Your message dated Thu, 30 Aug 2018 15:04:19 +0000 with message-id <[email protected]> and subject line Bug#573316: fixed in openssh 1:7.8p1-1 has caused the Debian Bug report #573316, regarding request for new UnSendEnv directive (or change SendEnv) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
573316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573316
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-client
Version: 1:5.3p1-3
Severity: wishlist

The SendEnv directive is particular in the fact that it cannot be overridden, and the feature is documented. Indeed the ssh_config(5) man page says:

     SendEnv
             Specifies what variables from the local environ(7) should be
             sent to the server. Note that environment passing is only
             supported for protocol 2. The server must also support it, and
             the server must be configured to accept these environment
             variables. Refer to AcceptEnv in sshd_config(5) for how to
             configure the server. Variables are specified by name, which
             may contain wildcard characters. Multiple environment variables
             may be separated by whitespace or spread across multiple
                                               ^^^^^^^^^^^^^^^^^^^^^^
             SendEnv directives. The default is not to send
             ^^^^^^^^^^^^^^^^^^
             any environment variables.

This makes it difficult to cancel environment variable passing. For instance, Debian has "SendEnv LANG LC_*" in its /etc/ssh/ssh_config and the only way for a user to disable that is to use the -F option with his own config file. Moreover it is not possible to specify a SendEnv directive *except* for some host(s) (note that negated patterns work on pattern-lists only, not on Host).

A solution would be an UnSendEnv directive. An environment variable would be sent to the server only if it is specified by SendEnv but not by UnSendEnv.

Alternatively, SendEnv could be changed to behave like the other directives: only the first one would be taken into account. But this could break existing config files.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                  3.112              add and remove users and groups
ii  debconf [debconf-2.0]    1.5.28             Debian configuration management sy
ii  dpkg                     1.15.5.6           Debian package management system
ii  libc6                    2.10.2-6           Embedded GNU C Library: Shared lib
ii  libedit2                 2.11-20080614-1    BSD editline and history libraries
ii  libgssapi-krb5-2         1.8+dfsg~alpha1-7  MIT Kerberos runtime libraries - k
ii  libssl0.9.8              0.9.8m-2           SSL shared libraries
ii  passwd                   1:4.1.4.2-1        change and administer password and
ii  zlib1g                   1:1.2.3.4.dfsg-3   compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1              list of default blacklisted OpenSS
ii  openssh-blacklist-extra  0.4.1              list of non-default blacklisted Op
ii  xauth                    1:1.0.4-1          X authentication utility

Versions of packages openssh-client suggests:
pn  keychain                 <none>             (no description available)
pn  libpam-ssh               <none>             (no description available)
pn  ssh-askpass              <none>             (no description available)

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.8p1-1

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 30 Aug 2018 15:35:27 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.8p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 573316 905407 907534
Changes:
 openssh (1:7.8p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.8, closes:
     #907534):
     - ssh-keygen(1): Write OpenSSH format private keys by default instead
       of using OpenSSL's PEM format (closes: #905407). The OpenSSH format,
       supported in OpenSSH releases since 2014 and described in the
       PROTOCOL.key file in the source distribution, offers substantially
       better protection against offline password guessing and supports key
       comments in private keys. If necessary, it is possible to write old
       PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
       generating or updating a key.
     - sshd(8): Remove internal support for S/Key multiple factor
       authentication. S/Key may still be used via PAM or BSD auth.
     - ssh(1): Remove vestigial support for running ssh(1) as setuid. This
       used to be required for hostbased authentication and the (long gone)
       rhosts-style authentication, but has not been necessary for a long
       time. Attempting to execute ssh as a setuid binary, or with uid !=
       effective uid will now yield a fatal error at runtime.
     - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
       HostbasedAcceptedKeyTypes options have changed. These now specify
       signature algorithms that are accepted for their respective
       authentication mechanism, where previously they specified accepted
       key types. This distinction matters when using the RSA/SHA2 signature
       algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
       counterparts. Configurations that override these options but omit
       these algorithm names may cause unexpected authentication failures
       (no action is required for configurations that accept the default for
       these options).
     - sshd(8): The precedence of session environment variables has changed.
       ~/.ssh/environment and environment="..." options in authorized_keys
       files can no longer override SSH_* variables set implicitly by sshd.
     - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
       will now use DSCP AF21 for interactive traffic and CS1 for bulk.
       For a detailed rationale, please see the commit message:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
     - ssh(1)/sshd(8): Add new signature algorithms
       "rsa-sha2-256-cert-v01@openssh.com" and
       "rsa-sha2-512-cert-v01@openssh.com" to explicitly force use of
       RSA/SHA2 signatures in authentication.
     - sshd(8): Extend the PermitUserEnvironment option to accept a
       whitelist of environment variable names in addition to global "yes"
       or "no" settings.
     - sshd(8): Add a PermitListen directive to sshd_config(5) and a
       corresponding permitlisten= authorized_keys option that control which
       listen addresses and port numbers may be used by remote forwarding
       (ssh -R ...).
     - sshd(8): Add some countermeasures against timing attacks used for
       account validation/enumeration. sshd will enforce a minimum time for
       each failed authentication attempt consisting of a global 5ms minimum
       plus an additional per-user 0-4ms delay derived from a host secret.
     - sshd(8): Add a SetEnv directive to allow an administrator to
       explicitly specify environment variables in sshd_config. Variables
       set by SetEnv override the default and client-specified environment.
     - ssh(1): Add a SetEnv directive to request that the server sets an
       environment variable in the session. Similar to the existing SendEnv
       option, these variables are set subject to server configuration.
     - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
       previously marked for sending to the server (closes: #573316).
     - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
       the username is available currently.
     - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
       functionality.
     - sshd(8): Avoid observable differences in request parsing that could
       be used to determine whether a target user is valid.
     - ssh(1)/sshd(8): Fix some memory leaks.
     - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
       occur during key loading, manifesting as crash on some platforms.
     - sshd_config(5): Clarify documentation for AuthenticationMethods
       option.
     - ssh(1): Ensure that the public key algorithm sent in a public key
       SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
       Previously, these could be inconsistent when a legacy or non-OpenSSH
       ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
       signature.
     - sshd(8): Fix failures to read authorized_keys caused by faulty
       supplemental group caching.
     - scp(1): Apply umask to directories, fixing potential mkdir/chmod race
       when copying directory trees.
     - ssh-keygen(1): Return correct exit code when searching for and
       hashing known_hosts entries in a single operation.
     - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
       re-executing ssh for ProxyJump.
     - sshd(8): Do not ban PTY allocation when a sshd session is restricted
       because the user password is expired as it breaks password change
       dialog.
     - ssh(1)/sshd(8): Fix error reporting from select() failures.
     - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
       -w implicitly sets Tunnel=point-to-point.
     - ssh-agent(1): Implement EMFILE mitigation for ssh-agent. ssh-agent
       will no longer spin when its file descriptor limit is exceeded.
     - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
       clients. Twisted Conch versions that lack a version number in their
       identification strings will mishandle these messages when running on
       Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
     - sftp(1): Notify user immediately when underlying ssh process dies
       expectedly.
     - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
     - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
       fails to accept(2) a connection.
     - ssh(1): Add some missing options in the configuration dump output
       (ssh -G).
     - sshd(8): Expose details of completed authentication to PAM auth
       modules via SSH_AUTH_INFO_0 in the PAM environment.
   * Switch debian/watch to HTTPS.
   * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
     regression tests.
--- End Message ---
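
Added example (not part of the bug report, the changelog or OpenSSH itself): a simplified Python model of the behaviour discussed in this thread, where SendEnv entries accumulate and "SendEnv -PATTERN" clears names listed earlier. It assumes directives take effect in the order ssh reads them and handles only Host and SendEnv lines; effective_sendenv, host_matches and the sample configurations are constructed for illustration.

```python
# Added example: simplified model of ssh(1) SendEnv handling, not OpenSSH code.
from fnmatch import fnmatchcase  # '*' and '?' behave like ssh_config patterns


def host_matches(patterns, host):
    """A Host line applies if a plain pattern matches and no !pattern does."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:].lower()):
                return False
        elif fnmatchcase(host, pat.lower()):
            hit = True
    return hit


def effective_sendenv(config_texts, host):
    """Apply SendEnv directives in reading order; return the patterns left."""
    send, host = [], host.lower()
    for text in config_texts:
        active = True  # lines before the first Host line apply to every host
        for line in text.splitlines():
            words = line.split("#", 1)[0].split()
            if not words:
                continue
            key, args = words[0].lower(), words[1:]
            if key == "host":
                active = host_matches(args, host)
            elif key == "sendenv" and active:
                for arg in args:
                    if arg.startswith("-"):
                        # Clear previously listed names matching the pattern.
                        send = [s for s in send if not fnmatchcase(s, arg[1:])]
                    else:
                        send.append(arg)
    return send


# Constructed sample files. SYSTEM mirrors the Debian default quoted above.
SYSTEM = "Host *\n    SendEnv LANG LC_*\n"
USER_CLEAR = "Host *\n    SendEnv -LC_* -LANG\n"
PER_HOST = SYSTEM + "Host build.example.org\n    SendEnv -LC_*\n"

if __name__ == "__main__":
    print(effective_sendenv([SYSTEM], "db.example.org"))
    print(effective_sendenv([SYSTEM, USER_CLEAR], "db.example.org"))
    # A clear that is read before the entries exist has nothing to remove.
    print(effective_sendenv([USER_CLEAR, SYSTEM], "db.example.org"))
    print(effective_sendenv([PER_HOST], "build.example.org"))
```

On a real client, the configuration dump mentioned in the changelog (ssh -G host) shows the options the client would actually apply.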

