Hash: SHA256

Format: 1.8
Date: Mon, 14 Nov 2022 16:25:45 +0000
Source: openssh
Architecture: source
Version: 1:9.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <>
Changed-By: Colin Watson <>
Closes: 197037 1016340 1021585
 openssh (1:9.1p1-1) unstable; urgency=medium
   [ Markus Teich ]
   * Delete obsolete upstart configuration override.
   [ Colin Watson ]
   * Work around apparent dh-exec regressions (closes: #1016340).
   * Don't install unnecessary *.lo files in openssh-tests.
   * Update Lintian overrides to current syntax.
   * Pass on compiler/linker flags when building debian/keygen-test.
   * Remove obsolete and misleading rcp/rlogin/rsh alternatives, and stop
     providing rsh-client (closes: #197037).
   * Add sshd_config checksums for 1:8.2p1-1 and 1:8.7p1-1 to ucf reference
   * New upstream release (,
     closes: #1021585):
     - ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
     - ssh-keygen(1): double free() in error path of file hashing step in
       signing/verify code.
     - ssh-keysign(8): double-free in error path introduced in openssh-8.9.
     - ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are
       now first-match-wins to match other directives. Previously if an
       environment variable was multiply specified the last set value would
       have been used.
     - ssh-keygen(8): ssh-keygen -A (generate all default host key types)
       will no longer generate DSA keys, as these are insecure and have not
       been used by default for some years.
     - ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA
       key length. Keys below this length will be ignored for user
       authentication and for host authentication in sshd(8). ssh(1) will
       terminate a connection if the server offers an RSA key that falls
       below this limit, as the SSH protocol does not include the ability to
       retry a failed key exchange.
     - sftp-server(8): add a "" extension
       request that allows the client to obtain user/group names that
       correspond to a set of uids/gids.
     - sftp(1): use "" sftp-server extension
       (when available) to fill in user/group names for directory listings.
     - sftp-server(8): support the "home-directory" extension request defined
       in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with
       the existing "", but some other clients support
     - ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig
       verification times and authorized_keys expiry-time options to accept
       dates in the UTC time zone in addition to the default of interpreting
       them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times
       will be interpreted as UTC if suffixed with a 'Z' character. Also
       allow certificate validity intervals to be specified in raw
       seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is
       intended for use by regress tests and other tools that call ssh-keygen
       as part of a CA workflow.
     - sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
       "/usr/libexec/sftp-server -el debug3".
     - ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y
       sign" operations, where it will be interpreted to require that the
       private keys is hosted in an agent.
     - ssh-keygen(1): implement the "verify-required" certificate option.
       This was already documented when support for user-verified FIDO keys
       was added, but the ssh-keygen(1) code was missing.
     - ssh-agent(1): hook up the restrict_websafe command-line flag;
       previously the flag was accepted but never actually used.
     - sftp(1): improve filename tab completions: never try to complete names
       to non-existent commands, and better match the completion type (local
       or remote filename) against the argument position being completed.
     - ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
       handling, especially relating to keys that request user-verification.
       These should reduce the number of unnecessary PIN prompts for keys
       that support intrinsic user verification.
     - ssh-keygen(1): when enrolling a FIDO resident key, check if a
       credential with matching application and user ID strings already
       exists and, if so, prompt the user for confirmation before overwriting
       the credential.
     - sshd(8): improve logging of errors when opening authorized_keys files.
     - ssh(1): avoid multiplexing operations that could cause SIGPIPE from
       causing the client to exit early.
     - ssh_config(5), sshd_config(5): clarify that the RekeyLimit directive
       applies to both transmitted and received data.
     - ssh-keygen(1): avoid double fclose() in error path.
     - sshd(8): log an error if pipe() fails while accepting a connection.
     - ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
     - sshd(8): ensure that authentication passwords are cleared from memory
       in error paths.
     - ssh(1), ssh-agent(1): avoid possibility of notifier code executing
     - ssh_config(5): note that the ProxyJump directive also accepts the same
       tokens as ProxyCommand.
     - scp(1): do not ftruncate(3) files early when in sftp mode. The
       previous behaviour of unconditionally truncating the destination file
       would cause "scp ~/foo localhost:foo" and the reverse "scp
       localhost:foo ~/foo" to delete all the contents of their destination.
     - ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is
       unable to load a private key.
     - sftp(1), scp(1): when performing operations that glob(3) a remote
       path, ensure that the implicit working directory used to construct
       that path escapes glob(3) characters. This prevents glob characters
       from being processed in places they shouldn't, e.g. "cd /tmp/a*/",
       "get *.txt" should have the get operation treat the path "/tmp/a*"
       literally and not attempt to expand it (LP: #1483751).
     - ssh(1), sshd(8): be stricter in which characters will be accepted in
       specifying a mask length; allow only 0-9.
     - ssh-keygen(1): avoid printing hash algorithm twice when dumping a KRL.
     - ssh(1), sshd(8): continue running local I/O for open channels during
       SSH transport rekeying. This should make ~-escapes work in the client
       (e.g. to exit) if the connection happened to have stalled during a
       rekey event.
     - ssh(1), sshd(8): avoid potential poll() spin during rekeying.
     - Further hardening for sshbuf internals: disallow "reparenting" a
       hierarchical sshbuf and zero the entire buffer if reallocation fails.
     - sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
   * Drop patch to work around,
     since the fix for that is in Debian testing.
   * Rewrite gnome-ssh-askpass(1) manual page using mdoc macros, and flesh it
     out a bit more.
   [ Steve Langasek ]
   * Support systemd socket activation.  Migrate any existing inetd-style
     socket activation to systemd socket activation.
   [ Gioele Barabucci ]
   * Remove ancient version constraints.
   * d/openssh-server.{postinst,config}: get_config_option: Replace perl with
 3d09519333c37fc37e447ab2211f880099db487a 3311 openssh_9.1p1-1.dsc
 15545440268967511d3194ebf20bcd0c7ff3fcc9 1838747 openssh_9.1p1.orig.tar.gz
 739873beca6afe4163d79a2168dbe7d313dbce39 833 openssh_9.1p1.orig.tar.gz.asc
 e04988d8ebc3e51dd57438359123cfaec4ebb505 179584 openssh_9.1p1-1.debian.tar.xz
 66cecc01833154ecc84909a16b947e66b800935b58d33c11c45fe84a3026e8af 3311 
 19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288 1838747 
 abac4673e0862604ab1f69a4597d191940c0cf58679dc5fc81fbdbd8b28ca267 833 
 a6ffc0939c91d636ef4fe6514295de63ac57280a1c2fd207e9914c5618648d0d 179584 
 8bdfe7169b837f30f4a27d44e9bc6086 3311 net standard openssh_9.1p1-1.dsc
 471912038124285c96918882ee190a22 1838747 net standard openssh_9.1p1.orig.tar.gz
 e7e81a9eb2de83e00509ad97aa71f36c 833 net standard openssh_9.1p1.orig.tar.gz.asc
 092d3782dab1f39ef4b668a263b70e48 179584 net standard 



Thank you for your contribution to Debian.

Reply via email to