--- Begin Message ---
Source: openssh
Source-Version: 1:7.5p1-1
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 407754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 02 Apr 2017 02:58:01 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.5p1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 407754
Changes:
openssh (1:7.5p1-1) experimental; urgency=medium

  * New upstream release (https://www.openssh.com/txt/release-7.5):
    - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entirely in the next release.
    - This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory (closes: #407754).
    - The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes.
    - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from algorithm lists, e.g. Ciphers=-*cbc.
    - sshd(1): Fix NULL dereference crash when key exchange start messages are sent out of sequence.
    - ssh(1), sshd(8): Allow form-feed characters to appear in configuration files.
    - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs extension, where SHA2 RSA signature methods were not being correctly advertised.
    - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in known_hosts processing.
    - ssh(1): Allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key.
    - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and not the old ssh-rsa method.
    - ssh(1): Detect and report excessively long configuration file lines.
    - Merge a number of fixes found by Coverity and reported via Redhat and FreeBSD. Includes fixes for some memory and file descriptor leaks in error paths.
    - ssh(1), sshd(8): When logging long messages to stderr, don't truncate "\r\n" if the length of the message exceeds the buffer.
    - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-line; avoid confusion over IPv6 addresses and shells that treat square bracket characters specially.
    - Fix various fallout and sharp edges caused by removing SSH protocol 1 support from the server, including the server banner string being incorrectly terminated with only \n (instead of \r\n), confusing error messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was enabled for the client and sshd_config contained references to legacy keys.
    - ssh(1), sshd(8): Free fd_set on connection timeout.
    - sftp(1): Fix division by zero crash in "df" output when server returns zero total filesystem blocks/inodes.
    - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors encountered during key loading to more meaningful error codes.
    - ssh-keygen(1): Sanitise escape sequences in key comments sent to printf but preserve valid UTF-8 when the locale supports it.
    - ssh(1), sshd(8): Return reason for port forwarding failures where feasible rather than always "administratively prohibited".
    - sshd(8): Fix deadlock when AuthorizedKeysCommand or AuthorizedPrincipalsCommand produces a lot of output and a key is matched early.
    - ssh(1): Fix typo in ~C error message for bad port forward cancellation.
    - ssh(1): Show a useful error message when included config files can't be opened.
    - sshd_config(5): Repair accidentally-deleted mention of %k token in AuthorizedKeysCommand.
    - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
    - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common 32-bit compatibility library directories.
    - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME response handling.
    - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys. It was not possible to delete them except by specifying their full physical path.
    - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor.
    - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg inspection.
    - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that contain non-printable characters where the codeset in use is ASCII.
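As an added illustration of the "=-" list-removal syntax and the CBC note in the changelog above (this is example code, not part of the Debian package or of OpenSSH): it models how a `Ciphers=-*cbc` line prunes a cipher list and then checks whether any CBC mode is still negotiable. The cipher list is a constructed sample rather than OpenSSH's real built-in default, and the wildcard handling is a simplified assumption about OpenSSH's matching.

```python
import fnmatch

# Constructed sample of an sshd cipher list with CBC modes last (lowest
# preference). Illustrative only; not OpenSSH's actual built-in default.
SAMPLE_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc",
]


def apply_algorithm_spec(spec, defaults):
    """Model the algorithm-list value syntax of ssh_config/sshd_config.

    A leading '-' removes every default entry matching any comma-separated
    pattern ('*' and '?' wildcards, as in Ciphers=-*cbc); any other value
    replaces the list outright. Simplified model assumed to mirror OpenSSH.
    """
    if spec.startswith("-"):
        patterns = [p for p in spec[1:].split(",") if p]
        return [alg for alg in defaults
                if not any(fnmatch.fnmatchcase(alg, p) for p in patterns)]
    return [alg for alg in spec.split(",") if alg]


def effective_ciphers(config_line, defaults=SAMPLE_CIPHERS):
    """Parse 'Ciphers value' or 'Ciphers=value' and return the resulting list."""
    keyword, _, value = config_line.strip().replace("=", " ", 1).partition(" ")
    if keyword.lower() != "ciphers":
        raise ValueError("not a Ciphers directive: %r" % config_line)
    return apply_algorithm_spec(value.strip(), defaults)


def cbc_ciphers_offered(ciphers):
    """Defender's check: CBC-mode ciphers that would still be negotiable."""
    return [c for c in ciphers if c.endswith("-cbc")]


if __name__ == "__main__":
    for line in ("Ciphers=-*cbc", "Ciphers -aes*,3des-cbc"):
        remaining = effective_ciphers(line)
        print(line, "->", remaining, "| CBC left:", cbc_ciphers_offered(remaining))
```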
--- End Message ---