** Changed in: openssh (Ubuntu) Milestone: ubuntu-24.10-beta => None
** Description changed: Scheduled-For: Backlog Upstream: tbd - Debian: 1:9.7p1-4 + Debian: 1:9.7p1-4 Ubuntu: 1:9.6p1-3ubuntu13 - - NOT SERVER TEAM has maintained this package's merge in the past. + Other teams have maintained this package's merge in the past. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38 - ### New Debian Changes ### openssh (1:9.7p1-4) unstable; urgency=medium - * Rework systemd readiness notification and socket activation patches to - not link against libsystemd (the former via an upstream patch). - * Force -fzero-call-used-regs=used not to be used on ppc64el (it's - unsupported, but configure fails to detect this). - - -- Colin Watson <cjwat...@debian.org> Wed, 03 Apr 2024 12:06:08 +0100 + * Rework systemd readiness notification and socket activation patches to + not link against libsystemd (the former via an upstream patch). + * Force -fzero-call-used-regs=used not to be used on ppc64el (it's + unsupported, but configure fails to detect this). + + -- Colin Watson <cjwat...@debian.org> Wed, 03 Apr 2024 12:06:08 +0100 openssh (1:9.7p1-3) unstable; urgency=medium - * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack; - LP: #2053146). - * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes: - #1067243). - * debian/tests/regress: Set a different IP address for UNKNOWN. - * Re-enable ssh-askpass-gnome on all architectures. - * regress: Redirect conch stdin from /dev/zero (re-enables conch interop - tests). - * Drop 'Work around RSA SHA-2 signature issues in conch' patch (no longer - needed now that Twisted is fixed). - - -- Colin Watson <cjwat...@debian.org> Sun, 31 Mar 2024 11:55:38 +0100 + * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack; + LP: #2053146). 
+ * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes: + #1067243). + * debian/tests/regress: Set a different IP address for UNKNOWN. + * Re-enable ssh-askpass-gnome on all architectures. + * regress: Redirect conch stdin from /dev/zero (re-enables conch interop + tests). + * Drop 'Work around RSA SHA-2 signature issues in conch' patch (no longer + needed now that Twisted is fixed). + + -- Colin Watson <cjwat...@debian.org> Sun, 31 Mar 2024 11:55:38 +0100 openssh (1:9.7p1-2) unstable; urgency=medium - [ Simon McVittie ] - * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386 - (closes: #1066847). - - -- Colin Watson <cjwat...@debian.org> Thu, 14 Mar 2024 11:45:12 +0000 + [ Simon McVittie ] + * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386 + (closes: #1066847). + + -- Colin Watson <cjwat...@debian.org> Thu, 14 Mar 2024 11:45:12 +0000 openssh (1:9.7p1-1) unstable; urgency=medium - * Add the isolation-container restriction to the 'regress' autopkgtest. - Our setup code wants to ensure that the haveged service is running, and - furthermore at least the agent-subprocess test assumes that there's an - init to reap zombie processes and doesn't work in (e.g.) - autopkgtest-virt-unshare. - * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1): - - ssh(1), sshd(8): add a 'global' ChannelTimeout type that watches all - open channels and will close all open channels if there is no traffic - on any of them for the specified interval. This is in addition to the - existing per-channel timeouts added recently. - This supports situations like having both session and x11 forwarding - channels open where one may be idle for an extended period but the - other is actively used. The global timeout could close both channels - when both have been idle for too long (closes: #165185). - - All: make DSA key support compile-time optional, defaulting to on. 
- - sshd(8): don't append an unnecessary space to the end of subsystem - arguments (bz3667) - - ssh(1): fix the multiplexing 'channel proxy' mode, broken when - keystroke timing obfuscation was added. (GHPR#463) - - ssh(1), sshd(8): fix spurious configuration parsing errors when - options that accept array arguments are overridden (bz3657). - - ssh-agent(1): fix potential spin in signal handler (bz3670) - - Many fixes to manual pages and other documentation. - - Greatly improve interop testing against PuTTY. - * Skip utimensat test on ZFS, since it seems to leave the atime set to 0. - * Allow passing extra options to debian/tests/regress, for debugging. - * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1 - (LP: #2053146). - - -- Colin Watson <cjwat...@debian.org> Thu, 14 Mar 2024 10:47:58 +0000 + * Add the isolation-container restriction to the 'regress' autopkgtest. + Our setup code wants to ensure that the haveged service is running, and + furthermore at least the agent-subprocess test assumes that there's an + init to reap zombie processes and doesn't work in (e.g.) + autopkgtest-virt-unshare. + * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1): + - ssh(1), sshd(8): add a 'global' ChannelTimeout type that watches all + open channels and will close all open channels if there is no traffic + on any of them for the specified interval. This is in addition to the + existing per-channel timeouts added recently. + This supports situations like having both session and x11 forwarding + channels open where one may be idle for an extended period but the + other is actively used. The global timeout could close both channels + when both have been idle for too long (closes: #165185). + - All: make DSA key support compile-time optional, defaulting to on. 
+ - sshd(8): don't append an unnecessary space to the end of subsystem + arguments (bz3667) + - ssh(1): fix the multiplexing 'channel proxy' mode, broken when + keystroke timing obfuscation was added. (GHPR#463) + - ssh(1), sshd(8): fix spurious configuration parsing errors when + options that accept array arguments are overridden (bz3657). + - ssh-agent(1): fix potential spin in signal handler (bz3670) + - Many fixes to manual pages and other documentation. + - Greatly improve interop testing against PuTTY. + * Skip utimensat test on ZFS, since it seems to leave the atime set to 0. + * Allow passing extra options to debian/tests/regress, for debugging. + * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1 + (LP: #2053146). + + -- Colin Watson <cjwat...@debian.org> Thu, 14 Mar 2024 10:47:58 +0000 openssh (1:9.6p1-5) unstable; urgency=medium - * Restore systemd template unit for per-connection sshd instances, - although without any corresponding .socket unit for now; this is mainly - for use with the forthcoming systemd-ssh-generator (closes: #1061516). - It's now called sshd@.service, since unlike the main service there's no - need to be concerned about compatibility with the slightly confusing - 'ssh' service name that Debian has traditionally used. - - -- Colin Watson <cjwat...@debian.org> Wed, 06 Mar 2024 09:45:56 +0000 + * Restore systemd template unit for per-connection sshd instances, + although without any corresponding .socket unit for now; this is mainly + for use with the forthcoming systemd-ssh-generator (closes: #1061516). + It's now called sshd@.service, since unlike the main service there's no + need to be concerned about compatibility with the slightly confusing + 'ssh' service name that Debian has traditionally used. 
+ + -- Colin Watson <cjwat...@debian.org> Wed, 06 Mar 2024 09:45:56 +0000 openssh (1:9.6p1-4) unstable; urgency=medium - * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a - test to ensure it doesn't get out of date again. - * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its - checks for OpenSSL >= 3 in 9.4p1. - * Build-depend on pkgconf rather than pkg-config. - * Adjust debian/copyright to handle the 'placed in the public domain' - status of rijndael.* more explicitly. - - -- Colin Watson <cjwat...@debian.org> Mon, 26 Feb 2024 12:26:57 +0000 + * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a + test to ensure it doesn't get out of date again. + * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its + checks for OpenSSL >= 3 in 9.4p1. + * Build-depend on pkgconf rather than pkg-config. + * Adjust debian/copyright to handle the 'placed in the public domain' + status of rijndael.* more explicitly. + + -- Colin Watson <cjwat...@debian.org> Mon, 26 Feb 2024 12:26:57 +0000 openssh (1:9.6p1-3) unstable; urgency=medium - * Allow passing extra ssh-agent arguments via - '/usr/lib/openssh/agent-launch start', making it possible to override - things like identity lifetime using a systemd drop-in unit (closes: - #1059639). - * Don't try to start rescue-ssh.target in postinst (LP: #2047082). - - -- Colin Watson <cjwat...@debian.org> Wed, 17 Jan 2024 22:50:07 +0000 + * Allow passing extra ssh-agent arguments via + '/usr/lib/openssh/agent-launch start', making it possible to override + things like identity lifetime using a systemd drop-in unit (closes: + #1059639). + * Don't try to start rescue-ssh.target in postinst (LP: #2047082). 
+ + -- Colin Watson <cjwat...@debian.org> Wed, 17 Jan 2024 22:50:07 +0000 openssh (1:9.6p1-2) unstable; urgency=medium - - ### Old Ubuntu Delta ### openssh (1:9.6p1-3ubuntu13) noble; urgency=medium - [ Marco Trevisan (Treviño) ] - * debian: Remove dependency on libsystemd - As per the xz backdoor we learned that the least dependencies sshd have, - the best it is, so avoid to plug libsystemd (which also brings various - other dependencies) inside sshd for no reason: - - - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd - dependency - - d/p/systemd-socket-activation.patch: Import patch from debian that - mimics the libsystemd sd_listen_fds() code, as refactored by Colin - Watson. - - d/control: Remove dependencies on libsystemd-dev | libelogind-dev - - d/rules: Drop --with-systemd flag (new options are used by default) - - [ Nick Rosbrook ] - * debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN' - (LP: #2060150) - * debian/openssh-server.postinst: don't re-enable ssh.socket if it was disabled - (LP: #2059874) - * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22 - (LP: #2059872) - - -- Nick Rosbrook <en...@ubuntu.com> Fri, 05 Apr 2024 15:30:31 -0400 + [ Marco Trevisan (Treviño) ] + * debian: Remove dependency on libsystemd + As per the xz backdoor we learned that the least dependencies sshd have, + the best it is, so avoid to plug libsystemd (which also brings various + other dependencies) inside sshd for no reason: + + - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd + dependency + - d/p/systemd-socket-activation.patch: Import patch from debian that + mimics the libsystemd sd_listen_fds() code, as refactored by Colin + Watson. 
+ - d/control: Remove dependencies on libsystemd-dev | libelogind-dev + - d/rules: Drop --with-systemd flag (new options are used by default) + + [ Nick Rosbrook ] + * debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN' + (LP: #2060150) + * debian/openssh-server.postinst: don't re-enable ssh.socket if it was disabled + (LP: #2059874) + * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22 + (LP: #2059872) + + -- Nick Rosbrook <en...@ubuntu.com> Fri, 05 Apr 2024 15:30:31 -0400 openssh (1:9.6p1-3ubuntu12) noble; urgency=medium - * No-change rebuild for CVE-2024-3094 - - -- Steve Langasek <steve.langa...@ubuntu.com> Sun, 31 Mar 2024 + * No-change rebuild for CVE-2024-3094 + + -- Steve Langasek <steve.langa...@ubuntu.com> Sun, 31 Mar 2024 09:23:28 +0000 openssh (1:9.6p1-3ubuntu11) noble; urgency=medium - * d/t/ssh-gssapi: make the test a bit more rebust (LP: #2058276): - - deal with return codes - - match a more specific success expression from the logs - - add klist output in the case of failure - - -- Andreas Hasenack <andr...@canonical.com> Mon, 18 Mar 2024 10:25:15 + * d/t/ssh-gssapi: make the test a bit more rebust (LP: #2058276): + - deal with return codes + - match a more specific success expression from the logs + - add klist output in the case of failure + + -- Andreas Hasenack <andr...@canonical.com> Mon, 18 Mar 2024 10:25:15 -0300 openssh (1:9.6p1-3ubuntu10) noble; urgency=medium - * Build again with gnome. - - -- Matthias Klose <d...@ubuntu.com> Sat, 16 Mar 2024 19:30:41 +0100 + * Build again with gnome. 
+ + -- Matthias Klose <d...@ubuntu.com> Sat, 16 Mar 2024 19:30:41 +0100 openssh (1:9.6p1-3ubuntu9) noble; urgency=medium - * d/p/gssapi.patch: fix method_gsskeyex structure and - userauth_gsskeyex function regarding changes introduced in upstream - commit dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for - multiple names for authmethods') (LP: #2053146) - * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic - and gssapi-keyex authentication methods - - -- Andreas Hasenack <andr...@canonical.com> Fri, 15 Mar 2024 16:18:01 + * d/p/gssapi.patch: fix method_gsskeyex structure and + userauth_gsskeyex function regarding changes introduced in upstream + commit dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for + multiple names for authmethods') (LP: #2053146) + * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic + and gssapi-keyex authentication methods + + -- Andreas Hasenack <andr...@canonical.com> Fri, 15 Mar 2024 16:18:01 -0300 openssh (1:9.6p1-3ubuntu8) noble; urgency=medium - * No-change rebuild against libcom-err2 - - -- Steve Langasek <steve.langa...@ubuntu.com> Tue, 12 Mar 2024 + * No-change rebuild against libcom-err2 + + -- Steve Langasek <steve.langa...@ubuntu.com> Tue, 12 Mar 2024 20:34:07 +0000 openssh (1:9.6p1-3ubuntu7) noble; urgency=medium - * No-change rebuild against libglib2.0-0t64 - - -- Steve Langasek <steve.langa...@ubuntu.com> Mon, 11 Mar 2024 + * No-change rebuild against libglib2.0-0t64 + + -- Steve Langasek <steve.langa...@ubuntu.com> Mon, 11 Mar 2024 23:25:42 +0000 openssh (1:9.6p1-3ubuntu6) noble; urgency=medium - * No-change rebuild against libglib2.0-0t64 - - -- Steve Langasek <steve.langa...@ubuntu.com> Fri, 08 Mar 2024 + * No-change rebuild against libglib2.0-0t64 + + -- Steve Langasek <steve.langa...@ubuntu.com> Fri, 08 Mar 2024 06:32:05 +0000 openssh (1:9.6p1-3ubuntu5) noble; urgency=medium - * debian/systemd/ssh.service: restore RuntimeDirectory=sshd (LP: #2055806) - We started using a tmpfile in 
Ubuntu when we invoked sshd -G in - openssh-server.postinst as a part of migration to systemd socket activation. - Since we use a generator now, instead of invoking sshd -G, we no longer need - this change. - - -- Nick Rosbrook <en...@ubuntu.com> Thu, 07 Mar 2024 13:59:57 -0500 + * debian/systemd/ssh.service: restore RuntimeDirectory=sshd (LP: #2055806) + We started using a tmpfile in Ubuntu when we invoked sshd -G in + openssh-server.postinst as a part of migration to systemd socket activation. + Since we use a generator now, instead of invoking sshd -G, we no longer need + this change. + + -- Nick Rosbrook <en...@ubuntu.com> Thu, 07 Mar 2024 13:59:57 -0500 openssh (1:9.6p1-3ubuntu5~ppa2) noble; urgency=medium - * Build without gnome. - - -- Matthias Klose <d...@ubuntu.com> Tue, 05 Mar 2024 15:53:05 +0100 + * Build without gnome. + + -- Matthias Klose <d...@ubuntu.com> Tue, 05 Mar 2024 15:53:05 +0100 openssh (1:9.6p1-3ubuntu4) noble; urgency=medium - * No-change rebuild against libssl3t64 - - -- Steve Langasek <steve.langa...@ubuntu.com> Mon, 04 Mar 2024 + * No-change rebuild against libssl3t64 + + -- Steve Langasek <steve.langa...@ubuntu.com> Mon, 04 Mar 2024 20:31:25 +0000 openssh (1:9.6p1-3ubuntu3) noble; urgency=medium - * Add sshd-socket-generator to generate ssh.socket drop-in configuration - instead of doing one-time generation on package upgrade: - - debian/control: Build-Depends: systemd-dev - - d/p/sshd-socket-generator.patch: add generator for socket activation - - debian/openssh-server.install: install sshd-socket-generator - - debian/openssh-server.postinst: handle migration to sshd-socket-generator - - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator - - ssh.socket: adjust unit for socket activation by default - - debian/README.Debian: update ssh.socket documentation - - debian/rules: explicitly enable LTO - The armhf build was not using LTO, which made sshd-socket-generator FTBFS. 
- This change ensures that all arches are using LTO. - * Drop the following changes related to previous ssh socket activation approach: - - debian/openssh-server.postrm: remove systemd drop-ins for - socket-activated sshd on purge - - debian/openssh-server.templates: include debconf prompt explaining - when migration cannot happen due to multiple ListenAddress values - - debian/openssh-server.postinst: handle migration of sshd_config options - to systemd socket options on upgrade. - - debian/patches/socket-activation-documentation.patch: Document in - sshd_config(5) that ListenAddress and Port no longer work. - * debian/openssh-server.ucf-md5sum: update for new Ubuntu delta - - -- Nick Rosbrook <en...@ubuntu.com> Wed, 21 Feb 2024 12:51:30 -0500 + * Add sshd-socket-generator to generate ssh.socket drop-in configuration + instead of doing one-time generation on package upgrade: + - debian/control: Build-Depends: systemd-dev + - d/p/sshd-socket-generator.patch: add generator for socket activation + - debian/openssh-server.install: install sshd-socket-generator + - debian/openssh-server.postinst: handle migration to sshd-socket-generator + - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator + - ssh.socket: adjust unit for socket activation by default + - debian/README.Debian: update ssh.socket documentation + - debian/rules: explicitly enable LTO + The armhf build was not using LTO, which made sshd-socket-generator FTBFS. + This change ensures that all arches are using LTO. + * Drop the following changes related to previous ssh socket activation approach: + - debian/openssh-server.postrm: remove systemd drop-ins for + socket-activated sshd on purge + - debian/openssh-server.templates: include debconf prompt explaining + when migration cannot happen due to multiple ListenAddress values + - debian/openssh-server.postinst: handle migration of sshd_config options + to systemd socket options on upgrade. 
+ - debian/patches/socket-activation-documentation.patch: Document in + sshd_config(5) that ListenAddress and Port no longer work. + * debian/openssh-server.ucf-md5sum: update for new Ubuntu delta + + -- Nick Rosbrook <en...@ubuntu.com> Wed, 21 Feb 2024 12:51:30 -0500 openssh (1:9.6p1-3ubuntu2) noble; urgency=medium - [ Marco Trevisan (Treviño) ] - * debian/patches: Immediately report interactive instructions to PAM clients - * debian/patches: sshconnect2: Write kbd-interactive messages as utf-8 - - -- Julian Andres Klode <juli...@ubuntu.com> Thu, 15 Feb 2024 11:13:03 + [ Marco Trevisan (Treviño) ] + * debian/patches: Immediately report interactive instructions to PAM clients + * debian/patches: sshconnect2: Write kbd-interactive messages as utf-8 + + -- Julian Andres Klode <juli...@ubuntu.com> Thu, 15 Feb 2024 11:13:03 +0100 openssh (1:9.6p1-3ubuntu1) noble; urgency=medium - * Merge with Debian unstable (LP: #2040406). Remaining changes: - - debian/rules: modify dh_installsystemd invocations for - socket-activated sshd. - - debian/openssh-server.postinst: handle migration of sshd_config - options to systemd socket options on upgrade. - - debian/README.Debian: document systemd socket activation. - - debian/patches/socket-activation-documentation.patch: Document - in sshd_config(5) that ListenAddress and Port no longer work. - - debian/openssh-server.templates: include debconf prompt - explaining when migration cannot happen due to multiple - ListenAddress values. - - debian/.gitignore: drop file. - - debian/openssh-server.postrm: remove systemd drop-ins for - socket-activated sshd on purge. - - debian/openssh-server.ucf-md5sum: update for Ubuntu delta - - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move - /run/sshd creation out of the systemd unit to a tmpfile config - so that sshd can be run manually if necessary without having to - create this directory by hand. 
- - debian/patches/systemd-socket-activation.patch: Fix sshd - re-execution behavior when socket activation is used. - - debian/tests/systemd-socket-activation: Add autopkgtest - for systemd socket activation functionality. - - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no - for some tests. - * Dropped changes, fixed upstream: - - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3 - (LP #2049552) - - -- Miriam España Acebal <miriam.esp...@canonical.com> Mon, 29 Jan 2024 + * Merge with Debian unstable (LP: #2040406). Remaining changes: + - debian/rules: modify dh_installsystemd invocations for + socket-activated sshd. + - debian/openssh-server.postinst: handle migration of sshd_config + options to systemd socket options on upgrade. + - debian/README.Debian: document systemd socket activation. + - debian/patches/socket-activation-documentation.patch: Document + in sshd_config(5) that ListenAddress and Port no longer work. + - debian/openssh-server.templates: include debconf prompt + explaining when migration cannot happen due to multiple + ListenAddress values. + - debian/.gitignore: drop file. + - debian/openssh-server.postrm: remove systemd drop-ins for + socket-activated sshd on purge. + - debian/openssh-server.ucf-md5sum: update for Ubuntu delta + - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move + /run/sshd creation out of the systemd unit to a tmpfile config + so that sshd can be run manually if necessary without having to + create this directory by hand. + - debian/patches/systemd-socket-activation.patch: Fix sshd + re-execution behavior when socket activation is used. + - debian/tests/systemd-socket-activation: Add autopkgtest + for systemd socket activation functionality. + - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no + for some tests. 
+ * Dropped changes, fixed upstream: + - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3 + (LP #2049552) + + -- Miriam España Acebal <miriam.esp...@canonical.com> Mon, 29 Jan 2024 11:16:31 +0100
https://bugs.launchpad.net/bugs/2064435 Title: Merge openssh from Debian unstable for oracular