Public bug reported:

Scheduled-For: Backlog
Upstream: tbd
Debian:   1:9.4p1-1
Ubuntu:   1:9.3p1-1ubuntu3


The NOT SERVER TEAM team has maintained this package in the past and may be handling this merge.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.


### New Debian Changes ###

openssh (1:9.4p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/releasenotes.html#9.4p1):
    - ssh-agent(1): PKCS#11 modules must now be specified by their full
      paths. Previously dlopen(3) could search for them in system library
      directories.
    - ssh(1): allow forwarding Unix Domain sockets via ssh -W.
    - ssh(1): add support for configuration tags to ssh(1). This adds a
      ssh_config(5) 'Tag' directive and corresponding 'Match tag' predicate
      that may be used to select blocks of configuration similar to the
      pf.conf(5) keywords of the same name.
    - ssh(1): add a 'match localnetwork' predicate. This allows matching on
      the addresses of available network interfaces and may be used to vary
      the effective client configuration based on network location.
    - ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
      extensions. This defines wire formats for optional KRL extensions and
      implements parsing of the new submessages. No actual extensions are
      supported at this point.
    - sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
      accept two additional %-expansion sequences: %D which expands to the
      routing domain of the connected session and %C which expands to the
      addresses and port numbers for the source and destination of the
      connection.
    - ssh-keygen(1): increase the default work factor (rounds) for the
      bcrypt KDF used to derive symmetric encryption keys for passphrase
      protected key files by 50%.
    - ssh-agent(1): improve isolation between loaded PKCS#11 modules by
      running separate ssh-pkcs11-helpers for each loaded provider.
    - ssh(1): make -f (fork after authentication) work correctly with
      multiplexed connections, including ControlPersist (closes: #348741).
    - ssh(1): make ConnectTimeout apply to multiplexing sockets and not just
      to network connections.
    - ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules
      being loaded by checking that the requested module contains the
      required symbol before loading it.
    - sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
      appears before it in sshd_config. Since OpenSSH 8.7 the
      AuthorizedPrincipalsCommand directive was incorrectly ignored in this
      situation.
    - sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
      signatures. When the KRL format was originally defined, it included
      support for signing of KRL objects. However, the code to sign KRLs and
      verify KRL signatures was never completed in OpenSSH. This release
      removes the partially-implemented code to verify KRLs. All OpenSSH
      tools now ignore KRL_SECTION_SIGNATURE sections in KRL files.
    - All: fix a number of memory leaks and unreachable/harmless integer
      overflows.
    - ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
      modules.
    - sshd(8), ssh(1): better validate CASignatureAlgorithms in ssh_config
      and sshd_config. Previously this directive would accept certificate
      algorithm names, but these were unusable in practice as OpenSSH does
      not support CA chains.
    - ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
      algorithms that are valid for CA signing. Previous behaviour was to
      list all signing algorithms, including certificate algorithms.
    - ssh-keyscan(1): gracefully handle systems where rlimits or the maximum
      number of open files is larger than INT_MAX.
    - ssh-keygen(1): fix 'no comment' not showing when running
      `ssh-keygen -l` on multiple keys where one has a comment and other
      following keys do not. bz3580
    - scp(1), sftp(1): adjust ftruncate() logic to handle servers that
      reorder requests. Previously, if the server reordered requests then
      the resultant file would be erroneously truncated.
    - ssh(1): don't incorrectly disable hostname canonicalization when
      CanonicalizeHostname=yes and ProxyJump was explicitly set to 'none'.
    - scp(1): when copying local->remote, check that the source file exists
      before opening an SFTP connection to the server (closes: #59255).
    - sshd(8): provide a replacement for the SELinux matchpathcon()
      function, which is deprecated.
    - All: relax libcrypto version checks for OpenSSL >=3 (closes:
      #1035623). Beyond OpenSSL 3.0, the ABI compatibility guarantees are
      wider (only the library major must match instead of major and minor in
      earlier versions).
    - ssh-copy-id(1): Special case OpenWrt instead of Dropbear
      (LP: #1966886).

 -- Colin Watson <cjwat...@debian.org>  Sat, 02 Sep 2023 21:02:53 +0100
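As an added check (not part of this bug report or of OpenSSH itself), the script below flags sshd_config blocks where AuthorizedKeysCommand precedes AuthorizedPrincipalsCommand, the ordering that OpenSSH 8.7 through 9.3 silently ignored per the 9.4p1 notes above, and classifies an upstream version string against that range; the sample config and version strings are constructed.

```python
"""Detect the AuthorizedPrincipalsCommand ordering bug fixed in OpenSSH 9.4p1:
from 8.7 to 9.3, sshd ignored AuthorizedPrincipalsCommand when
AuthorizedKeysCommand appeared before it in sshd_config."""
import re

AFFECTED_FIRST = (8, 7)   # bug present since 8.7 (per the release notes)
FIXED_IN = (9, 4)         # fixed upstream in 9.4p1


def parse_version(ver):
    """'9.3p1' -> (9, 3); the portable 'pN' suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {ver!r}")
    return int(m.group(1)), int(m.group(2))


def upstream_affected(ver):
    """True if an unpatched upstream release of this version has the bug.
    Distribution backports (e.g. Ubuntu 1:9.3p1-1ubuntu3 above) are not
    visible in the version alone, so treat True as 'verify', not 'vulnerable'."""
    return AFFECTED_FIRST <= parse_version(ver) < FIXED_IN


def find_misordered_blocks(config_text):
    """Return the config blocks ('global' or the 'Match ...' line) in which
    AuthorizedKeysCommand precedes AuthorizedPrincipalsCommand."""
    bad, block, keys_seen = [], "global", False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts 'Key value' and 'Key=value'; keywords are case-insensitive
        key = re.split(r"[\s=]+", line, maxsplit=1)[0].lower()
        if key == "match":
            block, keys_seen = line, False   # each Match block is ordered independently
        elif key == "authorizedkeyscommand":
            keys_seen = True
        elif key == "authorizedprincipalscommand" and keys_seen:
            bad.append(block)
    return bad


# Constructed sample config (hypothetical paths), not taken from any real host.
SAMPLE_CONFIG = """\
# global section: AuthorizedKeysCommand first, so Principals was ignored
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
AuthorizedKeysCommandUser nobody
AuthorizedPrincipalsCommand /usr/local/bin/principals %u
AuthorizedPrincipalsCommandUser nobody

Match User deploy
    # safe ordering: Principals directive first
    AuthorizedPrincipalsCommand /usr/local/bin/principals %u
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
"""

if __name__ == "__main__":
    for ver in ("8.6p1", "9.3p1", "9.4p1"):
        print(ver, "upstream affected:", upstream_affected(ver))
    print("misordered blocks:", find_misordered_blocks(SAMPLE_CONFIG))
```

Run it against `/etc/ssh/sshd_config` (and any files it includes) on hosts that rely on principal-based certificate authorization; a reported block means principal checks may not have been enforced on an unpatched version.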

openssh (1:9.3p2-1) unstable; urgency=high

  * New upstream release (https://www.openssh.com/releasenotes.html#9.3p2):
    - [CVE-2023-38408] Fix a condition where specific libraries loaded via
      ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
      execution via a forwarded agent socket.

 -- Colin Watson <cjwat...@debian.org>  Wed, 19 Jul 2023 22:49:14 +0100

openssh (1:9.3p1-1) unstable; urgency=medium

  * Debconf translations:
    - Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178).
  * Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425).
  * New upstream release (https://www.openssh.com/releasenotes.html#9.3p1):
    - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
      ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
      added in OpenSSH 8.9, a logic error prevented the constraints from
      being communicated to the agent. This resulted in the keys being added
      without constraints. The common cases of non-smartcard keys and keys
      without destination constraints are unaffected. This problem was


### Old Ubuntu Delta ###

openssh (1:9.3p1-1ubuntu3) mantic; urgency=medium

  * d/p/fix-authorized-principals-command.patch: Fix the situation where
    sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
    is also set by checking if the value pointed to by the pointer
    'charptr' is NULL. (LP: #2031942)

 -- Michal Maloszewski <michal.maloszew...@canonical.com>  Thu, 24 Aug 2023 15:20:27 +0200

openssh (1:9.3p1-1ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: remote code execution relating to PKCS#11 providers
    - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
      to load a PKCS#11 provider that isn't a PKCS#11 provider in
      ssh-pkcs11.c.
    - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
      FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
    - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
      contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
    - CVE-2023-38408

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Mon, 24 Jul 2023 15:01:06 -0400

openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2025664). Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd
    - debian/openssh-server.postinst: handle migration of sshd_config options
      to systemd socket options on upgrade.
    - debian/README.Debian: document systemd socket activation.
    - debian/patches/socket-activation-documentation.patch: Document in
      sshd_config(5) that ListenAddress and Port no longer work.
    - debian/openssh-server.templates: include debconf prompt explaining
      when migration cannot happen due to multiple ListenAddress values
    - debian/.gitignore: drop file
    - debian/openssh-server.postrm: remove systemd drop-ins for
      socket-activated sshd on purge
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
      /run/sshd creation out of the systemd unit to a tmpfile config so
      that sshd can be run manually if necessary without having to create
      this directory by hand.
    - debian/patches/systemd-socket-activation.patch: Fix sshd
      re-execution behavior when socket activation is used
    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
      activation functionality.
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
    - Ensure smooth upgrade path from versions affected by LP: #2020474:
      + debian/openssh-server.postinst: do not try to restart systemd units,
        and instead indicate that a reboot is required
      + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
      + debian/rules: Do not stop ssh.socket on upgrade

 -- Nick Rosbrook <nick.rosbr...@canonical.com>  Mon, 03 Jul 2023 11:34:47 -0400

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: needs-merge upgrade-software-version

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2040406

Title:
  Merge openssh from Debian unstable for noble

Status in openssh package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2040406/+subscriptions
