** Changed in: openssh (Ubuntu)
Milestone: ubuntu-24.10-beta => None
** Description changed:
Scheduled-For: Backlog
Upstream: tbd
- Debian: 1:9.7p1-4
+ Debian: 1:9.7p1-4
Ubuntu: 1:9.6p1-3ubuntu13
-
- NOT SERVER TEAM has maintained this package's merge in the past.
+ Other teams have maintained this package's merge in the past.
If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.
If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38
-
### New Debian Changes ###
openssh (1:9.7p1-4) unstable; urgency=medium
- * Rework systemd readiness notification and socket activation patches to
- not link against libsystemd (the former via an upstream patch).
- * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
- unsupported, but configure fails to detect this).
-
- -- Colin Watson <[email protected]> Wed, 03 Apr 2024 12:06:08 +0100
+ * Rework systemd readiness notification and socket activation patches to
+ not link against libsystemd (the former via an upstream patch).
+ * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
+ unsupported, but configure fails to detect this).
+
+ -- Colin Watson <[email protected]> Wed, 03 Apr 2024 12:06:08 +0100
openssh (1:9.7p1-3) unstable; urgency=medium
- * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
- LP: #2053146).
- * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes:
- #1067243).
- * debian/tests/regress: Set a different IP address for UNKNOWN.
- * Re-enable ssh-askpass-gnome on all architectures.
- * regress: Redirect conch stdin from /dev/zero (re-enables conch interop
- tests).
- * Drop 'Work around RSA SHA-2 signature issues in conch' patch (no longer
- needed now that Twisted is fixed).
-
- -- Colin Watson <[email protected]> Sun, 31 Mar 2024 11:55:38 +0100
+ * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
+ LP: #2053146).
+ * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes:
+ #1067243).
+ * debian/tests/regress: Set a different IP address for UNKNOWN.
+ * Re-enable ssh-askpass-gnome on all architectures.
+ * regress: Redirect conch stdin from /dev/zero (re-enables conch interop
+ tests).
+ * Drop 'Work around RSA SHA-2 signature issues in conch' patch (no longer
+ needed now that Twisted is fixed).
+
+ -- Colin Watson <[email protected]> Sun, 31 Mar 2024 11:55:38 +0100
openssh (1:9.7p1-2) unstable; urgency=medium
- [ Simon McVittie ]
- * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
- (closes: #1066847).
-
- -- Colin Watson <[email protected]> Thu, 14 Mar 2024 11:45:12 +0000
+ [ Simon McVittie ]
+ * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
+ (closes: #1066847).
+
+ -- Colin Watson <[email protected]> Thu, 14 Mar 2024 11:45:12 +0000
openssh (1:9.7p1-1) unstable; urgency=medium
- * Add the isolation-container restriction to the 'regress' autopkgtest.
- Our setup code wants to ensure that the haveged service is running, and
- furthermore at least the agent-subprocess test assumes that there's an
- init to reap zombie processes and doesn't work in (e.g.)
- autopkgtest-virt-unshare.
- * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
- - ssh(1), sshd(8): add a 'global' ChannelTimeout type that watches all
- open channels and will close all open channels if there is no traffic
- on any of them for the specified interval. This is in addition to the
- existing per-channel timeouts added recently.
- This supports situations like having both session and x11 forwarding
- channels open where one may be idle for an extended period but the
- other is actively used. The global timeout could close both channels
- when both have been idle for too long (closes: #165185).
- - All: make DSA key support compile-time optional, defaulting to on.
- - sshd(8): don't append an unnecessary space to the end of subsystem
- arguments (bz3667)
- - ssh(1): fix the multiplexing 'channel proxy' mode, broken when
- keystroke timing obfuscation was added. (GHPR#463)
- - ssh(1), sshd(8): fix spurious configuration parsing errors when
- options that accept array arguments are overridden (bz3657).
- - ssh-agent(1): fix potential spin in signal handler (bz3670)
- - Many fixes to manual pages and other documentation.
- - Greatly improve interop testing against PuTTY.
- * Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
- * Allow passing extra options to debian/tests/regress, for debugging.
- * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
- (LP: #2053146).
-
- -- Colin Watson <[email protected]> Thu, 14 Mar 2024 10:47:58 +0000
+ * Add the isolation-container restriction to the 'regress' autopkgtest.
+ Our setup code wants to ensure that the haveged service is running, and
+ furthermore at least the agent-subprocess test assumes that there's an
+ init to reap zombie processes and doesn't work in (e.g.)
+ autopkgtest-virt-unshare.
+ * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
+ - ssh(1), sshd(8): add a 'global' ChannelTimeout type that watches all
+ open channels and will close all open channels if there is no traffic
+ on any of them for the specified interval. This is in addition to the
+ existing per-channel timeouts added recently.
+ This supports situations like having both session and x11 forwarding
+ channels open where one may be idle for an extended period but the
+ other is actively used. The global timeout could close both channels
+ when both have been idle for too long (closes: #165185).
+ - All: make DSA key support compile-time optional, defaulting to on.
+ - sshd(8): don't append an unnecessary space to the end of subsystem
+ arguments (bz3667)
+ - ssh(1): fix the multiplexing 'channel proxy' mode, broken when
+ keystroke timing obfuscation was added. (GHPR#463)
+ - ssh(1), sshd(8): fix spurious configuration parsing errors when
+ options that accept array arguments are overridden (bz3657).
+ - ssh-agent(1): fix potential spin in signal handler (bz3670)
+ - Many fixes to manual pages and other documentation.
+ - Greatly improve interop testing against PuTTY.
+ * Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
+ * Allow passing extra options to debian/tests/regress, for debugging.
+ * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
+ (LP: #2053146).
+
+ -- Colin Watson <[email protected]> Thu, 14 Mar 2024 10:47:58 +0000
openssh (1:9.6p1-5) unstable; urgency=medium
- * Restore systemd template unit for per-connection sshd instances,
- although without any corresponding .socket unit for now; this is mainly
- for use with the forthcoming systemd-ssh-generator (closes: #1061516).
- It's now called [email protected], since unlike the main service there's no
- need to be concerned about compatibility with the slightly confusing
- 'ssh' service name that Debian has traditionally used.
-
- -- Colin Watson <[email protected]> Wed, 06 Mar 2024 09:45:56 +0000
+ * Restore systemd template unit for per-connection sshd instances,
+ although without any corresponding .socket unit for now; this is mainly
+ for use with the forthcoming systemd-ssh-generator (closes: #1061516).
+ It's now called [email protected], since unlike the main service there's no
+ need to be concerned about compatibility with the slightly confusing
+ 'ssh' service name that Debian has traditionally used.
+
+ -- Colin Watson <[email protected]> Wed, 06 Mar 2024 09:45:56 +0000
openssh (1:9.6p1-4) unstable; urgency=medium
- * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
- test to ensure it doesn't get out of date again.
- * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
- checks for OpenSSL >= 3 in 9.4p1.
- * Build-depend on pkgconf rather than pkg-config.
- * Adjust debian/copyright to handle the 'placed in the public domain'
- status of rijndael.* more explicitly.
-
- -- Colin Watson <[email protected]> Mon, 26 Feb 2024 12:26:57 +0000
+ * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
+ test to ensure it doesn't get out of date again.
+ * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
+ checks for OpenSSL >= 3 in 9.4p1.
+ * Build-depend on pkgconf rather than pkg-config.
+ * Adjust debian/copyright to handle the 'placed in the public domain'
+ status of rijndael.* more explicitly.
+
+ -- Colin Watson <[email protected]> Mon, 26 Feb 2024 12:26:57 +0000
openssh (1:9.6p1-3) unstable; urgency=medium
- * Allow passing extra ssh-agent arguments via
- '/usr/lib/openssh/agent-launch start', making it possible to override
- things like identity lifetime using a systemd drop-in unit (closes:
- #1059639).
- * Don't try to start rescue-ssh.target in postinst (LP: #2047082).
-
- -- Colin Watson <[email protected]> Wed, 17 Jan 2024 22:50:07 +0000
+ * Allow passing extra ssh-agent arguments via
+ '/usr/lib/openssh/agent-launch start', making it possible to override
+ things like identity lifetime using a systemd drop-in unit (closes:
+ #1059639).
+ * Don't try to start rescue-ssh.target in postinst (LP: #2047082).
+
+ -- Colin Watson <[email protected]> Wed, 17 Jan 2024 22:50:07 +0000
openssh (1:9.6p1-2) unstable; urgency=medium
-
-
### Old Ubuntu Delta ###
openssh (1:9.6p1-3ubuntu13) noble; urgency=medium
- [ Marco Trevisan (Treviño) ]
- * debian: Remove dependency on libsystemd
- As per the xz backdoor we learned that the least dependencies sshd have,
- the best it is, so avoid to plug libsystemd (which also brings various
- other dependencies) inside sshd for no reason:
-
- - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
- dependency
- - d/p/systemd-socket-activation.patch: Import patch from debian that
- mimics the libsystemd sd_listen_fds() code, as refactored by Colin
- Watson.
- - d/control: Remove dependencies on libsystemd-dev | libelogind-dev
- - d/rules: Drop --with-systemd flag (new options are used by default)
-
- [ Nick Rosbrook ]
- * debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN'
- (LP: #2060150)
- * debian/openssh-server.postinst: don't re-enable ssh.socket if it was
disabled
- (LP: #2059874)
- * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
- (LP: #2059872)
-
- -- Nick Rosbrook <[email protected]> Fri, 05 Apr 2024 15:30:31 -0400
+ [ Marco Trevisan (Treviño) ]
+ * debian: Remove dependency on libsystemd
+ As per the xz backdoor we learned that the least dependencies sshd have,
+ the best it is, so avoid to plug libsystemd (which also brings various
+ other dependencies) inside sshd for no reason:
+
+ - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
+ dependency
+ - d/p/systemd-socket-activation.patch: Import patch from debian that
+ mimics the libsystemd sd_listen_fds() code, as refactored by Colin
+ Watson.
+ - d/control: Remove dependencies on libsystemd-dev | libelogind-dev
+ - d/rules: Drop --with-systemd flag (new options are used by default)
+
+ [ Nick Rosbrook ]
+ * debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN'
+ (LP: #2060150)
+ * debian/openssh-server.postinst: don't re-enable ssh.socket if it was
disabled
+ (LP: #2059874)
+ * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
+ (LP: #2059872)
+
+ -- Nick Rosbrook <[email protected]> Fri, 05 Apr 2024 15:30:31 -0400
openssh (1:9.6p1-3ubuntu12) noble; urgency=medium
- * No-change rebuild for CVE-2024-3094
-
- -- Steve Langasek <[email protected]> Sun, 31 Mar 2024
+ * No-change rebuild for CVE-2024-3094
+
+ -- Steve Langasek <[email protected]> Sun, 31 Mar 2024
09:23:28 +0000
openssh (1:9.6p1-3ubuntu11) noble; urgency=medium
- * d/t/ssh-gssapi: make the test a bit more rebust (LP: #2058276):
- - deal with return codes
- - match a more specific success expression from the logs
- - add klist output in the case of failure
-
- -- Andreas Hasenack <[email protected]> Mon, 18 Mar 2024 10:25:15
+ * d/t/ssh-gssapi: make the test a bit more rebust (LP: #2058276):
+ - deal with return codes
+ - match a more specific success expression from the logs
+ - add klist output in the case of failure
+
+ -- Andreas Hasenack <[email protected]> Mon, 18 Mar 2024 10:25:15
-0300
openssh (1:9.6p1-3ubuntu10) noble; urgency=medium
- * Build again with gnome.
-
- -- Matthias Klose <[email protected]> Sat, 16 Mar 2024 19:30:41 +0100
+ * Build again with gnome.
+
+ -- Matthias Klose <[email protected]> Sat, 16 Mar 2024 19:30:41 +0100
openssh (1:9.6p1-3ubuntu9) noble; urgency=medium
- * d/p/gssapi.patch: fix method_gsskeyex structure and
- userauth_gsskeyex function regarding changes introduced in upstream
- commit dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for
- multiple names for authmethods') (LP: #2053146)
- * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
- and gssapi-keyex authentication methods
-
- -- Andreas Hasenack <[email protected]> Fri, 15 Mar 2024 16:18:01
+ * d/p/gssapi.patch: fix method_gsskeyex structure and
+ userauth_gsskeyex function regarding changes introduced in upstream
+ commit dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for
+ multiple names for authmethods') (LP: #2053146)
+ * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
+ and gssapi-keyex authentication methods
+
+ -- Andreas Hasenack <[email protected]> Fri, 15 Mar 2024 16:18:01
-0300
openssh (1:9.6p1-3ubuntu8) noble; urgency=medium
- * No-change rebuild against libcom-err2
-
- -- Steve Langasek <[email protected]> Tue, 12 Mar 2024
+ * No-change rebuild against libcom-err2
+
+ -- Steve Langasek <[email protected]> Tue, 12 Mar 2024
20:34:07 +0000
openssh (1:9.6p1-3ubuntu7) noble; urgency=medium
- * No-change rebuild against libglib2.0-0t64
-
- -- Steve Langasek <[email protected]> Mon, 11 Mar 2024
+ * No-change rebuild against libglib2.0-0t64
+
+ -- Steve Langasek <[email protected]> Mon, 11 Mar 2024
23:25:42 +0000
openssh (1:9.6p1-3ubuntu6) noble; urgency=medium
- * No-change rebuild against libglib2.0-0t64
-
- -- Steve Langasek <[email protected]> Fri, 08 Mar 2024
+ * No-change rebuild against libglib2.0-0t64
+
+ -- Steve Langasek <[email protected]> Fri, 08 Mar 2024
06:32:05 +0000
openssh (1:9.6p1-3ubuntu5) noble; urgency=medium
- * debian/systemd/ssh.service: restore RuntimeDirectory=sshd (LP: #2055806)
- We started using a tmpfile in Ubuntu when we invoked sshd -G in
- openssh-server.postinst as a part of migration to systemd socket
activation.
- Since we use a generator now, instead of invoking sshd -G, we no longer
need
- this change.
-
- -- Nick Rosbrook <[email protected]> Thu, 07 Mar 2024 13:59:57 -0500
+ * debian/systemd/ssh.service: restore RuntimeDirectory=sshd (LP: #2055806)
+ We started using a tmpfile in Ubuntu when we invoked sshd -G in
+ openssh-server.postinst as a part of migration to systemd socket
activation.
+ Since we use a generator now, instead of invoking sshd -G, we no longer
need
+ this change.
+
+ -- Nick Rosbrook <[email protected]> Thu, 07 Mar 2024 13:59:57 -0500
openssh (1:9.6p1-3ubuntu5~ppa2) noble; urgency=medium
- * Build without gnome.
-
- -- Matthias Klose <[email protected]> Tue, 05 Mar 2024 15:53:05 +0100
+ * Build without gnome.
+
+ -- Matthias Klose <[email protected]> Tue, 05 Mar 2024 15:53:05 +0100
openssh (1:9.6p1-3ubuntu4) noble; urgency=medium
- * No-change rebuild against libssl3t64
-
- -- Steve Langasek <[email protected]> Mon, 04 Mar 2024
+ * No-change rebuild against libssl3t64
+
+ -- Steve Langasek <[email protected]> Mon, 04 Mar 2024
20:31:25 +0000
openssh (1:9.6p1-3ubuntu3) noble; urgency=medium
- * Add sshd-socket-generator to generate ssh.socket drop-in configuration
- instead of doing one-time generation on package upgrade:
- - debian/control: Build-Depends: systemd-dev
- - d/p/sshd-socket-generator.patch: add generator for socket activation
- - debian/openssh-server.install: install sshd-socket-generator
- - debian/openssh-server.postinst: handle migration to
sshd-socket-generator
- - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
- - ssh.socket: adjust unit for socket activation by default
- - debian/README.Debian: update ssh.socket documentation
- - debian/rules: explicitly enable LTO
- The armhf build was not using LTO, which made sshd-socket-generator
FTBFS.
- This change ensures that all arches are using LTO.
- * Drop the following changes related to previous ssh socket activation
approach:
- - debian/openssh-server.postrm: remove systemd drop-ins for
- socket-activated sshd on purge
- - debian/openssh-server.templates: include debconf prompt explaining
- when migration cannot happen due to multiple ListenAddress values
- - debian/openssh-server.postinst: handle migration of sshd_config options
- to systemd socket options on upgrade.
- - debian/patches/socket-activation-documentation.patch: Document in
- sshd_config(5) that ListenAddress and Port no longer work.
- * debian/openssh-server.ucf-md5sum: update for new Ubuntu delta
-
- -- Nick Rosbrook <[email protected]> Wed, 21 Feb 2024 12:51:30 -0500
+ * Add sshd-socket-generator to generate ssh.socket drop-in configuration
+ instead of doing one-time generation on package upgrade:
+ - debian/control: Build-Depends: systemd-dev
+ - d/p/sshd-socket-generator.patch: add generator for socket activation
+ - debian/openssh-server.install: install sshd-socket-generator
+ - debian/openssh-server.postinst: handle migration to
sshd-socket-generator
+ - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
+ - ssh.socket: adjust unit for socket activation by default
+ - debian/README.Debian: update ssh.socket documentation
+ - debian/rules: explicitly enable LTO
+ The armhf build was not using LTO, which made sshd-socket-generator
FTBFS.
+ This change ensures that all arches are using LTO.
+ * Drop the following changes related to previous ssh socket activation
approach:
+ - debian/openssh-server.postrm: remove systemd drop-ins for
+ socket-activated sshd on purge
+ - debian/openssh-server.templates: include debconf prompt explaining
+ when migration cannot happen due to multiple ListenAddress values
+ - debian/openssh-server.postinst: handle migration of sshd_config options
+ to systemd socket options on upgrade.
+ - debian/patches/socket-activation-documentation.patch: Document in
+ sshd_config(5) that ListenAddress and Port no longer work.
+ * debian/openssh-server.ucf-md5sum: update for new Ubuntu delta
+
+ -- Nick Rosbrook <[email protected]> Wed, 21 Feb 2024 12:51:30 -0500
openssh (1:9.6p1-3ubuntu2) noble; urgency=medium
- [ Marco Trevisan (Treviño) ]
- * debian/patches: Immediately report interactive instructions to PAM clients
- * debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
-
- -- Julian Andres Klode <[email protected]> Thu, 15 Feb 2024 11:13:03
+ [ Marco Trevisan (Treviño) ]
+ * debian/patches: Immediately report interactive instructions to PAM clients
+ * debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
+
+ -- Julian Andres Klode <[email protected]> Thu, 15 Feb 2024 11:13:03
+0100
openssh (1:9.6p1-3ubuntu1) noble; urgency=medium
- * Merge with Debian unstable (LP: #2040406). Remaining changes:
- - debian/rules: modify dh_installsystemd invocations for
- socket-activated sshd.
- - debian/openssh-server.postinst: handle migration of sshd_config
- options to systemd socket options on upgrade.
- - debian/README.Debian: document systemd socket activation.
- - debian/patches/socket-activation-documentation.patch: Document
- in sshd_config(5) that ListenAddress and Port no longer work.
- - debian/openssh-server.templates: include debconf prompt
- explaining when migration cannot happen due to multiple
- ListenAddress values.
- - debian/.gitignore: drop file.
- - debian/openssh-server.postrm: remove systemd drop-ins for
- socket-activated sshd on purge.
- - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
- - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
- /run/sshd creation out of the systemd unit to a tmpfile config
- so that sshd can be run manually if necessary without having to
- create this directory by hand.
- - debian/patches/systemd-socket-activation.patch: Fix sshd
- re-execution behavior when socket activation is used.
- - debian/tests/systemd-socket-activation: Add autopkgtest
- for systemd socket activation functionality.
- - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
- for some tests.
- * Dropped changes, fixed upstream:
- - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3
- (LP #2049552)
-
- -- Miriam España Acebal <[email protected]> Mon, 29 Jan 2024
+ * Merge with Debian unstable (LP: #2040406). Remaining changes:
+ - debian/rules: modify dh_installsystemd invocations for
+ socket-activated sshd.
+ - debian/openssh-server.postinst: handle migration of sshd_config
+ options to systemd socket options on upgrade.
+ - debian/README.Debian: document systemd socket activation.
+ - debian/patches/socket-activation-documentation.patch: Document
+ in sshd_config(5) that ListenAddress and Port no longer work.
+ - debian/openssh-server.templates: include debconf prompt
+ explaining when migration cannot happen due to multiple
+ ListenAddress values.
+ - debian/.gitignore: drop file.
+ - debian/openssh-server.postrm: remove systemd drop-ins for
+ socket-activated sshd on purge.
+ - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
+ - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
+ /run/sshd creation out of the systemd unit to a tmpfile config
+ so that sshd can be run manually if necessary without having to
+ create this directory by hand.
+ - debian/patches/systemd-socket-activation.patch: Fix sshd
+ re-execution behavior when socket activation is used.
+ - debian/tests/systemd-socket-activation: Add autopkgtest
+ for systemd socket activation functionality.
+ - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
+ for some tests.
+ * Dropped changes, fixed upstream:
+ - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3
+ (LP #2049552)
+
+ -- Miriam España Acebal <[email protected]> Mon, 29 Jan 2024
11:16:31 +0100
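Review bot: The "Old Ubuntu Delta" entry for 1:9.6p1-3ubuntu13 (d/p/systemd-readiness.patch and d/p/systemd-socket-activation.patch, removing the libsystemd dependency) overlaps with the "New Debian Changes" entry for 1:9.7p1-4, which reworks the same two patches so that sshd does not link against libsystemd. The description should state whether that part of the delta is dropped in the merge. The same question applies to the gssapi-keyex fix (LP: #2053146), which is listed under both Debian 1:9.7p1-1 and 1:9.7p1-3 and under 1:9.6p1-3ubuntu9.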
--
https://bugs.launchpad.net/bugs/2064435
Title:
Merge openssh from Debian unstable for oracular