I intend to merge all the Ubuntu changes for my next Debian upload and then sync it, so there's probably no need to pay attention to this.
I'm preparing packaging of OpenSSH 8.8p1, but the current blocker is that this drops the ssh-rsa signature algorithm by default (*not* the public key type), and that needs changes to Twisted and probably lazr.sshserver in order for Launchpad's SSH endpoints to support it; I'd rather not upload a package that would break connectivity to git.launchpad.net etc. out of the box. I'm working on this but don't yet have an ETA.

https://bugs.launchpad.net/bugs/1946286

Title:
  Merge openssh from Debian unstable for 22.04

Status in openssh package in Ubuntu:
  New

Bug description:
  Scheduled-For: 22.12
  Upstream: tbd
  Debian:   1:8.4p1-6
  Ubuntu:   1:8.4p1-6ubuntu2

  Debian typically updates openssh every 1 months on average, but it was
  last updated 21.08 and looks overdue.  Check back in on this monthly.

### New Debian Changes ###

openssh

openssh (1:8.4p1-6) unstable; urgency=medium

  [ Colin Watson ]
  * Rename ssh group to _ssh (closes: #990456).  It's only used by
    ssh-agent.
  * debian/tests/regress: Don't fail cleanup if haveged isn't running.
  * Backport from upstream:
    - Add includes.h to compat tests (closes: #992134, LP: #1939751).
  * Use 'command -v' in maintainer scripts rather than 'which'.

  [ Athos Ribeiro ]
  * d/systemd/ssh@.service: preserve the systemd managed runtime directory
    to ensure parallel processes will not disrupt one another when halting
    (LP: #1905285) (closes: #934663)

 -- Colin Watson <cjwat...@debian.org>  Thu, 19 Aug 2021 11:04:01 +0100

openssh (1:8.4p1-5) unstable; urgency=high

  * CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).

 -- Colin Watson <cjwat...@debian.org>  Sat, 13 Mar 2021 09:59:40 +0000

openssh (1:8.4p1-4) unstable; urgency=medium

  * Avoid using libmd's <sha2.h> even if it's installed (closes: #982705).

 -- Colin Watson <cjwat...@debian.org>  Mon, 15 Feb 2021 10:25:17 +0000

openssh (1:8.4p1-3) unstable; urgency=medium

  * Backport from upstream:
    - Fix `EOF: command not found` error in ssh-copy-id (closes: #975540).

 -- Colin Watson <cjwat...@debian.org>  Wed, 02 Dec 2020 10:32:23 +0000

openssh (1:8.4p1-2) unstable; urgency=medium

  * Revert incorrect upstream patch that claimed to fix the seccomp sandbox
    on x32 but in fact broke it instead.

 -- Colin Watson <cjwat...@debian.org>  Mon, 26 Oct 2020 17:41:13 +0000

openssh (1:8.4p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/txt/release-8.4):
    - [SECURITY] ssh-agent(1): restrict ssh-agent from signing web
      challenges for FIDO/U2F keys.
    - [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when
      generating a FIDO resident key.
    - ssh-keygen(1): the format of the attestation information optionally
      recorded when a FIDO key is generated has changed.  It now includes
      the authenticator data needed to validate attestation signatures.
    - The API between OpenSSH and the FIDO token middleware has changed and
      the SSH_SK_VERSION_MAJOR version has been incremented as a result.
      Third-party middleware libraries must support the current API version
      (7) to work with OpenSSH 8.4.
    - ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
      each use.  These keys may be generated using ssh-keygen using a new
      'verify-required' option.  When a PIN-required key is used, the user
      will be prompted for a PIN to complete the signature operation.
    - sshd(8): authorized_keys now supports a new 'verify-required' option
      to require FIDO signatures assert that the token verified that the
      user was present before making the signature.  The FIDO protocol
      supports multiple methods for user-verification, but currently
      OpenSSH only supports PIN verification.
    - sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
      signatures.  Webauthn is a standard for using FIDO keys in web
      browsers.
      These signatures are a slightly different format to plain FIDO
      signatures and thus require explicit support.
    - ssh(1): allow some keywords to expand shell-style ${ENV} environment
      variables.  The supported keywords are CertificateFile, ControlPath,
      IdentityAgent and IdentityFile, plus LocalForward and RemoteForward
      when used for Unix domain socket paths.
    - ssh(1), ssh-agent(1): allow some additional control over the use of
      ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
      including forcibly enabling and disabling its use (closes: #368657).
    - ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
      limit for keys in addition to its current flag options.  Time-limited
      keys will automatically be removed from ssh-agent after their expiry
      time has passed.
    - scp(1), sftp(1): allow the -A flag to explicitly enable agent
      forwarding in scp and sftp.  The default remains to not forward an
      agent, even when ssh_config enables it.
    - ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the
      destination.  This allows, e.g., keeping host keys in individual
      files using 'UserKnownHostsFile ~/.ssh/known_hosts.d/%k' (closes:
      #481250).
    - ssh(1): add %-TOKEN, environment variable and tilde expansion to the
      UserKnownHostsFile directive, allowing the path to be completed by
      the configuration.
    - ssh-keygen(1): allow 'ssh-add -d -' to read keys to be deleted from
      stdin.
    - sshd(8): improve logging for MaxStartups connection throttling.  sshd
      will now log when it starts and stops throttling and periodically
      while in this state.
    - ssh(1), ssh-keygen(1): better support for multiple attached FIDO
      tokens.  In cases where OpenSSH cannot unambiguously determine which
      token to direct a request to, the user is now required to select a
      token by touching it.
      In cases of operations that require a PIN to be verified, this avoids
      sending the wrong PIN to the wrong token and

### Old Ubuntu Delta ###

openssh (1:8.4p1-6ubuntu2) impish; urgency=medium

  * Configure with ac_cv_func_closefrom=no to avoid an incompatibility
    with glibc 2.34's fallback_closefrom function (LP: #1944621)

 -- William 'jawn-smith' Wilson <william.wil...@canonical.com>  Tue, 21 Sep 2021 22:08:39 +0000

openssh (1:8.4p1-6ubuntu1) impish; urgency=low

  * Merge from Debian unstable (LP: #1941799).  Remaining changes:
    - Cherry-pick seccomp fixes for glibc 2.33 thanks to Dave Jones for
      reports on armhf.

 -- William 'jawn-smith' Wilson <william.wil...@canonical.com>  Thu, 26 Aug 2021 12:51:02 -0600
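
The distinction drawn in the comment at the top of this message, between the ssh-rsa signature algorithm and the ssh-rsa public key type, shown as an added example (not code from OpenSSH, Twisted or Launchpad). The algorithm lists are abbreviated assumptions, the peers are hypothetical, and the key and signature blobs are constructed placeholders with no real key material.

```python
import struct

# Signature algorithms each public key type can sign with. For an RSA key the
# key type is always "ssh-rsa"; as a *signature algorithm* "ssh-rsa" means
# RSA with SHA-1, while rsa-sha2-256/512 (RFC 8332) are the SHA-2 variants.
SIG_ALGS_BY_KEY_TYPE = {
    "ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "ssh-ed25519": ["ssh-ed25519"],
}

# Abbreviated, illustrative accepted-algorithm lists (assumptions).
CLIENT_PRE_8_8 = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
CLIENT_8_8 = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]  # SHA-1 RSA off
SHA1_ONLY_SERVER = ["ssh-rsa"]  # hypothetical peer without RFC 8332 support
SHA2_SERVER = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def leading_name(blob: bytes) -> str:
    """Return the algorithm name that starts a public key or signature blob."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length prefix")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("length prefix runs past end of blob")
    return blob[4:4 + length].decode("ascii")


# Constructed sample blobs: the names are real, the numbers are filler.
RSA_KEY_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                + ssh_string(b"\x00" + b"\xab" * 16))
SHA2_SIG_BLOB = ssh_string(b"rsa-sha2-512") + ssh_string(b"\xcd" * 16)


def usable_sig_algs(key_blob, client_accepted, server_supported):
    """Signature algorithms this key can use that both sides allow."""
    key_type = leading_name(key_blob)
    return [alg for alg in SIG_ALGS_BY_KEY_TYPE.get(key_type, [])
            if alg in client_accepted and alg in server_supported]


if __name__ == "__main__":
    print("key type:", leading_name(RSA_KEY_BLOB))
    print("signature algorithm:", leading_name(SHA2_SIG_BLOB))
    for label, client in (("pre-8.8", CLIENT_PRE_8_8), ("8.8", CLIENT_8_8)):
        for peer, server in (("SHA-1 only", SHA1_ONLY_SERVER),
                             ("SHA-2 capable", SHA2_SERVER)):
            print(label, "client,", peer, "server:",
                  usable_sig_algs(RSA_KEY_BLOB, client, server) or "none")
```

The same RSA key keeps working against a peer that implements rsa-sha2-256/512; only the pairing of an 8.8-default client with a SHA-1-only peer yields an empty list.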