[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Accepted openssh 1:7.7p1-1 (source) into unstable

Hash: SHA256

Format: 1.8
Date: Tue, 03 Apr 2018 12:40:24 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.7p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 289592
 openssh (1:7.7p1-1) unstable; urgency=medium
   * New upstream release (https://www.openssh.com/txt/release-7.7):
     - ssh(1)/sshd(8): Drop compatibility support for some very old SSH
       implementations, including ssh.com <=2.* and OpenSSH <= 3.*.  These
       versions were all released in or before 2001 and predate the final SSH
       RFCs.  The support in question isn't necessary for RFC-compliant SSH
     - Add experimental support for PQC XMSS keys (Extended Hash-Based
     - sshd(8): Add an "rdomain" criterion for the sshd_config Match keyword
       to allow conditional configuration that depends on which routing
       domain a connection was received on.
     - sshd_config(5): Add an optional rdomain qualifier to the ListenAddress
       directive to allow listening on different routing domains.
     - sshd(8): Add "expiry-time" option for authorized_keys files to allow
       for expiring keys.
     - ssh(1): Add a BindInterface option to allow binding the outgoing
       connection to an interface's address (basically a more usable
       BindAddress; closes: #289592).
     - ssh(1): Expose device allocated for tun/tap forwarding via a new %T
       expansion for LocalCommand.  This allows LocalCommand to be used to
       prepare the interface.
     - sshd(8): Expose the device allocated for tun/tap forwarding via a new
       SSH_TUNNEL environment variable.  This allows automatic setup of the
       interface and surrounding network configuration automatically on the
     - ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
       ssh://user@host or sftp://user@host/path.  Additional connection
       parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
       implemented since the ssh fingerprint format in the draft uses the
       deprecated MD5 hash with no way to specify any other algorithm.
     - ssh-keygen(1): Allow certificate validity intervals that specify only
       a start or stop time (instead of both or neither).
     - sftp(1): Allow "cd" and "lcd" commands with no explicit path argument.
       lcd will change to the local user's home directory as usual.  cd will
       change to the starting directory for session (because the protocol
       offers no way to obtain the remote user's home directory).
     - sshd(8): When doing a config test with sshd -T, only require the
       attributes that are actually used in Match criteria rather than (an
       incomplete list of) all criteria.
     - ssh(1)/sshd(8): More strictly check signature types during key
       exchange against what was negotiated.  Prevents downgrade of RSA
       signatures made with SHA-256/512 to SHA-1.
     - sshd(8): Fix support for client that advertise a protocol version of
       "1.99" (indicating that they are prepared to accept both SSHv1 and
       SSHv2).  This was broken in OpenSSH 7.6 during the removal of SSHv1
     - ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a
       rsa-sha2-256/512 signature was requested.  This condition is possible
       when an old or non-OpenSSH agent is in use.
     - ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
       to fatally exit if presented an invalid signature request message.
     - sshd_config(5): Accept yes/no flag options case-insensitively, as has
       been the case in ssh_config(5) for a long time (LP: #1656557).
     - ssh(1): Improve error reporting for failures during connection.  Under
       some circumstances misleading errors were being shown.
     - ssh-keyscan(1): Add -D option to allow printing of results directly in
       SSHFP format.
     - ssh(1): Compatibility fix for some servers that erroneously drop the
       connection when the IUTF8 (RFC8160) option is sent.
     - scp(1): Disable RemoteCommand and RequestTTY in the ssh session
       started by scp (sftp was already doing this).
     - ssh-keygen(1): Refuse to create a certificate with an unusable number
       of principals.
     - ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
       public key during key generation.  Previously it would silently ignore
       errors writing the comment and terminating newline.
     - ssh(1): Do not modify hostname arguments that are addresses by
       automatically forcing them to lower-case.  Instead canonicalise them
       jo resolve ambiguities (e.g. ::0001 => ::1) before they are matched
       against known_hosts.
     - ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
     - sftp(1): Have sftp print a warning about shell cleanliness when
       decoding the first packet fails, which is usually caused by shells
       polluting stdout of non-interactive startups.
     - ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
       time to monotonic time, allowing the packet layer to better function
       over a clock step and avoiding possible integer overflows during
     - sshd(8): Correctly detect MIPS ABI in use at configure time.  Fixes
       sandbox violations on some environments.
     - Build and link with "retpoline" flags when available to mitigate the
       "branch target injection" style (variant 2) of the Spectre
       branch-prediction vulnerability.
 5c5563bb9a51a7aebf60f8d9c4d209081b4a4bb9 3117 openssh_7.7p1-1.dsc
 446fe9ed171f289f0d62197dffdbfdaaf21c49f2 1536900 openssh_7.7p1.orig.tar.gz
 10cdf3bb5d0be9ca23bdd225b111790168a5c1e7 683 openssh_7.7p1.orig.tar.gz.asc
 6065d37186ae899f9bc596d8ceb8ab1c2b9e0df2 158916 openssh_7.7p1-1.debian.tar.xz
 faebb752536f10b0f63b97f27c122d06da24bcb3 14473 openssh_7.7p1-1_source.buildinfo
 9e625b28a120079a5de0e3d36c1041475a4a75969e206e7f99532089c91f16c0 3117 openssh_7.7p1-1.dsc
 d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f 1536900 openssh_7.7p1.orig.tar.gz
 9a78b5aadf9a43f5367da4989b8ddb6777374a8e5ba6fc19afad072705becaa4 683 openssh_7.7p1.orig.tar.gz.asc
 c8f0fdb4e3f9b0918b42bfa4ec43051ddbde2a5d6584f540762041a040dd5250 158916 openssh_7.7p1-1.debian.tar.xz
 bf383cb8703db19bf059582831b4179b76b7d9f560c22dbe6f519e927a40bfe2 14473 openssh_7.7p1-1_source.buildinfo
 6bfb4ff1339d2e7d2279a2b576b0b26f 3117 net standard openssh_7.7p1-1.dsc
 68ba883aff6958297432e5877e9a0fe2 1536900 net standard openssh_7.7p1.orig.tar.gz
 868c8a3091a7b1500deeb04fcd3383f2 683 net standard openssh_7.7p1.orig.tar.gz.asc
 cf93c60bcd203980beb275b3a7c14345 158916 net standard openssh_7.7p1-1.debian.tar.xz
 04e1c69748d03e7ac09720a673e4248c 14473 net standard openssh_7.7p1-1_source.buildinfo



Reply to: