--- Begin Message ---
Source: openssh
Source-Version: 1:7.8p1-1
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 907534@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 30 Aug 2018 15:35:27 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.8p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 573316 905407 907534
Changes:
openssh (1:7.8p1-1) unstable; urgency=medium
.
* New upstream release (https://www.openssh.com/txt/release-7.8, closes:
#907534):
- ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
supported in OpenSSH releases since 2014 and described in the
PROTOCOL.key file in the source distribution, offers substantially
better protection against offline password guessing and supports key
comments in private keys. If necessary, it is possible to write old
PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
generating or updating a key.
- sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
- ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
- sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for
these options).
- sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
- ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For
a detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
- ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly
force use of RSA/SHA2 signatures in authentication.
- sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
of environment variable names in addition to global "yes" or "no"
settings.
- sshd(8): Add a PermitListen directive to sshd_config(5) and a
corresponding permitlisten= authorized_keys option that control which
listen addresses and port numbers may be used by remote forwarding
(ssh -R ...).
- sshd(8): Add some countermeasures against timing attacks used for
account validation/enumeration. sshd will enforce a minimum time or
each failed authentication attempt consisting of a global 5ms minimum
plus an additional per-user 0-4ms delay derived from a host secret.
- sshd(8): Add a SetEnv directive to allow an administrator to
explicitly specify environment variables in sshd_config. Variables
set by SetEnv override the default and client-specified environment.
- ssh(1): Add a SetEnv directive to request that the server sets an
environment variable in the session. Similar to the existing SendEnv
option, these variables are set subject to server configuration.
- ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
previously marked for sending to the server (closes: #573316).
- ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
the username is available currently.
- ssh(1): Allow setting ProxyJump=none to disable ProxyJump
functionality.
- sshd(8): Avoid observable differences in request parsing that could be
used to determine whether a target user is valid.
- ssh(1)/sshd(8): Fix some memory leaks.
- ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
occur during key loading, manifesting as crash on some platforms.
- sshd_config(5): Clarify documentation for AuthenticationMethods
option.
- ssh(1): Ensure that the public key algorithm sent in a public key
SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
Previously, these could be inconsistent when a legacy or non-OpenSSH
ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
signature.
- sshd(8): Fix failures to read authorized_keys caused by faulty
supplemental group caching.
- scp(1): Apply umask to directories, fixing potential mkdir/chmod race
when copying directory trees.
- ssh-keygen(1): Return correct exit code when searching for and hashing
known_hosts entries in a single operation.
- ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
re-executing ssh for ProxyJump.
- sshd(8): Do not ban PTY allocation when a sshd session is restricted
because the user password is expired as it breaks password change
dialog.
- ssh(1)/sshd(8): Fix error reporting from select() failures.
- ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
-w implicitly sets Tunnel=point-to-point.
- ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
will no longer spin when its file descriptor limit is exceeded.
- ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
clients. Twisted Conch versions that lack a version number in their
identification strings will mishandle these messages when running on
Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
- sftp(1): Notify user immediately when underlying ssh process dies
expectedly.
- ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
- ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
fails to accept(2) a connection.
- ssh(1): Add some missing options in the configuration dump output (ssh
-G).
- sshd(8): Expose details of completed authentication to PAM auth
modules via SSH_AUTH_INFO_0 in the PAM environment.
* Switch debian/watch to HTTPS.
* Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
regression tests.
Checksums-Sha1:
f7754d84e88db335b8f62a70155a62953f6a0199 3121 openssh_7.8p1-1.dsc
27e267e370315561de96577fccae563bc2c37a60 1548026 openssh_7.8p1.orig.tar.gz
7734c7f9db5051f26ef4e32da44e9df3a52c1c22 683 openssh_7.8p1.orig.tar.gz.asc
19163a9c46b988c47050a642eb4aeb56ed1b52dc 161912 openssh_7.8p1-1.debian.tar.xz
9df3248b61a1f85f6f6e9beb4223b94c0da9112e 14871 openssh_7.8p1-1_source.buildinfo
Checksums-Sha256:
8ec0c6c21c59e00899e1102b2641ddfea63b1ca3aade5865db6c5aa6a628e266 3121 openssh_7.8p1-1.dsc
1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca 1548026 openssh_7.8p1.orig.tar.gz
01649b5f618d9f19c861a038b981db456778dd7b38a20d039513e2639a022fe4 683 openssh_7.8p1.orig.tar.gz.asc
e9c101ac6c8123a8148702585c67880229a8d472fb74d4a9ad3767a72b3e7592 161912 openssh_7.8p1-1.debian.tar.xz
a36fc3140573c86fd10929b5a5ab1ee227e433842050f475912119e93bdbf044 14871 openssh_7.8p1-1_source.buildinfo
Files:
1fd95800878abe0c4d423cfa06e8dc25 3121 net standard openssh_7.8p1-1.dsc
ce1d090fa6239fd38eb989d5e983b074 1548026 net standard openssh_7.8p1.orig.tar.gz
5d7d65086c1c47b66cc42216eb1f3c34 683 net standard openssh_7.8p1.orig.tar.gz.asc
2a1bb49fc4212a0ef0a2e0903251706e 161912 net standard openssh_7.8p1-1.debian.tar.xz
d6be3f9fc74e8d936907910fa968871f 14871 net standard openssh_7.8p1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAluIASAACgkQOTWH2X2G
UAsFnA//Zgba/rVNCuvBtoLa4tnA8KzmeS9H/GNZIohGHQhCGMhJkP/Yrn2unrKl
QgxaUoF0dJEkFLn1fkHhRye+JYyVcDBepXM0UFP/75qE6Vu6Gl+tjBqXFD6tD5U6
gz9IkZ170BOY9iSbW7OKEA0V1j2FoXSAE1dfgGbQ3Utmpg9aQqFzWIk5IjCkwEqI
wpM6o7G6hBPI2da0V2kV8ZyZz5QrUez4a1mIQLDB59OZVX1+YKR5SP+6R1RbpMxS
4LB/XFiwcH6AlFwKkf47bfbA6e0dq2V+g5cyotKUaJx5R6tLEginZsrzR0fnNKmU
SArjVsmMkAQAEnkwUCz/SgCop2xUMYZt6K2CrH5Bo7bjSK8xHPLN6Tvrd+1T/ee6
m+159AMT1NpMyAnwFawuWGVm86V80FciAHrTYN/c9F4WX66tsn8XX6es61Z/RmWF
m/CMpDqFV3ixHySzT3x4W1e+cF8LP2cVtH11n36wyApJER3rbHHFICMTEjmn6wpY
CSXx/Tqd71FUX6sQvgPvvCnGZcvvm+KXaDJJgQMwyPuSSFFK47aLq+ytOg2MpqPJ
taZWQpTxwW8nNJTsCac8rUOpei0JtmB0j4gbu3MmzVgzC7eda+GsEK0r50jJIK+/
RRGoGttlziP1gpX8baccwpkDRYakrzh362zhEI0a4ixla66SaIk=
=mpZO
-----END PGP SIGNATURE-----
--- End Message ---