Last commit made on 2016-04-16
Get this branch:
git clone -b ubuntu/xenial https://git.launchpad.net/ubuntu/+source/openssh

Recent commits

c898ad9... by Colin Watson on 2016-04-15

Import patches-unapplied version 1:7.2p2-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f1922cb23326618db9ab52158d24fd1a07db52de

New changelog entries:
  * Drop dependency on libnss-files-udeb (closes: #819686).
  * Policy version 3.9.7: no changes required.

f1922cb... by Colin Watson on 2016-04-13

Import patches-unapplied version 1:7.2p2-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c2103d45711713728b0043c9acefc3031e8875be

New changelog entries:
  * Change all openssh.org references to openssh.com (closes: #819213).
  * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.

c2103d4... by Colin Watson on 2016-03-21

Import patches-unapplied version 1:7.2p2-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a7348ee9c66b86c9a50a50bb47a0a62368c2e33c

New changelog entries:
  * Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on
    the server end than the client (thanks, Damien Miller; closes: #817870,
    LP: #1558576).

a7348ee... by Colin Watson on 2016-03-10

Import patches-unapplied version 1:7.2p2-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7ee188cc5aac92f13be290ec4177f345a6fd5aa9

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.2p2):
    - SECURITY: sshd(8): Sanitise X11 authentication credentials to avoid
      xauth command injection when X11Forwarding is enabled

7ee188c... by Colin Watson on 2016-03-08

Import patches-unapplied version 1:7.2p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ceb201608cb0655899ec6c88a243d4bc4f807060

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.2):
    - This release disables a number of legacy cryptographic algorithms by
      default in ssh:
      + Several ciphers: blowfish-cbc, cast128-cbc, all arcfour variants and
        the rijndael-cbc aliases for AES.
      + MD5-based and truncated HMAC algorithms.
      These algorithms are already disabled by default in sshd.
    - ssh(1), sshd(8): Remove unfinished and unused roaming code (was
      already forcibly disabled in OpenSSH 7.1p2).
    - ssh(1): Eliminate fallback from untrusted X11 forwarding to trusted
      forwarding when the X server disables the SECURITY extension.
    - ssh(1), sshd(8): Increase the minimum modulus size supported for
      diffie-hellman-group-exchange to 2048 bits.
    - sshd(8): Pre-auth sandboxing is now enabled by default (previous
      releases enabled it for new installations via sshd_config).
    - all: Add support for RSA signatures using SHA-256/512 hash algorithms
      based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
    - ssh(1): Add an AddKeysToAgent client option which can be set to 'yes',
      'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
      private key that is used during authentication will be added to
      ssh-agent if it is running (with confirmation enabled if set to
    - sshd(8): Add a new authorized_keys option "restrict" that includes all
      current and future key restrictions (no-*-forwarding, etc.). Also add
      permissive versions of the existing restrictions, e.g. "no-pty" ->
      "pty". This simplifies the task of setting up restricted keys and
      ensures they are maximally-restricted, regardless of any permissions
      we might implement in the future.
    - ssh(1): Add ssh_config CertificateFile option to explicitly list
    - ssh-keygen(1): Allow ssh-keygen to change the key comment for all
      supported formats (closes: #811125).
    - ssh-keygen(1): Allow fingerprinting from standard input, e.g.
      "ssh-keygen -lf -" (closes: #509058).
    - ssh-keygen(1): Allow fingerprinting multiple public keys in a file,
      e.g. "ssh-keygen -lf ~/.ssh/authorized_keys".
    - sshd(8): Support "none" as an argument for sshd_config Foreground and
      ChrootDirectory. Useful inside Match blocks to override a global
    - ssh-keygen(1): Support multiple certificates (one per line) and
      reading from standard input (using "-f -") for "ssh-keygen -L"
    - ssh-keyscan(1): Add "ssh-keyscan -c ..." flag to allow fetching
      certificates instead of plain keys.
    - ssh(1): Better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
      hostname canonicalisation - treat them as already canonical and remove
      the trailing '.' before matching ssh_config.
    - sftp(1): Existing destination directories should not terminate
      recursive uploads (regression in OpenSSH 6.8; LP: #1553378).
  * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb.
  * Restore slogin symlinks for compatibility, although they were removed

ceb2016... by Colin Watson on 2016-01-17

Import patches-unapplied version 1:7.1p2-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f0fa6e989c4b36130f71199a054b0a87b4b6dbb0

New changelog entries:
  * Remove protocol 1 host key generation from openssh-server.postinst
    (closes: #811265).

f0fa6e9... by Colin Watson on 2016-01-14

Import patches-unapplied version 1:7.1p2-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: af5f1423c1dfacea6c9fc258f441ea056ad010bc

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.1p2):
    - CVE-2016-0777, CVE-2016-0778: Disable experimental client-side support
      for roaming, which could be tricked by a malicious server into leaking
      client memory to the server, including private client user keys; this
      information leak is restricted to connections to malicious or
      compromised servers (closes: #810984).
    - SECURITY: Fix an out-of-bound read access in the packet handling code.
      Reported by Ben Hawkes.
    - Further use of explicit_bzero has been added in various buffer
      handling code paths to guard against compilers aggressively doing
      dead-store removal.

af5f142... by Colin Watson on 2016-01-04

Import patches-unapplied version 1:7.1p1-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 197ff5e108c9ce8b81b55e53cc669e51ecf24d38

New changelog entries:
  [ Colin Watson ]
  * Remove explicit "XS-Testsuite: autopkgtest" from debian/control;
    dpkg-source now figures that out automatically based on the existence of
  * Allow authenticating as root using gssapi-keyex even with
    "PermitRootLogin prohibit-password" (closes: #809695).
  * Shuffle PROPOSAL_KEX_ALGS mangling for GSSAPI key exchange a little
    later in ssh_kex2 so that it's actually effective (closes: #809696).
  [ Michael Biebl ]
  * Don't call sd_notify when sshd is re-execed (closes: #809035).

197ff5e... by Colin Watson on 2015-12-21

Import patches-unapplied version 1:7.1p1-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d04289f4b926de8674efc6234000ee574e9ce42f

New changelog entries:
  [ Michael Biebl ]
  * Add systemd readiness notification support (closes: #778913).

d04289f... by Colin Watson on 2015-12-15

Import patches-unapplied version 1:7.1p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 63627bbe956750c9858dd7b7d09ea8a97f5cbcd3

New changelog entries:
  * Backport upstream patch to unbreak connections with peers that set
    first_kex_follows (LP: #1526357).