** Tags removed: needs-merge

https://bugs.launchpad.net/bugs/2085261
Title: Merge openssh from Debian unstable for plucky
Status in openssh package in Ubuntu: Fix Released

Bug description:

Scheduled-For: Backlog
Upstream: tbd
Debian: 1:9.9p1-2
Ubuntu: 1:9.7p1-7ubuntu4

foundations team has maintained this package's merge in the past.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the Jammy Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

openssh (1:9.9p1-2) unstable; urgency=medium

  * Don't prefer host-bound public key signatures if there was no initial
    host key, as is the case when using GSS-API key exchange
    (closes: #1041521).
  * Use runuser rather than sudo in autopkgtests where possible, avoiding a
    dependency.

 -- Colin Watson <cjwat...@debian.org>  Mon, 21 Oct 2024 18:24:07 +0100

openssh (1:9.9p1-1) unstable; urgency=medium

  * Alias the old Debian-specific SetupTimeOut client option to
    ConnectTimeout rather than to ServerAliveInterval.
  * New upstream release (https://www.openssh.com/releasenotes.html#9.9p1):
    - ssh(1): remove support for pre-authentication compression.
    - ssh(1), sshd(8): processing of the arguments to the 'Match'
      configuration directive now follows more shell-like rules for quoted
      strings, including allowing nested quotes and \-escaped characters.
    - ssh(1), sshd(8): add support for a new hybrid post-quantum key
      exchange based on the FIPS 203 Module-Lattice Key Encapsulation
      mechanism (ML-KEM) combined with X25519 ECDH as described by
      https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
      This algorithm 'mlkem768x25519-sha256' is available by default.
    - ssh(1): the ssh_config 'Include' directive can now expand environment
      as well as the same set of %-tokens 'Match Exec' supports.
    - sshd(8): add a sshd_config 'RefuseConnection' option that, if set,
      will terminate the connection at the first authentication request.
    - sshd(8): add a 'refuseconnection' penalty class to sshd_config
      PerSourcePenalties that is applied when a connection is dropped by the
      new RefuseConnection keyword.
    - sshd(8): add a 'Match invalid-user' predicate to sshd_config Match
      options that matches when the target username is not valid on the
      server.
    - ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
      substantially faster implementation.
    - ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key exchange
      algorithm now has an IANA-assigned name in addition to the
      '@openssh.com' vendor extension name. This algorithm is now also
      available under this name 'sntrup761x25519-sha512'
    - ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
      included in core dump files for most of their lifespans. This is in
      addition to pre-existing controls in ssh-agent(1) and sshd(8) that
      prevented coredumps.
    - All: convert key handling to use the libcrypto EVP_PKEY API, with the
      exception of DSA.
    - sshd(8): add a random amount of jitter (up to 4 seconds) to the grace
      login time to make its expiry unpredictable.
    - sshd(8): fix regression introduced in openssh-9.8 that swapped the
      order of source and destination addresses in some sshd log messages.
    - sshd(8): do not apply authorized_keys options when signature
      verification fails. Prevents more restrictive key options being
      incorrectly applied to subsequent keys in authorized_keys.
    - ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
      prompts. Helps the user know what's going on when ssh-keygen is
      invoked via other tools.
    - ssh(1), ssh-add(1): make parsing user@host consistently look for the
      last '@' in the string rather than the first. This makes it possible
      to more consistently use usernames that contain '@' characters.
    - ssh(1), sshd(8): be more strict in parsing key type names. Only allow
      short names (e.g. 'rsa') in user-interface code and require full SSH
      protocol names (e.g. 'ssh-rsa') everywhere else.
    - regress: many performance and correctness improvements to the
      re-keying regression test.
    - ssh-keygen(1): clarify that ed25519 is the default key type generated
      and clarify that rsa-sha2-512 is the default signature scheme when RSA
      is in use.
    - sshd(8): fix minor memory leak in Subsystem option parsing.
    - All: additional hardening and consistency checks for the sshbuf code.
    - sshd(8): reduce default logingrace penalty to ensure that a single
      forgotten login that times out will be below the penalty threshold.
    - ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started with
      ControlPersist then later has a forwarding added using mux proxy
      connection and the forwarding was used, then when the mux proxy
      session terminated, the mux master process would issue a bad message
      that terminated the connection.
    - Sync contrib/ssh-copy-id to the latest upstream version.
    - sshd(8): restore audit call before exit that regressed in openssh-9.8.
      Fixes an issue where the SSH_CONNECTION_ABANDON event was not
      recorded.
    - Fix detection of setres*id on GNU/Hurd.

 -- Colin Watson <cjwat...@debian.org>  Mon, 23 Sep 2024 21:09:59 -0700

openssh (1:9.8p1-8) unstable; urgency=medium

  * Source-only reupload.

 -- Colin Watson <cjwat...@debian.org>  Fri, 30 Aug 2024 00:38:26 +0100

openssh (1:9.8p1-7) unstable; urgency=medium

  * Adjust description line-wrapping so that lintian recognizes that
    openssh-client-gssapi is an intentionally empty package.

 -- Colin Watson <cjwat...@debian.org>  Thu, 29 Aug 2024 14:17:13 +0100

openssh (1:9.8p1-6) unstable; urgency=medium

  * Upload with binaries to satisfy Debian archive NEW checks.
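Three of the 9.9p1 server changes listed above (the 'RefuseConnection' keyword, the 'refuseconnection' class in PerSourcePenalties, and the 'Match invalid-user' predicate) are designed to be used together: refuse logins for usernames that do not exist on the host at the first authentication request, and then penalise the source address for having triggered that refusal. The sshd_config fragment below is an added example written for this note; it is not taken from the changelog, from upstream OpenSSH, or from the Debian or Ubuntu packaging. It assumes an sshd built from 9.9p1 or later (where these keywords exist) and the penalty durations are illustrative values chosen here, not upstream defaults.

```text
# Added example, not part of the OpenSSH or Ubuntu packaging.
# Global section: per-source penalties. Durations are illustrative.
#   authfail:         a failed authentication attempt
#   refuseconnection: a connection dropped by RefuseConnection (new in 9.9p1)
#   max:              cap on the accumulated penalty per source address
PerSourcePenalties authfail:5s refuseconnection:30s max:10m

# Usernames that are not valid on this server are refused at the first
# authentication request, so no password or public key exchange takes place
# for them; each refusal is penalised via the refuseconnection class above.
Match invalid-user
    RefuseConnection yes
```

Validate the merged file with `sshd -t -f /path/to/sshd_config` before reloading; an sshd older than 9.9p1 rejects the unknown keywords at that step, which is the check worth running when a release upgrade is in flight. Note that invalid-user refusals are distinguishable from valid-user failures to an observer only if the penalty durations differ, so keep authfail and refuseconnection comparable if that distinction matters to you.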
### Old Ubuntu Delta ###

openssh (1:9.7p1-7ubuntu4) oracular; urgency=medium

  * Explicitly listen on IPv4 by default, with socket-activated sshd
    (LP: #2080216)
    - d/systemd/ssh.socket: explicitly listen on ipv4 by default
    - d/t/sshd-socket-generator: update for new defaults and AddressFamily
    - sshd-socket-generator: handle new ssh.socket default settings
  * d/p/systemd-socket-activation.patch: always close newsock fd before
    re-exec

 -- Nick Rosbrook <en...@ubuntu.com>  Tue, 01 Oct 2024 14:45:28 -0400

openssh (1:9.7p1-7ubuntu3) oracular; urgency=medium

  * sshd-socket-generator: do not parse server match config (LP: #2076023)

 -- Nick Rosbrook <en...@ubuntu.com>  Tue, 27 Aug 2024 15:54:41 -0400

openssh (1:9.7p1-7ubuntu2) oracular; urgency=medium

  * d/p/test-set-UsePAM-no-on-some-tests.patch: restore patch
    This was mistakenly dropped in the merge from Debian after testing
    locally only.

 -- Nick Rosbrook <en...@ubuntu.com>  Wed, 31 Jul 2024 10:20:23 -0400

openssh (1:9.7p1-7ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064435). Remaining changes:
    - Make systemd socket activation the default:
      + debian/rules: modify dh_installsystemd invocations for
        socket-activated sshd
      + debian/README.Debian: document systemd socket activation.
      + debian/patches/systemd-socket-activation.patch: Fix sshd
        re-execution behavior when socket activation is used
      + debian/tests/systemd-socket-activation: Add autopkgtest for systemd
        socket activation functionality.
      + debian/control: Build-Depends: systemd-dev
      + d/p/sshd-socket-generator.patch: add generator for socket activation
      + debian/openssh-server.install: install sshd-socket-generator
      + debian/openssh-server.postinst: handle migration to
        sshd-socket-generator
      + d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
      + ssh.socket: adjust unit for socket activation by default
      + debian/rules: explicitly enable LTO
    - debian/.gitignore: drop file
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/patches: Immediately report interactive instructions to PAM
      clients
    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
    - d/t/ssh-gssapi: disable -e in cleanup()
    - SECURITY UPDATE: timing attack against echo-off password entry
      + debian/patches/CVE-2024-39894.patch: don't rely on
        channel_did_enqueue in clientloop.c
      + CVE-2024-39894
  * Dropped changes, included in Debian:
    - debian/patches: only set PAM_RHOST if remote host is not 'UNKNOWN'
    - Remove deprecated user_readenv=1 setting (LP #2059859):
      + d/openssh-server.sshd.pam.in: drop user_readenv=1, which was
        deprecated by pam_env upstream. Openssh has the SendEnv and
        AcceptEnv configuration options that can be used to replace this
        feature, and are in the default config already
      + d/NEWS: update about this change in behavior
    - debian: Remove dependency on libsystemd
    - d/p/gssapi.patch: fix method_gsskeyex structure and userauth_gsskeyex
      function regarding changes introduced in upstream commit
      dbb339f015c33d63484261d140c84ad875a9e548 ('prepare for multiple names
      for authmethods') (LP #2053146)
    - d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic and
      gssapi-keyex authentication methods
    - SECURITY UPDATE: remote code execution via signal handler race
      condition (LP #2070497)
      + debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in
        log.c.
      + CVE-2024-6387
  * Dropped changes, no longer needed:
    - debian/openssh-server.postinst: ucf workaround for LP #1968873
      [affected upgrade path not supported]
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some
      tests.

 -- Nick Rosbrook <en...@ubuntu.com>  Mon, 29 Jul 2024 15:19:02 -0400