Accepted openssh 1:9.6p1-1 (source) into unstable
- To: debian-devel-changes@lists.debian.org
- Subject: Accepted openssh 1:9.6p1-1 (source) into unstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 18 Dec 2023 23:12:02 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: openssh_9.6p1-1_source.changes
- Debian-source: openssh
- Debian-suite: unstable
- Debian-version: 1:9.6p1-1
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=nQE7qeaSUIQrcy25H6Oz1qXK6jSWid8AJibYXDVp6VI=; b=J7KlpQa9z9ojuJ04ADWhAV7621 CaBe3/0aHHw+qNXSwgpsB5GVljXsKnsapgFsQWKn7GUAwJArYg7B/Za1u4+VEl1wmvNAb1Ht20Y53 EWm8MwjBcGr51JVSmaSsRleAkrMFr1j4R4CZR7BW7TNc7vsDGgkXv29zzXcMWO6bV/O2Nuac7PGyV MYNtxwhyG1hklNSeynMF9nnwr6uRSdptXDY79Yj3CCdcETcx5MziwRfHyKvf5LTr6TYABBTrIWhtj Nf8JcU4mgdtBfnk9j1BH6sr+A4dGWNpFgoRx5I2OdwZDzGciMy7J3bnJP+C+Wc0VTUsVshYp2nors HcXeiAvg==;
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1rFMmI-00A1rd-Ii@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 18 Dec 2023 22:35:25 +0000
Source: openssh
Architecture: source
Version: 1:9.6p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1049995 1057835
Changes:
openssh (1:9.6p1-1) unstable; urgency=medium
.
* Use single quotes in suggested ssh-keygen commands (closes: #1057835).
* Debconf translations:
- Catalan (thanks, Pablo Huguet; closes: #1049995).
* New upstream release (https://www.openssh.com/releasenotes.html#9.6p1):
- [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
a limited break of the integrity of the early encrypted SSH transport
protocol by sending extra messages prior to the commencement of
encryption, and deleting an equal number of consecutive messages
immediately after encryption starts. A peer SSH client/server would
not be able to detect that messages were deleted.
- [SECURITY] ssh-agent(1): when adding PKCS#11-hosted private keys while
specifying destination constraints, if the PKCS#11 token returned
multiple keys then only the first key had the constraints applied. Use
of regular private keys, FIDO tokens and unconstrained keys are
unaffected.
- [SECURITY] ssh(1): if an invalid user or hostname that contained shell
metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand
directive or "match exec" predicate referenced the user or hostname
via %u, %h or similar expansion token, then an attacker who could
supply arbitrary user/hostnames to ssh(1) could potentially perform
command injection depending on what quoting was present in the
user-supplied ssh_config(5) directive. OpenSSH 9.6 now bans most shell
metacharacters from user and hostnames supplied via the command-line.
- ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a
TCP-like window mechanism that limits the amount of data that can be
sent without acceptance from the peer. In cases where this limit was
exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8)
previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8)
will now terminate the connection if a peer exceeds the window limit
by more than a small grace factor. This change should have no effect
of SSH implementations that follow the specification.
- ssh(1): add a %j token that expands to the configured ProxyJump
hostname (or the empty string if this option is not being used) that
can be used in a number of ssh_config(5) keywords.
- ssh(1): add ChannelTimeout support to the client, mirroring the same
option in the server and allowing ssh(1) to terminate quiescent
channels.
- ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading
ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH
private key format was supported.
- ssh(1), sshd(8): introduce a protocol extension to allow renegotiation
of acceptable signature algorithms for public key authentication after
the server has learned the username being used for authentication.
This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a
"Match user" block.
- ssh-add(1), ssh-agent(1): add an agent protocol extension to allow
specifying certificates when loading PKCS#11 keys. This allows the use
of certificates backed by PKCS#11 private keys in all OpenSSH tools
that support ssh-agent(1). Previously only ssh(1) supported this
use-case.
- ssh(1): when deciding whether to enable the keystroke timing
obfuscation, enable it only if a channel with a TTY is active.
- ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
before checking flags set in signal handler. Avoids potential race
condition between signaling ssh to exit and polling.
- ssh(1): when connecting to a destination with both the AddressFamily
and CanonicalizeHostname directives in use, the AddressFamily
directive could be ignored.
- sftp(1): correct handling of the limits@openssh.com option when the
server returned an unexpected message.
- ssh(1): release GSS OIDs only at end of authentication, avoiding
unnecessary init/cleanup cycles.
- ssh_config(5): mention "none" is a valid argument to IdentityFile in
the manual.
- scp(1): improved debugging for paths from the server rejected for not
matching the client's glob(3) pattern in old SCP/RCP protocol mode.
- ssh-agent(1): refuse signing operations on destination-constrained
keys if a previous session-bind operation has failed. This may prevent
a fail-open situation in future if a user uses a mismatched ssh(1)
client and ssh-agent(1) where the client supports a key type that the
agent does not support.
* debian/run-tests: Supply absolute paths to tools.
* debian/run-tests: Enable interop tests for Dropbear.
Checksums-Sha1:
d3eace8dce5cdf66c48c04524170261e07e1c363 3344 openssh_9.6p1-1.dsc
de300d09ec79fdbf37de4e6672cce4161439f2c3 1857862 openssh_9.6p1.orig.tar.gz
63c241035c665da9284965575cd96e0467bf09c1 833 openssh_9.6p1.orig.tar.gz.asc
4e9091137627c3499d4752959c72151302c1edfd 187648 openssh_9.6p1-1.debian.tar.xz
Checksums-Sha256:
a41c76ab7a4a9859911a9544649dbff4d2e2f488ebdda4d716e20b0fbd5f3208 3344 openssh_9.6p1-1.dsc
910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c 1857862 openssh_9.6p1.orig.tar.gz
9b1e931cbc811f02e91f7eacd55f8211cc45dade11975462f4b0dcdad29927aa 833 openssh_9.6p1.orig.tar.gz.asc
4acec5879df194b4ff45d821a32a97a3bcfc1df70cb6bfa5cc82b41487d94dc9 187648 openssh_9.6p1-1.debian.tar.xz
Files:
5437c48184621f81eb013447ea535a10 3344 net standard openssh_9.6p1-1.dsc
5e90def5af3ffb27e149ca6fff12bef3 1857862 net standard openssh_9.6p1.orig.tar.gz
a9aaf09b36b23327431072ed804d7094 833 net standard openssh_9.6p1.orig.tar.gz.asc
a5b8ac5913fb44b1bbb64146e8d1e2f6 187648 net standard openssh_9.6p1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmWAybkACgkQOTWH2X2G
UAvJoxAAm5xDxAmsWRPQP2tVdlLmk0uq9vqgsqQXmUnZb3qMNXVikkNMbilm/s6X
QicZSpZUq5ldOaKt1176NH0FbMbi+72TgM+d8xSaBbaU4U73gFHXIzb0qH+lI9vr
rv0kpM8lhyhmGa1vC39O1Hv1/BFQYENmf3rLpYwS/vkqR+kHyDiOORqMyYobBlXX
sq+bz1tWvgGzJjeEVoWzzov66WZ5MvbE/Se5jlem1+8zLcIfvtPTkcKEVHxpnsyV
Io0bnrAcoGfnpF389oxdgh6FZRYxZxV+rGme1OfbL16Dt4h4Z8p0PGEUI94Kzhxv
ou8fg2HgmHB2RbaaskdMlBRPZWQtE3Hv0/RXGFGzqh43tKiKUhg4kAIgrczuu4nE
u4J1UrmUbIOeyedss1SyxqAC87cyAOCjPXB3Nz8hASZG/9PL3ClFKLM6xYyyL7CT
p/ehPG/fxdYGJk2ySAJPqZeaueQpdeYTEtGu4pnCFXI9RvvEvpa4dTbHArSO1ajp
7QDbdadvP+KL42BGRyChBvKZem0Rpu3YDj6lmnuwEALSomZcbtnFc0PE0kYaibae
NYgXh9hJDTaU6qZlcuuHbpr4F8r7kW9+9fWF7fcWjstt87c281rD0kAwpTdTLnlS
Vyyj5OFB7AePLOUDUDj521Esmy/F4mc2mLvA4Eod3tkIad2yMwA=
=fI/z
-----END PGP SIGNATURE-----