Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-11-18 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-11-18 at 10:14 +, Colin Watson wrote:
> On Fri, Nov 17, 2017 at 11:25:33AM +0100, Julien Cristau wrote:
> > Looks fine to me, go ahead.
> 
> Uploaded, thanks.

Flagged for acceptance.

Regards,

Adam



Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-11-18 Thread Colin Watson
On Fri, Nov 17, 2017 at 11:25:33AM +0100, Julien Cristau wrote:
> Looks fine to me, go ahead.

Uploaded, thanks.

-- 
Colin Watson   [cjwat...@debian.org]



Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-11-17 Thread Julien Cristau
Control: tag -1 confirmed

On Fri, Oct  6, 2017 at 21:34:59 +0100, Colin Watson wrote:

> I got kind of distracted and forgot about this, and in the meantime a
> few more bugs have become evident that ought to be fixed in stable, so
> here's an extended debdiff for approval.
> 
>  * #877800 causes current versions of WinSCP to be unable to connect due
>    to overly-general version patterns in sshd's bug-compatibility code.
> 
>  * #873201 was implicated in a few CVEs a while back in packages using
>    ssh; I'm not sure whether it *quite* counts as a security
>    vulnerability in and of itself, but we should fix it anyway.
> 
> (And yes, I'll deal with these in jessie too as necessary as soon as I
> summon the energy for oldstable updates.)
> 
> A current version of git introduced a small amount of noise into the
> diff, but it's small enough that I don't think it's worth brutalising
> the tools to avoid it.
> 
Looks fine to me, go ahead.

Cheers,
Julien
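
The #873201 item quoted above concerns how ssh(1) splits its arguments into options, hostname and remote command. The model below is an added example, not OpenSSH's code and not part of this thread: it reproduces the structure of ssh.c's argument handling (a BSD-style getopt pass, the first non-option word becomes the hostname, then a second getopt pass over whatever follows) and switches between the behaviour before and after the fix described in the changelog, followed by a wrapper that builds a safe argv either way. The option-letter sets are an assumption covering a subset of ssh(1)'s options, `_getopt_pass`, `parse_ssh_argv` and `build_ssh_argv` are hypothetical names, and the `git.example.com` invocations are constructed.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Which option letters take an argument: an ASSUMPTION covering a subset of
# ssh(1)'s option string, enough to model the host/command split.
OPTS_WITH_ARG = set("bcDEeFIiJLlmOopQRSWw")
OPTS_NO_ARG = set("1246AaCfGgKkMNnqsTtVvXxYy")


@dataclass
class SshInvocation:
    options: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    host: Optional[str] = None
    command: List[str] = field(default_factory=list)  # words ssh joins and hands to the remote shell


def _getopt_pass(args):
    """One BSD-getopt-style pass (no argument permutation): stops at '--',
    which is consumed, or at the first word that is not an option.
    Returns (options, remaining_args, saw_dashdash)."""
    options = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--":
            return options, args[i + 1:], True
        if arg == "-" or not arg.startswith("-"):
            break
        cluster = arg[1:]
        j = 0
        while j < len(cluster):
            letter = cluster[j]
            if letter in OPTS_WITH_ARG:
                value = cluster[j + 1:]        # "-oFoo=bar" form ...
                if value == "":                # ... or "-o Foo=bar" form
                    i += 1
                    if i >= len(args):
                        raise ValueError(f"option -{letter} requires an argument")
                    value = args[i]
                options.append((letter, value))
                break
            if letter in OPTS_NO_ARG:
                options.append((letter, None))
                j += 1
                continue
            raise ValueError(f"unknown option -{letter}")
        i += 1
    return options, args[i:], False


def parse_ssh_argv(args, fixed):
    """Split ssh's arguments (argv[1:]) like ssh.c does.  fixed=False models
    the pre-#873201 code, which restarts option parsing after the hostname
    unconditionally; fixed=True models the fix, where a '--' seen before the
    hostname also ends option processing after it."""
    inv = SshInvocation()
    options, rest, saw_dashdash = _getopt_pass(args)
    inv.options.extend(options)
    if rest:
        inv.host, rest = rest[0], rest[1:]
        if rest and not (fixed and saw_dashdash):
            options, rest, _ = _getopt_pass(rest)
            inv.options.extend(options)
    inv.command = rest
    return inv


# Conservative [user@]host shape (assumption); neither part may start with '-'.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9][A-Za-z0-9._-]*@)?[A-Za-z0-9][A-Za-z0-9.-]*$")


def build_ssh_argv(host, remote_argv, ssh_options=()):
    """Build an ssh argv in which neither the host nor the remote command can
    be parsed as options, on clients with or without the #873201 fix."""
    if not HOST_RE.match(host):
        raise ValueError(f"refusing suspicious host {host!r}")
    command = " ".join(shlex.quote(word) for word in remote_argv)
    if command.startswith("-"):
        # Before the fix, '--' does not protect this slot: ssh re-parses the
        # first word after the hostname as an option.
        raise ValueError(f"refusing remote command starting with '-': {command!r}")
    return ["ssh", *ssh_options, "--", host] + ([command] if command else [])


def demo():
    """Constructed injection attempt: the remote-command slot carries an
    option.  Returns the split before and after the fix."""
    injected = ["--", "git.example.com", "-oProxyCommand=id", "uptime"]
    return parse_ssh_argv(injected, fixed=False), parse_ssh_argv(injected, fixed=True)


if __name__ == "__main__":
    for label, inv in zip(("before fix", "after fix"), demo()):
        print(f"{label}: options={inv.options} host={inv.host} command={inv.command}")
    print(build_ssh_argv("git.example.com", ["git-upload-pack", "/srv/repo.git"]))
```

Running the file prints the two splits: before the fix the `-oProxyCommand=id` word after the hostname becomes an option even though `--` preceded the hostname, after the fix it is handed to the remote shell as part of the command. The wrapper's second check exists because `--` alone only protects the hostname slot on an unfixed client; a wrapper that passes an attacker-influenced remote command has to reject or rewrite a leading `-` itself.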



Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-10-27 Thread Colin Watson
On Fri, Oct 06, 2017 at 09:34:51PM +0100, Colin Watson wrote:
> On Mon, Jun 26, 2017 at 01:57:25PM +0200, Cyril Brulebois wrote:
> > This looks good to me. I'll wait until the bug fix clears NEW, and until
> > you post a final debdiff, targeting stretch, to tag this request with
> > the "confirmed" tag.
> 
> I got kind of distracted and forgot about this, and in the meantime a
> few more bugs have become evident that ought to be fixed in stable, so
> here's an extended debdiff for approval.

Could somebody review this, or say that I can upload?  I've been getting
questions about the WinSCP issue (#877800).

Thanks,

-- 
Colin Watson   [cjwat...@debian.org]
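
For the WinSCP issue (#877800) mentioned above, the relevant mechanism is sshd's compat table: a list of client-version patterns, matched with OpenSSH's `match_pattern_list()` semantics, that switches on bug-compatibility flags for the peer. The block below is an added example, not OpenSSH's code and not part of this bug report: it reimplements those matching semantics in Python and shows how a pattern meant for a 5.1.x release also captures a later 5.11.x release. The two pattern lists and the client identification lines are constructed for illustration, not copied from compat.c, and `compat_flags` and `classify` are hypothetical names.

```python
import re


def match_pattern(s, pattern):
    """OpenSSH match_pattern() semantics: '*' matches any run of characters
    (including none), '?' exactly one character, everything else literally
    and case-sensitively.  Implemented by translating to an anchored regex."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, s, re.DOTALL) is not None


def match_pattern_list(s, pattern_list):
    """OpenSSH match_pattern_list() semantics: comma-separated patterns, a
    leading '!' negates.  Returns -1 as soon as a negated pattern matches,
    1 if any positive pattern matched, 0 otherwise."""
    got_positive = 0
    for sub in pattern_list.split(","):
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


# Constructed stand-ins for the WinSCP rows of sshd's compat table (NOT the
# real patterns).  The flag means "this client only implements the legacy
# DH group-exchange request", so it must hit only the old releases.
WINSCP_TOO_GENERAL = "WinSCP_release_4*,WinSCP_release_5.0*,WinSCP_release_5.1*"
WINSCP_REFINED = (
    "WinSCP_release_4*,WinSCP_release_5.0*,"
    "WinSCP_release_5.1,WinSCP_release_5.1.*"
)
TABLE_BEFORE = [(WINSCP_TOO_GENERAL, "SSH_OLD_DHGEX")]
TABLE_AFTER = [(WINSCP_REFINED, "SSH_OLD_DHGEX")]


def compat_flags(banner, table):
    """Mimic compat_datafellows(): match the software-version part of the
    client's identification line (assumption: everything after 'SSH-2.0-',
    as sshd's banner parsing yields it) against each row of the table."""
    if not banner.startswith("SSH-2.0-"):
        raise ValueError(f"not an SSH-2.0 identification line: {banner!r}")
    version = banner[len("SSH-2.0-"):].rstrip("\r\n")
    return {flag for pattern_list, flag in table
            if match_pattern_list(version, pattern_list) == 1}


def classify(banner):
    """Flags a client gets from the too-general and from the refined table."""
    return compat_flags(banner, TABLE_BEFORE), compat_flags(banner, TABLE_AFTER)


if __name__ == "__main__":
    # Constructed client identification lines.
    for banner in ("SSH-2.0-WinSCP_release_5.1.7",
                   "SSH-2.0-WinSCP_release_5.11.1",
                   "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1"):
        before, after = classify(banner)
        print(f"{banner:42} too-general={sorted(before)} refined={sorted(after)}")
```

The refined list spells out `5.1` and `5.1.*` instead of `5.1*`, so a 5.11.x client no longer inherits a flag meant for 5.1.x; with the flag set, sshd treats the client as a legacy group-exchange implementation, which is what the bug report describes as current WinSCP being unable to connect. When auditing a compat table, the test to run is exactly this: feed every version string you expect to see through the matcher and confirm each row hits only the releases it was written for.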



Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-10-06 Thread Colin Watson
Control: tag -1 - moreinfo

On Mon, Jun 26, 2017 at 01:57:25PM +0200, Cyril Brulebois wrote:
> Colin Watson  (2017-06-26):
> > I've committed this patch to master, but it isn't in unstable yet
> > because I'm waiting for openssh-ssh1 to clear NEW before I upload
> > openssh to unstable again, in order to avoid confusion with versions.
> > However, point release dates are close enough that I wanted to seek
> > approval for this sooner rather than later.
> 
> I was surprised by the double ExecReload entry at first, but that seems
> to be allowed. Moreover, that keeps sshd alive when a typo is willingly
> introduced in sshd_config.
> 
> (Granted: Tested on a jessie system only.)
> 
> This looks good to me. I'll wait until the bug fix clears NEW, and until
> you post a final debdiff, targeting stretch, to tag this request with
> the "confirmed" tag.

I got kind of distracted and forgot about this, and in the meantime a
few more bugs have become evident that ought to be fixed in stable, so
here's an extended debdiff for approval.

 * #877800 causes current versions of WinSCP to be unable to connect due
   to overly-general version patterns in sshd's bug-compatibility code.

 * #873201 was implicated in a few CVEs a while back in packages using
   ssh; I'm not sure whether it *quite* counts as a security
   vulnerability in and of itself, but we should fix it anyway.

(And yes, I'll deal with these in jessie too as necessary as soon as I
summon the energy for oldstable updates.)

A current version of git introduced a small amount of noise into the
diff, but it's small enough that I don't think it's worth brutalising
the tools to avoid it.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm   2017-06-18 01:08:18.0 +0100
+++ openssh-7.4p1/debian/.git-dpm   2017-10-06 20:03:26.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-1fbd56e33d641c08a8f573406cf27f9adf667763
-1fbd56e33d641c08a8f573406cf27f9adf667763
+39d60bbd309be74d337685c2da524233652513f4
+39d60bbd309be74d337685c2da524233652513f4
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog  2017-06-18 01:11:26.0 +0100
+++ openssh-7.4p1/debian/changelog  2017-10-06 20:03:40.0 +0100
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
+
+  * Test configuration before starting or reloading sshd under systemd
+(closes: #865770).
+  * Adjust compatibility patterns for WinSCP to correctly identify versions
+that implement only the legacy DH group exchange scheme (closes:
+#877800).
+  * Make "--" before the hostname terminate argument processing after the
+hostname too (closes: #873201).
+
+ -- Colin Watson   Fri, 06 Oct 2017 20:03:40 +0100
+
 openssh (1:7.4p1-10+deb9u1) stretch; urgency=medium
 
   * Fix incoming compression statistics (thanks, Russell Coker; closes:
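Review bot: the #873201 entry describes the parser change but not why a stable user should care, even though the cover text says the behaviour was implicated in CVEs in packages that invoke ssh. Spell out the user-visible effect in the changelog (or a NEWS entry): arguments following the hostname are no longer re-parsed as options when `--` precedes the hostname, so a wrapper that relied on `--` to neutralise an attacker-controlled hostname was still exposed through the remote-command position before this change. For instance: `* Make "--" before the hostname terminate argument processing after the hostname too, so that a remote command cannot inject options (closes: #873201).`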
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.service 
openssh-7.4p1/debian/openssh-server.ssh.service
--- openssh-7.4p1/debian/openssh-server.ssh.service 2017-06-18 
01:08:12.0 +0100
+++ openssh-7.4p1/debian/openssh-server.ssh.service 2017-10-06 
20:03:26.0 +0100
@@ -5,7 +5,9 @@
 
 [Service]
 EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
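Review bot: both `sshd -t` lines run without `$SSHD_OPTS`, while `ExecStart=/usr/sbin/sshd -D $SSHD_OPTS` passes it. An administrator who puts `-f /etc/ssh/other_config` (or an `-o` override) in /etc/default/ssh therefore gets /etc/ssh/sshd_config validated rather than the configuration sshd is actually started with: a broken alternative config still starts and fails exactly as before this change, and a broken default config blocks a start or reload that would have succeeded. Suggest `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` and `ExecReload=/usr/sbin/sshd -t $SSHD_OPTS` so that the test and the real invocation see the same options.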
diff -Nru openssh-7.4p1/debian/patches/auth-log-verbosity.patch 
openssh-7.4p1/debian/patches/auth-log-verbosity.patch
--- openssh-7.4p1/debian/patches/auth-log-verbosity.patch   2017-06-18 
01:08:11.0 +0100
+++ openssh-7.4p1/debian/patches/auth-log-verbosity.patch   2017-10-06 
20:03:26.0 +0100
@@ -18,7 +18,7 @@
 index 57b49f7f..7eb87b35 100644
 --- a/auth-options.c
 +++ b/auth-options.c
-@@ -59,9 +59,20 @@ int forced_tun_device = -1;
+@@ -59,8 +59,19 @@ int forced_tun_device = -1;
  /* "principals=" option. */
  char *authorized_principals = NULL;
  
@@ -28,17 +28,16 @@
 +
  extern ServerOptions options;
  
- void
++void
 +auth_start_parse_options(void)
 +{
 +  logged_from_hostip = 0;
 +  logged_cert_hostip = 0;
 +}
 +
-+void
+ void
  auth_clear_options(void)
  {
-   no_agent_forwarding_flag = 0;
 @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char 
*file, u_long linenum)
/* FALLTHROUGH */
case 0:
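Review bot: this hunk is a pure refresh of auth-log-verbosity.patch: `void` moves from an inner context line to an inner added line and back (`- void` / `++void`, then `-+void` / `+ void`), and the dropped `no_agent_forwarding_flag = 0;` context line is what shrinks the inner hunk header from `-59,9 +59,20` to `-59,8 +59,19`. The patched auth-options.c comes out identical either way, so this is the git-related noise the cover text mentions and can be accepted as such; the only check worth doing is that the refreshed patch still applies cleanly during the build.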
diff -Nru openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch 
openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch
--- openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch
1970-01-01 01:00:00.0 +0100
+++ openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch
2017-10-06 20:03:26.0 +0100
@@ -0,0 +1,63 @@
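Review bot: the hunk header promises 63 new lines but none of them are reproduced here, and nothing in the visible part of the debdiff touches the compat table for #877800 either, so the two source-level changes in this upload cannot be reviewed from this page; the only code change that is visible and reviewable is the unit-file one. Before tagging confirmed, request the complete debdiff or a pointer to where each of the two patches was taken from, so that the dash-dash change can be checked against the changelog wording and the WinSCP pattern change against the version strings it is meant to catch.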

Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-06-26 Thread Cyril Brulebois
Cyril Brulebois  (2017-06-26):
> I was surprised by the double ExecReload entry at first, but that seems
> to be allowed. Moreover, that keeps sshd alive when a typo is willingly
> introduced in sshd_config.
> 
> (Granted: Tested on a jessie system only.)
> 
> This looks good to me. I'll wait until the bug fix clears NEW, and until
> you post a final debdiff, targeting stretch, to tag this request with
> the "confirmed" tag.

Speaking of jessie, a fix there is welcome as well. Having checked with
#debian-release, it would be nice to open a separate bug report to track
the jessie-pu one though.

Thanks already!


KiBi.



Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-06-26 Thread Cyril Brulebois
Hi Colin,

Colin Watson  (2017-06-26):
> I've committed this patch to master, but it isn't in unstable yet
> because I'm waiting for openssh-ssh1 to clear NEW before I upload
> openssh to unstable again, in order to avoid confusion with versions.
> However, point release dates are close enough that I wanted to seek
> approval for this sooner rather than later.

I was surprised by the double ExecReload entry at first, but that seems
to be allowed. Moreover, that keeps sshd alive when a typo is willingly
introduced in sshd_config.

(Granted: Tested on a jessie system only.)

This looks good to me. I'll wait until the bug fix clears NEW, and until
you post a final debdiff, targeting stretch, to tag this request with
the "confirmed" tag.


KiBi.



Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2

2017-06-26 Thread Colin Watson
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I've committed this patch to master, but it isn't in unstable yet
because I'm waiting for openssh-ssh1 to clear NEW before I upload
openssh to unstable again, in order to avoid confusion with versions.
However, point release dates are close enough that I wanted to seek
approval for this sooner rather than later.

commit 1854b32d1b507510d51f547d24560d412ff3fa11
Author: Colin Watson 
Date:   Mon Jun 26 10:18:26 2017 +0100

Test configuration before starting or reloading sshd under systemd (closes: #865770).

diff --git a/debian/changelog b/debian/changelog
index c224e40..2229aa0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:7.4p1-10+deb9u2) UNRELEASED; urgency=medium
+
+  * Test configuration before starting or reloading sshd under systemd
+(closes: #865770).
+
+ -- Colin Watson   Mon, 26 Jun 2017 10:19:40 +0100
+
 openssh (1:7.4p1-10+deb9u1) stretch; urgency=medium
 
   * Fix incoming compression statistics (thanks, Russell Coker; closes:
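Review bot: `UNRELEASED` has to become `stretch` before upload, and the entry should state the user-visible effect rather than only the mechanism: `systemctl start ssh` now refuses to start on an invalid sshd_config, and `systemctl reload ssh` fails and leaves the running daemon on its old configuration instead of HUP-ing a daemon that would re-exec with a broken config. An administrator debugging a failed unit after the point release will look in the changelog first, so that is where this belongs.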
diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service
index 3df8c64..c75e590 100644
--- a/debian/systemd/ssh.service
+++ b/debian/systemd/ssh.service
@@ -5,7 +5,9 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 
 [Service]
 EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
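Review bot: the file changed here is debian/systemd/ssh.service, whereas the debdiff posted later in this thread carries the same hunk against debian/openssh-server.ssh.service; if the packaging copies one to the other at build time that is fine, but anyone reviewing the two should confirm they are the same file so that a fix made in one copy is not lost in the other. The two `ExecReload=` lines run in order and the second is skipped when the first fails, which is why a config typo leaves the old daemon untouched; a one-line comment in the unit saying so would spare the next reader the surprise reported in this thread.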

Thanks,

-- 
Colin Watson   [cjwat...@debian.org]