portable OpenSSH

~x-frode/openssh:xenial-hpn-14.10

Git
lp:~x-frode/openssh
xenial-hpn-14.10

Last commit made on 2020-02-14

Get this branch:: git clone -b xenial-hpn-14.10 https://git.launchpad.net/~x-frode/openssh

Only Frode Langelo can upload to this branch. If you are Frode Langelo please log in for upload directions.

Branch merges

Branch information

Name:: xenial-hpn-14.10

Repository:: lp:~x-frode/openssh

Recent commits

d720ca9... by Frode Langelo on 2020-02-14

Add HPN v14.10 patches

2b85b95... by Christian Ehrhardt  on 2017-03-15

Import patches-unapplied version 1:7.2p2-4ubuntu2.2 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: f681394e4814811c8fcd883209c0895012e264b1

New changelog entries:
  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
    already-hashed entries (LP: #1668093).
  * Fix ssh-keyscan to correctly hash hosts with a port number (LP: #1670745).

f681394... by Marc Deslauriers on 2016-08-11

Import patches-unapplied version 1:7.2p2-4ubuntu2.1 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 1e769a346ac1551137f07f1dfaa17b97b8c610cb

New changelog entries:
  * SECURITY UPDATE: user enumeration via covert timing channel
    - debian/patches/CVE-2016-6210-1.patch: determine appropriate salt for
      invalid users in auth-passwd.c, openbsd-compat/xcrypt.c.
    - debian/patches/CVE-2016-6210-2.patch: mitigate timing of disallowed
      users PAM logins in auth-pam.c.
    - debian/patches/CVE-2016-6210-3.patch: search users for one with a
      valid salt in openbsd-compat/xcrypt.c.
    - CVE-2016-6210
  * SECURITY UPDATE: denial of service via long passwords
    - debian/patches/CVE-2016-6515.patch: skip passwords longer than 1k in
      length in auth-passwd.c.
    - CVE-2016-6515

1e769a3... by Martin Pitt on 2016-07-31

Import patches-unapplied version 1:7.2p2-4ubuntu2 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 10f708de3e0ad3db5ea94906d99f2e168e9e40af

New changelog entries:
  * debian/openssh-server.if-up: Don't block on a finished reload of
    openssh.service, to avoid deadlocking with restarting networking.
    (Closes: #832557, LP: #1584393)

10f708d... by Colin Watson on 2016-04-28

Import patches-unapplied version 1:7.2p2-4ubuntu1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: c898ad9d904eaccd57b2881cd517a8e586e118c1

New changelog entries:
  * Backport upstream patch to unbreak authentication using lone certificate
    keys in ssh-agent: when attempting pubkey auth with a certificate, if no
    separate private key is found among the keys then try with the
    certificate key itself (thanks, Paul Querna; LP: #1575961).

c898ad9... by Colin Watson on 2016-04-15

Import patches-unapplied version 1:7.2p2-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f1922cb23326618db9ab52158d24fd1a07db52de

New changelog entries:
* Drop dependency on libnss-files-udeb (closes: #819686).
* Policy version 3.9.7: no changes required.

f1922cb... by Colin Watson on 2016-04-13

Import patches-unapplied version 1:7.2p2-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c2103d45711713728b0043c9acefc3031e8875be

New changelog entries:
* Change all openssh.org references to openssh.com (closes: #819213).
* CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.

c2103d4... by Colin Watson on 2016-03-21

Import patches-unapplied version 1:7.2p2-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a7348ee9c66b86c9a50a50bb47a0a62368c2e33c

New changelog entries:
  * Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on
    the server end than the client (thanks, Damien Miller; closes: #817870,
    LP: #1558576).

a7348ee... by Colin Watson on 2016-03-10

Import patches-unapplied version 1:7.2p2-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7ee188cc5aac92f13be290ec4177f345a6fd5aa9

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.2p2):
    - SECURITY: sshd(8): Sanitise X11 authentication credentials to avoid
      xauth command injection when X11Forwarding is enabled
      (http://www.openssh.com/txt/x11fwd.adv).

7ee188c... by Colin Watson on 2016-03-08

Import patches-unapplied version 1:7.2p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ceb201608cb0655899ec6c88a243d4bc4f807060

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.2):
    - This release disables a number of legacy cryptographic algorithms by
      default in ssh:
      + Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and
        the rijndael-cbc aliases for AES.
      + MD5-based and truncated HMAC algorithms.
      These algorithms are already disabled by default in sshd.
    - ssh(1), sshd(8): Remove unfinished and unused roaming code (was
      already forcibly disabled in OpenSSH 7.1p2).
    - ssh(1): Eliminate fallback from untrusted X11 forwarding to trusted
      forwarding when the X server disables the SECURITY extension.
    - ssh(1), sshd(8): Increase the minimum modulus size supported for
      diffie-hellman-group-exchange to 2048 bits.
    - sshd(8): Pre-auth sandboxing is now enabled by default (previous
      releases enabled it for new installations via sshd_config).
    - all: Add support for RSA signatures using SHA-256/512 hash algorithms
      based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
    - ssh(1): Add an AddKeysToAgent client option which can be set to 'yes',
      'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
      private key that is used during authentication will be added to
      ssh-agent if it is running (with confirmation enabled if set to
      'confirm').
    - sshd(8): Add a new authorized_keys option "restrict" that includes all
      current and future key restrictions (no-*-forwarding, etc.). Also add
      permissive versions of the existing restrictions, e.g. "no-pty" ->
      "pty". This simplifies the task of setting up restricted keys and
      ensures they are maximally-restricted, regardless of any permissions
      we might implement in the future.
    - ssh(1): Add ssh_config CertificateFile option to explicitly list
      certificates.
    - ssh-keygen(1): Allow ssh-keygen to change the key comment for all
      supported formats (closes: #811125).
    - ssh-keygen(1): Allow fingerprinting from standard input, e.g.
      "ssh-keygen -lf -" (closes: #509058).
    - ssh-keygen(1): Allow fingerprinting multiple public keys in a file,
      e.g. "ssh-keygen -lf ~/.ssh/authorized_keys".
    - sshd(8): Support "none" as an argument for sshd_config Foreground and
      ChrootDirectory. Useful inside Match blocks to override a global
      default.
    - ssh-keygen(1): Support multiple certificates (one per line) and
      reading from standard input (using "-f -") for "ssh-keygen -L"
    - ssh-keyscan(1): Add "ssh-keyscan -c ..." flag to allow fetching
      certificates instead of plain keys.
    - ssh(1): Better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
      hostname canonicalisation - treat them as already canonical and remove
      the trailing '.' before matching ssh_config.
    - sftp(1): Existing destination directories should not terminate
      recursive uploads (regression in OpenSSH 6.8; LP: #1553378).
  * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb.
  * Restore slogin symlinks for compatibility, although they were removed
    upstream.

»