Last commit made on 2016-01-14
Get this branch:
git clone -b ubuntu/vivid-devel https://git.launchpad.net/ubuntu/+source/openssh
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information


Recent commits

bcf0974... by Marc Deslauriers on 2016-01-13

Import patches-unapplied version 1:6.7p1-5ubuntu1.4 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 014b4a3ff90ed457cfc5bafeec140f17779cda91

New changelog entries:
  * SECURITY UPDATE: information leak and overflow in roaming support
    - debian/patches/CVE-2016-077x.patch: completely disable roaming option
      in readconf.c.
    - CVE-2016-0777
    - CVE-2016-0778

014b4a3... by Marc Deslauriers on 2015-08-18

Import patches-unapplied version 1:6.7p1-5ubuntu1.3 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 2ee4e60c1db21fa4aa2d00b2a8fc966348ebc2c9

New changelog entries:
  * SECURITY REGRESSION: random auth failures because of uninitialized
    struct field (LP: #1485719)
    - debian/patches/CVE-2015-5600-2.patch:

2ee4e60... by Marc Deslauriers on 2015-08-14

Import patches-unapplied version 1:6.7p1-5ubuntu1.2 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: ae5f25d60e1d14b857ddd4819dfda8bc4335e642

New changelog entries:
  * SECURITY UPDATE: possible user impersonation via PAM support
    - debian/patches/pam-security-1.patch: don't resend username to PAM in
      monitor.c, monitor_wrap.c.
    - CVE number pending
  * SECURITY UPDATE: use-after-free in PAM support
    - debian/patches/pam-security-2.patch: fix use after free in monitor.c.
    - CVE number pending
    - debian/patches/CVE-2015-5600.patch: only query each
      keyboard-interactive device once per authentication request in
    - CVE-2015-5600
  * SECURITY UPDATE: X connections access restriction bypass
    - debian/patches/CVE-2015-5352.patch: refuse ForwardX11Trusted=no
      connections attempted after ForwardX11Timeout expires in channels.c,
      channels.h, clientloop.c.
    - CVE-2015-5352

ae5f25d... by Martin Pitt on 2015-04-09

Import patches-unapplied version 1:6.7p1-5ubuntu1 to ubuntu/vivid-proposed

Imported using git-ubuntu import.

Changelog parent: 05f02a8a3fd0f86043560cd2ad422a5af1f733c6

New changelog entries:
  * openssh-server.postinst: Quiesce "Unable to connect to Upstart" error
    message from initctl if upstart is installed, but not the current init
    system. (LP: #1440070)
  * openssh-server.postinst: Fix version comparisons of upgrade adjustments to
    not apply to fresh installs.

05f02a8... by Colin Watson on 2015-03-22

Import patches-unapplied version 1:6.7p1-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b36aac0040cc4639ecad0701395076a3aacc6967

New changelog entries:
  * Revert change from previous upload, which causes far more trouble than
    it is worth (closes: #780797):
    - Send/accept only specific known LC_* variables, rather than using a
  * Add a NEWS.Debian entry documenting this reversion, as it is too
    difficult to undo the sshd_config change automatically without
    compounding the problem of (arguably) overwriting user configuration.

b36aac0... by Colin Watson on 2015-03-18

Import patches-unapplied version 1:6.7p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 74206475ba89b331fc857eaa47ab92b37c7b6651

New changelog entries:
  * Send/accept only specific known LC_* variables, rather than using a
    wildcard (closes: #765633).
  * Document interactions between ListenAddress/Port and ssh.socket in
    README.Debian (closes: #764842).
  * Debconf translations:
    - Brazilian Portuguese (thanks, José de Figueiredo; closes: #771859).

7420647... by Colin Watson on 2014-11-03

Import patches-unapplied version 1:6.7p1-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 6343ce920759ee85035f8c883a872cb0633d2aaf

New changelog entries:
  * Debconf translations:
    - Dutch (thanks, Frans Spiesschaert; closes: #765851).
  * Assume that dpkg-statoverride exists and drop the test for an obsolete
    compatibility path.

6343ce9... by Colin Watson on 2014-10-10

Import patches-unapplied version 1:6.7p1-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ad72db5881f704dfbc1d6518b8aabe4df7187ffe

New changelog entries:
  * debian/tests/control: Drop isolation-container, since the tests run on a
    high port. They're still not guaranteed to run correctly in an schroot,
    but may manage to work, so this lets the tests at least try to run on

ad72db5... by Colin Watson on 2014-10-09

Import patches-unapplied version 1:6.7p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a94068afc4b1d22ad58528df20c0f370e4eb4657

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-6.7):
    - sshd(8): The default set of ciphers and MACs has been altered to
      remove unsafe algorithms. In particular, CBC ciphers and arcfour* are
      disabled by default. The full set of algorithms remains available if
      configured explicitly via the Ciphers and MACs sshd_config options.
    - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A
      remote TCP port may be forwarded to a local Unix domain socket and
      vice versa or both ends may be a Unix domain socket (closes: #236718).
    - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519
      key types.
    - sftp(1): Allow resumption of interrupted uploads.
    - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is
      the same as the one sent during initial key exchange.
    - sshd(8): Allow explicit ::1 and forwarding bind addresses
      when GatewayPorts=no; allows client to choose address family.
    - sshd(8): Add a sshd_config PermitUserRC option to control whether
      ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
    - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that
      expands to a unique identifer based on a hash of the tuple of (local
      host, remote user, hostname, port). Helps avoid exceeding miserly
      pathname limits for Unix domain sockets in multiplexing control paths.
    - sshd(8): Make the "Too many authentication failures" message include
      the user, source address, port and protocol in a format similar to the
      authentication success / failure messages.
    - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
      available. It considers time spent suspended, thereby ensuring
      timeouts (e.g. for expiring agent keys) fire correctly (closes:
    - Use prctl() to prevent sftp-server from accessing
  * Restore TCP wrappers support, removed upstream in 6.7. It is true that
    dropping this reduces preauth attack surface in sshd. On the other
    hand, this support seems to be quite widely used, and abruptly dropping
    it (from the perspective of users who don't read openssh-unix-dev) could
    easily cause more serious problems in practice. It's not entirely clear
    what the right long-term answer for Debian is, but it at least probably
    doesn't involve dropping this feature shortly before a freeze.
  * Replace patch to disable OpenSSL version check with an updated version
    of Kurt Roeckx's patch from #732940 to just avoid checking the status
  * Build-depend on a new enough dpkg-dev for dpkg-buildflags, rather than
    simply a new enough dpkg.
  * Simplify debian/rules using /usr/share/dpkg/buildflags.mk.
  * Use Package-Type rather than XC-Package-Type, now that it is an official
  * Run a subset of the upstream regression test suite at package build
    time, and the rest of it under autopkgtest.

a94068a... by Colin Watson on 2014-10-03

Import patches-unapplied version 1:6.6p1-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9024265b5ca71bce46a376cca92fa3ecb7bb44fd

New changelog entries:
  * Make the if-up hook use "reload" rather than "restart" if the system was
    booted using systemd (closes: #756547).
  * Show fingerprints of new keys after creating them in the postinst
    (closes: #762128).
  * Policy version 3.9.6: no changes required.
  * Don't link /usr/share/doc/ssh to openssh-client, as this is not safe
    between Architecture: all and Architecture: any binary packages (closes: