1:
    - Fix a bug in the sshd privilege separation monitor that weakened its
      verification of successful authentication. This bug is not known to be
      exploitable in the absence of additional vulnerabilities.
  * openssh-server Suggests: molly-guard (closes: #395473).
  * debconf template translations:
    - Update German (thanks, Helge Kreutzmann; closes: #395947).
  * NMU to update SELinux patch, bringing it in line with current selinux
    releases. The patch for this NMU is simply the Bug#394795 patch,
    and no other changes. (closes: #394795)

891bef0... by Colin Watson on 2006-10-05

Import patches-unapplied version 1:4.3p2-5ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 1d4fb0d11110722933dbd74235de63e134c8ddd2

New changelog entries:
  * Resynchronise with Debian.
  * Remove ssh/insecure_telnetd check altogether (closes: #391081).
  * debconf template translations:
    - Update Danish (thanks, Claus Hindsgaul; closes: #390612).

1d4fb0d... by Colin Watson on 2006-09-29

Import patches-unapplied version 1:4.3p2-4ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 2efa7c85c7f44957cbc499aa3f17cc45073e0909

New changelog entries:
  * Resynchronise with Debian.
  * Backport from 4.4p1 (since I don't have an updated version of the GSSAPI
    patch yet):
    - CVE-2006-4924: Fix a pre-authentication denial of service found by
      Tavis Ormandy, that would cause sshd(8) to spin until the login grace
      time expired (closes: #389995).
    - CVE-2006-5051: Fix an unsafe signal handler reported by Mark Dowd. The
      signal handler was vulnerable to a race condition that could be
      exploited to perform a pre-authentication denial of service. On
      portable OpenSSH, this vulnerability could theoretically lead to
      pre-authentication remote code execution if GSSAPI authentication is
      enabled, but the likelihood of successful exploitation appears remote.
  * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël
    Hertzog; closes: #369395).
  * Remove no-longer-used ssh/insecure_rshd debconf template.
  * Make ssh/insecure_telnetd Type: error (closes: #388946).
  * debconf template translations:
    - Update Portuguese (thanks, Rui Branco; closes: #381942).
    - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
      closes: #382966).
  * Document KeepAlive->TCPKeepAlive renaming in sshd_config(5) (closes:
    https://launchpad.net/bugs/50702).
  * Change sshd user's shell to /usr/sbin/nologin (closes: #366541).
    Introduces dependency on passwd for usermod.
  * debconf template translations:
    - Update French (thanks, Denis Barbier; closes: #368503).
    - Update Dutch (thanks, Bart Cornelis; closes: #375100).
    - Update Japanese (thanks, Kenshi Muto; closes: #379950).