This bug was fixed in the package openssh - 1:9.7p1-7ubuntu2
---------------
openssh (1:9.7p1-7ubuntu2) oracular; urgency=medium

  * d/p/test-set-UsePAM-no-on-some-tests.patch: restore patch
    This was mistakenly dropped in the merge from Debian after
    testing locally only.

openssh (1:9.7p1-7ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064435). Remaining changes:
    - Make systemd socket activation the default:
      + debian/rules: modify dh_installsystemd invocations for
        socket-activated sshd
      + debian/README.Debian: document systemd socket activation.
      + debian/patches/systemd-socket-activation.patch: Fix sshd
        re-execution behavior when socket activation is used
      + debian/tests/systemd-socket-activation: Add autopkgtest for systemd
        socket activation functionality.
      + debian/control: Build-Depends: systemd-dev
      + d/p/sshd-socket-generator.patch: add generator for socket activation
      + debian/openssh-server.install: install sshd-socket-generator
      + debian/openssh-server.postinst: handle migration to
        sshd-socket-generator
      + d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
      + ssh.socket: adjust unit for socket activation by default
      + debian/rules: explicitly enable LTO
    - debian/.gitignore: drop file
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/patches: Immediately report interactive instructions to PAM clients
    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
    - d/t/ssh-gssapi: disable -e in cleanup()
    - SECURITY UPDATE: timing attack against echo-off password entry
      + debian/patches/CVE-2024-39894.patch: don't rely on
        channel_did_enqueue in clientloop.c
      + CVE-2024-39894
  * Dropped changes, included in Debian:
    - debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
    - Remove deprecated user_readenv=1 setting (LP #2059859):
      + d/openssh-server.sshd.pam.in: drop user_readenv=1, which was
        deprecated by pam_env upstream. OpenSSH has the SendEnv and AcceptEnv
        configuration options that can be used to replace this feature, and
        are in the default config already
      + d/NEWS: update about this change in behavior
    - debian: Remove dependency on libsystemd
    - d/p/gssapi.patch: fix method_gsskeyex structure and
      userauth_gsskeyex function regarding changes introduced in upstream
      commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
      multiple names for authmethods") (LP #2053146)
    - d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
      and gssapi-keyex authentication methods
    - SECURITY UPDATE: remote code execution via signal handler race
      condition (LP #2070497)
      + debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
      + CVE-2024-6387
  * Dropped changes, no longer needed:
    - debian/openssh-server.postinst: ucf workaround for LP #1968873
      [affected upgrade path not supported]
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
      for some tests.

openssh (1:9.7p1-7) unstable; urgency=critical

  [ Salvatore Bonaccorso ]
  * Disable async-signal-unsafe code from the sshsigdie() function. This is
    a minimal workaround for a regression from CVE-2006-5051.

openssh (1:9.7p1-6) unstable; urgency=medium

  * Stop reading ~/.pam_environment, which has a history of security
    problems and is deprecated by PAM upstream (closes: #1018260).

openssh (1:9.7p1-5) unstable; urgency=medium

  [ Colin Watson ]
  * Add "After=nss-user-lookup.target" to ssh.service and [email protected]
    (closes: #1069706).
  * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
    set.

  [ Andreas Hasenack ]
  * Add autopkgtests for GSSAPI logins, including gssapi-keyex.

  [ Luca Boccassi ]
  * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
    (closes: #1070725).
  * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
    Meyer).

openssh (1:9.7p1-4) unstable; urgency=medium

  * Rework systemd readiness notification and socket activation patches to
    not link against libsystemd (the former via an upstream patch).
  * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
    unsupported, but configure fails to detect this).

openssh (1:9.7p1-3) unstable; urgency=medium

  * Fix gssapi-keyex declaration further (thanks, Andreas Hasenack;
    LP: #2053146).
  * Extend -fzero-call-used-regs check to catch m68k gcc bug (closes:
    #1067243).
  * debian/tests/regress: Set a different IP address for UNKNOWN.
  * Re-enable ssh-askpass-gnome on all architectures.
  * regress: Redirect conch stdin from /dev/zero (re-enables conch interop
    tests).
  * Drop "Work around RSA SHA-2 signature issues in conch" patch (no longer
    needed now that Twisted is fixed).

openssh (1:9.7p1-2) unstable; urgency=medium

  [ Simon McVittie ]
  * d/control, d/rules: Disable ssh-askpass-gnome on 32-bit, except i386
    (closes: #1066847).

openssh (1:9.7p1-1) unstable; urgency=medium

  * Add the isolation-container restriction to the "regress" autopkgtest.
    Our setup code wants to ensure that the haveged service is running, and
    furthermore at least the agent-subprocess test assumes that there's an
    init to reap zombie processes and doesn't work in (e.g.)
    autopkgtest-virt-unshare.
  * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
    - ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all
      open channels and will close all open channels if there is no traffic
      on any of them for the specified interval. This is in addition to the
      existing per-channel timeouts added recently.
      This supports situations like having both session and x11 forwarding
      channels open where one may be idle for an extended period but the
      other is actively used. The global timeout could close both channels
      when both have been idle for too long (closes: #165185).
    - All: make DSA key support compile-time optional, defaulting to on.
    - sshd(8): don't append an unnecessary space to the end of subsystem
      arguments (bz3667)
    - ssh(1): fix the multiplexing "channel proxy" mode, broken when
      keystroke timing obfuscation was added. (GHPR#463)
    - ssh(1), sshd(8): fix spurious configuration parsing errors when
      options that accept array arguments are overridden (bz3657).
    - ssh-agent(1): fix potential spin in signal handler (bz3670)
    - Many fixes to manual pages and other documentation.
    - Greatly improve interop testing against PuTTY.
  * Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
  * Allow passing extra options to debian/tests/regress, for debugging.
  * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
    (LP: #2053146).

openssh (1:9.6p1-5) unstable; urgency=medium

  * Restore systemd template unit for per-connection sshd instances,
    although without any corresponding .socket unit for now; this is mainly
    for use with the forthcoming systemd-ssh-generator (closes: #1061516).
    It's now called [email protected], since unlike the main service there's no
    need to be concerned about compatibility with the slightly confusing
    "ssh" service name that Debian has traditionally used.

openssh (1:9.6p1-4) unstable; urgency=medium

  * Add sshd_config checksums for 1:9.2p1-1 to ucf reference file, and add a
    test to ensure it doesn't get out of date again.
  * Drop manual adjustment of OpenSSL dependencies; OpenSSH relaxed its
    checks for OpenSSL >= 3 in 9.4p1.
  * Build-depend on pkgconf rather than pkg-config.
  * Adjust debian/copyright to handle the "placed in the public domain"
    status of rijndael.* more explicitly.

 -- Nick Rosbrook <[email protected]>  Wed, 31 Jul 2024 10:20:23 -0400
** Changed in: openssh (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5051
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-39894
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6387
--
https://bugs.launchpad.net/bugs/2064435
Title:
Merge openssh from Debian unstable for oracular
--
ubuntu-bugs mailing list
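The version named at the top of this notification, 1:9.7p1-7ubuntu2, is what an oracular host has to be at or above to carry the CVE-2024-6387 and CVE-2024-39894 patches listed in the changelog, and Debian package versions (epoch, upstream version, Debian revision, with "~" sorting before everything else) do not compare correctly as plain strings. The script below is an added example, not code from the Launchpad notification or from the openssh packaging: it reimplements dpkg's version ordering in Python and uses it to decide whether an installed openssh-server is at or past the fixed version. The dpkg-query output it falls back to is a constructed sample. The comparison is only meaningful within the series the notification names: Debian's own 1:9.7p1-7, which the changelog shows already carries the sshsigdie() fix, sorts below the Ubuntu version, and other Ubuntu series ship the same fixes under different version strings, so do not read a "predates" result for a non-oracular version as "vulnerable".

```python
"""Compare an installed openssh-server version against the fixed version from
the Launchpad notification using dpkg's version ordering.
Added example; not code from the notification or from the openssh packaging."""
import subprocess

# Version string taken from the notification ("This bug was fixed in ...").
FIXED_VERSION = "1:9.7p1-7ubuntu2"
# CVE identifiers from the notification's "** CVE added:" lines.
FIXED_CVES = ("CVE-2024-6387", "CVE-2024-39894")


def _order(s, i):
    """dpkg's weight for character s[i]: '~' sorts before everything (even the
    end of the string), letters before non-letters; digits and end count as 0."""
    if i >= len(s):
        return 0
    c = s[i]
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision fragments the way dpkg does:
    alternating non-digit runs (weighted lexically) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():       # longer digit run wins (10 > 2)
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a sorts before, equal to or after b (dpkg rules)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def has_fix(installed_version, fixed_version=FIXED_VERSION):
    """True when installed_version is at or above fixed_version. Only meaningful
    within the same series; a Debian or other-series version can sort below
    FIXED_VERSION while carrying the same fixes."""
    return compare_versions(installed_version, fixed_version) >= 0


def version_from_dpkg_status(status_text):
    """Pull the Version: field out of 'dpkg-query -s openssh-server' output."""
    for line in status_text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def installed_version():
    """Ask dpkg for the real installed version; None if dpkg or the package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-s", "openssh-server"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return version_from_dpkg_status(out)


if __name__ == "__main__":
    # Constructed sample of dpkg-query output for the pre-fix oracular package.
    sample = "Package: openssh-server\nStatus: install ok installed\nVersion: 1:9.7p1-7ubuntu1\n"
    ver = installed_version() or version_from_dpkg_status(sample)
    state = "includes" if has_fix(ver) else "predates"
    print(f"openssh-server {ver} {state} the {FIXED_VERSION} fixes for {', '.join(FIXED_CVES)}")
```

On a host with dpkg the script reports the real package; elsewhere it falls back to the constructed sample, which sorts below the fixed version because "ubuntu1" compares numerically below "ubuntu2" in the revision. The same ordering handles a "~ppa1" pre-release (sorts below the release it precedes), a missing epoch (sorts below any epoch 1 version) and a multi-digit revision such as "ubuntu10" (numerically above "ubuntu2"), which is where naive string comparison of package versions goes wrong.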