Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
Control: tags -1 + pending

On Sat, 2017-11-18 at 10:14 +, Colin Watson wrote:
> On Fri, Nov 17, 2017 at 11:25:33AM +0100, Julien Cristau wrote:
> > Looks fine to me, go ahead.
>
> Uploaded, thanks.

Flagged for acceptance.

Regards,

Adam
Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
On Fri, Nov 17, 2017 at 11:25:33AM +0100, Julien Cristau wrote:
> Looks fine to me, go ahead.

Uploaded, thanks.

--
Colin Watson [cjwat...@debian.org]
Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
Control: tag -1 confirmed

On Fri, Oct 6, 2017 at 21:34:59 +0100, Colin Watson wrote:
> I got kind of distracted and forgot about this, and in the meantime a
> few more bugs have become evident that ought to be fixed in stable, so
> here's an extended debdiff for approval.
>
>  * #877800 causes current versions of WinSCP to be unable to connect due
>    to overly-general version patterns in sshd's bug-compatibility code.
>
>  * #873201 was implicated in a few CVEs a while back in packages using
>    ssh; I'm not sure whether it *quite* counts as a security
>    vulnerability in and of itself, but we should fix it anyway.
>
> (And yes, I'll deal with these in jessie too as necessary as soon as I
> summon the energy for oldstable updates.)
>
> A current version of git introduced a small amount of noise into the
> diff, but it's small enough that I don't think it's worth brutalising
> the tools to avoid it.

Looks fine to me, go ahead.

Cheers,
Julien
Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
On Fri, Oct 06, 2017 at 09:34:51PM +0100, Colin Watson wrote:
> On Mon, Jun 26, 2017 at 01:57:25PM +0200, Cyril Brulebois wrote:
> > This looks good to me. I'll wait until the bug fix clears NEW, and until
> > you post a final debdiff, targeting stretch, to tag this request with
> > the "confirmed" tag.
>
> I got kind of distracted and forgot about this, and in the meantime a
> few more bugs have become evident that ought to be fixed in stable, so
> here's an extended debdiff for approval.

Could somebody review this, or say that I can upload? I've been getting
questions about the WinSCP issue (#877800).

Thanks,

--
Colin Watson [cjwat...@debian.org]
Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
Control: tag -1 - moreinfo

On Mon, Jun 26, 2017 at 01:57:25PM +0200, Cyril Brulebois wrote:
> Colin Watson (2017-06-26):
> > I've committed this patch to master, but it isn't in unstable yet
> > because I'm waiting for openssh-ssh1 to clear NEW before I upload
> > openssh to unstable again, in order to avoid confusion with versions.
> > However, point release dates are close enough that I wanted to seek
> > approval for this sooner rather than later.
>
> I was surprised by the double ExecReload entry at first, but that seems
> to be allowed. Moreover, that keeps sshd alive when a typo is willingly
> introduced in sshd_config.
>
> (Granted: Tested on a jessie system only.)
>
> This looks good to me. I'll wait until the bug fix clears NEW, and until
> you post a final debdiff, targeting stretch, to tag this request with
> the "confirmed" tag.

I got kind of distracted and forgot about this, and in the meantime a
few more bugs have become evident that ought to be fixed in stable, so
here's an extended debdiff for approval.

 * #877800 causes current versions of WinSCP to be unable to connect due
   to overly-general version patterns in sshd's bug-compatibility code.

 * #873201 was implicated in a few CVEs a while back in packages using
   ssh; I'm not sure whether it *quite* counts as a security
   vulnerability in and of itself, but we should fix it anyway.

(And yes, I'll deal with these in jessie too as necessary as soon as I
summon the energy for oldstable updates.)

A current version of git introduced a small amount of noise into the
diff, but it's small enough that I don't think it's worth brutalising
the tools to avoid it.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm --- openssh-7.4p1/debian/.git-dpm 2017-06-18 01:08:18.0 +0100 +++ openssh-7.4p1/debian/.git-dpm 2017-10-06 20:03:26.0 +0100
@@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -1fbd56e33d641c08a8f573406cf27f9adf667763 -1fbd56e33d641c08a8f573406cf27f9adf667763 +39d60bbd309be74d337685c2da524233652513f4 +39d60bbd309be74d337685c2da524233652513f4 971a7653746a6972b907dfe0ce139c06e4a6f482 971a7653746a6972b907dfe0ce139c06e4a6f482 openssh_7.4p1.orig.tar.gz diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog --- openssh-7.4p1/debian/changelog 2017-06-18 01:11:26.0 +0100 +++ openssh-7.4p1/debian/changelog 2017-10-06 20:03:40.0 +0100 @@ -1,3 +1,15 @@ +openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium + + * Test configuration before starting or reloading sshd under systemd +(closes: #865770). + * Adjust compatibility patterns for WinSCP to correctly identify versions +that implement only the legacy DH group exchange scheme (closes: +#877800). + * Make "--" before the hostname terminate argument processing after the +hostname too (closes: #873201). + + -- Colin Watson Fri, 06 Oct 2017 20:03:40 +0100 + openssh (1:7.4p1-10+deb9u1) stretch; urgency=medium * Fix incoming compression statistics (thanks, Russell Coker; closes: diff -Nru openssh-7.4p1/debian/openssh-server.ssh.service openssh-7.4p1/debian/openssh-server.ssh.service --- openssh-7.4p1/debian/openssh-server.ssh.service 2017-06-18 01:08:12.0 +0100 +++ openssh-7.4p1/debian/openssh-server.ssh.service 2017-10-06 20:03:26.0 +0100 @@ -5,7 +5,9 @@ [Service] EnvironmentFile=-/etc/default/ssh +ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS +ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure diff -Nru openssh-7.4p1/debian/patches/auth-log-verbosity.patch openssh-7.4p1/debian/patches/auth-log-verbosity.patch --- openssh-7.4p1/debian/patches/auth-log-verbosity.patch 2017-06-18 01:08:11.0 +0100 +++ openssh-7.4p1/debian/patches/auth-log-verbosity.patch 2017-10-06 20:03:26.0 +0100 @@ -18,7 +18,7 @@ index 57b49f7f..7eb87b35 100644 --- a/auth-options.c 
+++ b/auth-options.c -@@ -59,9 +59,20 @@ int forced_tun_device = -1; +@@ -59,8 +59,19 @@ int forced_tun_device = -1; /* "principals=" option. */ char *authorized_principals = NULL; @@ -28,17 +28,16 @@ + extern ServerOptions options; - void ++void +auth_start_parse_options(void) +{ + logged_from_hostip = 0; + logged_cert_hostip = 0; +} + -+void + void auth_clear_options(void) { - no_agent_forwarding_flag = 0; @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) /* FALLTHROUGH */ case 0: diff -Nru openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch --- openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch 1970-01-01 01:00:00.0 +0100 +++ openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch 2017-10-06 20:03:26.0 +0100 @@ -0,0 +1,63 @@
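Review bot: in the openssh-server.ssh.service hunk, the new `ExecStartPre=/usr/sbin/sshd -t` and `ExecReload=/usr/sbin/sshd -t` lines omit `$SSHD_OPTS`, while the existing `ExecStart=/usr/sbin/sshd -D $SSHD_OPTS` passes it, so on a host whose /etc/default/ssh sets options such as an alternative `-f` configuration file or `-o` overrides the pre-start and pre-reload checks validate a different configuration from the one the daemon actually runs, and a broken live config can still pass the test (or a valid one fail it). Suggest `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` and `ExecReload=/usr/sbin/sshd -t $SSHD_OPTS` so the check and the daemon see the same arguments.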
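Review bot: the debdiff stops immediately after the hunk header `@@ -0,0 +1,63 @@` of the new dash-dash-before-hostname.patch, so none of its 63 added lines are visible and the actual fix for #873201 (the changelog's "Make '--' before the hostname terminate argument processing after the hostname too"), which the cover text links to earlier CVEs in packages using ssh, cannot be reviewed from this posting. Please repost the complete patch body, or point at the corresponding commit, before this is tagged confirmed.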
Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
Cyril Brulebois (2017-06-26):
> I was surprised by the double ExecReload entry at first, but that seems
> to be allowed. Moreover, that keeps sshd alive when a typo is willingly
> introduced in sshd_config.
>
> (Granted: Tested on a jessie system only.)
>
> This looks good to me. I'll wait until the bug fix clears NEW, and until
> you post a final debdiff, targeting stretch, to tag this request with
> the "confirmed" tag.

Speaking of jessie, a fix there is welcome as well. Having checked with
#debian-release, it would be nice to open a separate bug report to track
the jessie-pu one though.

Thanks already!

KiBi.
Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
Hi Colin,

Colin Watson (2017-06-26):
> I've committed this patch to master, but it isn't in unstable yet
> because I'm waiting for openssh-ssh1 to clear NEW before I upload
> openssh to unstable again, in order to avoid confusion with versions.
> However, point release dates are close enough that I wanted to seek
> approval for this sooner rather than later.

I was surprised by the double ExecReload entry at first, but that seems
to be allowed. Moreover, that keeps sshd alive when a typo is willingly
introduced in sshd_config.

(Granted: Tested on a jessie system only.)

This looks good to me. I'll wait until the bug fix clears NEW, and until
you post a final debdiff, targeting stretch, to tag this request with
the "confirmed" tag.

KiBi.
Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I've committed this patch to master, but it isn't in unstable yet
because I'm waiting for openssh-ssh1 to clear NEW before I upload
openssh to unstable again, in order to avoid confusion with versions.
However, point release dates are close enough that I wanted to seek
approval for this sooner rather than later.

commit 1854b32d1b507510d51f547d24560d412ff3fa11
Author: Colin Watson
Date:   Mon Jun 26 10:18:26 2017 +0100

    Test configuration before starting or reloading sshd under systemd
    (closes: #865770).

diff --git a/debian/changelog b/debian/changelog index c224e40..2229aa0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openssh (1:7.4p1-10+deb9u2) UNRELEASED; urgency=medium + + * Test configuration before starting or reloading sshd under systemd +(closes: #865770). + + -- Colin Watson Mon, 26 Jun 2017 10:19:40 +0100 + openssh (1:7.4p1-10+deb9u1) stretch; urgency=medium * Fix incoming compression statistics (thanks, Russell Coker; closes: diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service index 3df8c64..c75e590 100644 --- a/debian/systemd/ssh.service +++ b/debian/systemd/ssh.service @@ -5,7 +5,9 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run [Service] EnvironmentFile=-/etc/default/ssh +ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS +ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure

Thanks,

--
Colin Watson [cjwat...@debian.org]
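Review bot: the two consecutive `ExecReload=` lines in the ssh.service hunk rely on a systemd property that is not obvious from the unit itself: multiple `ExecReload=` commands run serially and the reload is abandoned as soon as one of them exits non-zero, so a failing `/usr/sbin/sshd -t` means `/bin/kill -HUP $MAINPID` is never reached and the running daemon keeps its last good configuration instead of dying on a bad sshd_config. Since the reviewer in this thread was initially surprised by the duplicate entry, add a short comment above `ExecReload=/usr/sbin/sshd -t` stating that it deliberately gates the HUP, so the next maintainer does not "fix" it by removing one of the lines.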