[Bug 1298280] Re: Update OpenSSH to 6.6
This bug was fixed in the package openssh - 1:6.6p1-1

---------------
openssh (1:6.6p1-1) unstable; urgency=medium

  [ Colin Watson ]
  * Apply various warning-suppression and regression-test fixes to
    gssapi.patch from Damien Miller.
  * New upstream release (http://www.openssh.com/txt/release-6.6,
    LP: #1298280):
    - CVE-2014-2532: sshd(8): when using environment passing with an
      sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6
      could be tricked into accepting any environment variable that contains
      the characters before the wildcard character.
  * Re-enable btmp logging, as its permissions were fixed a long time ago in
    response to #370050 (closes: #341883).
  * Change to "PermitRootLogin without-password" for new installations, and
    ask a debconf question when upgrading systems with "PermitRootLogin yes"
    from previous versions (closes: #298138).
  * Debconf translations:
    - Danish (thanks, Joe Hansen).
    - Portuguese (thanks, Américo Monteiro).
    - Russian (thanks, Yuri Kozlov; closes: #742308).
    - Swedish (thanks, Andreas Rönnquist).
    - Japanese (thanks, victory).
    - German (thanks, Stephan Beck; closes: #742541).
    - Italian (thanks, Beatrice Torracca).
  * Don't start ssh-agent from the Upstart user session job if something
    like Xsession has already done so (based on work by Bruno Vasselle;
    LP: #1244736).

  [ Matthew Vernon ]
  * CVE-2014-2653: Fix failure to check SSHFP records if server presents a
    certificate (bug reported by me, patch by upstream's Damien Miller;
    thanks also to Mark Wooding for his help in fixing this) (Closes:
    #742513)

 -- Colin Watson cjwat...@debian.org  Fri, 28 Mar 2014 18:04:41 +

** Changed in: openssh (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2532

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2653

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1298280

Title:
  Update OpenSSH to 6.6

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1298280/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
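The changelog above names two sshd_config settings worth checking on hosts that have not yet taken this update: AcceptEnv patterns containing a wildcard (CVE-2014-2532) and "PermitRootLogin yes". The following is an added example, not part of the original message or of the openssh packaging; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample config for illustration; not taken from any real host.
SAMPLE = """\
# constructed sshd_config
Port 22
AcceptEnv LANG LC_*
acceptenv XMODIFIERS
PermitRootLogin yes
PermitRootLogin without-password
Match User deploy
    AcceptEnv DEPLOY_?
"""

def audit_sshd_config(text):
    """Return (wildcards, root_login).

    wildcards:  [(line_no, pattern, in_match_block), ...] for every
                AcceptEnv pattern containing '*' or '?'.
    root_login: first global PermitRootLogin value (lower-cased), or None
                when the keyword is not set outside a Match block.
    """
    wildcards, root_login, in_match = [], None, False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" and "Keyword=value";
        # keywords are case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        args = parts[1].split() if len(parts) == 2 else []
        if not args:
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            in_match = True  # everything below is conditional
        elif keyword == "acceptenv":
            wildcards += [(line_no, p, in_match) for p in args
                          if "*" in p or "?" in p]
        elif keyword == "permitrootlogin" and not in_match and root_login is None:
            # For each keyword the first obtained value is used.
            root_login = args[0].lower()
    return wildcards, root_login

if __name__ == "__main__":
    found, root = audit_sshd_config(SAMPLE)
    for line_no, pattern, in_match in found:
        scope = "Match block" if in_match else "global"
        print(f"line {line_no}: AcceptEnv wildcard {pattern!r} ({scope})")
    if root == "yes":
        print("PermitRootLogin yes: root password logins are allowed")
```

On a host still running a version before 6.6, any wildcard pattern this reports can be replaced with an explicit list of variable names until the fixed package is installed.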
[Bug 1298280] Re: Update OpenSSH to 6.6
Yes, I already have this staged in the Debian git repository and plan to land it.

** Changed in: openssh (Ubuntu)
     Assignee: (unassigned) => Colin Watson (cjwatson)
[Bug 1298280] Re: Update OpenSSH to 6.6
12:45 rbasak cjwatson: any opinion on openssh 6.6? It's primarily a bugfix release but it seems quite late now. I just triaged bug 1298280.
12:45 ubottu bug 1298280 in openssh (Ubuntu) Update OpenSSH to 6.6 [Wishlist,Triaged] https://launchpad.net/bugs/1298280
12:45 cjwatson rbasak: I already have it staged and plan to land it
[Bug 1298280] Re: Update OpenSSH to 6.6
** Changed in: openssh (Ubuntu)
       Status: Triaged => Fix Committed
[Bug 1298280] Re: Update OpenSSH to 6.6
Just as an aside, as I'm not sure what the right forum for this should be, but maybe Ubuntu can consider updating security packages as a separate update policy for LTS releases. What I mean by this is, given our current security climate, I feel that it's important to make sure people are using the latest packages of openssl, openssh, gnutls etc. It need not be a large list of software packages, just a set of core packages so that we get improved security all around. Just a thought.
Re: [Bug 1298280] Re: Update OpenSSH to 6.6
I wouldn't be inclined to take feature releases of openssh. We already make sure to backport security-relevant changes; openssh upstream are pretty good about flagging those.