Accepted openssh 1:7.3p1-1 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 07 Aug 2016 22:45:26 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.3p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 337041 396295 407088 536031
Changes:
openssh (1:7.3p1-1) unstable; urgency=medium
.
* New upstream release (http://www.openssh.com/txt/release-7.3):
- SECURITY: sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An attacker could
send very long passwords that would cause excessive CPU use in
crypt(3). sshd(8) now refuses to accept password authentication
requests of length greater than 1024 characters.
- SECURITY: ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Note that CBC ciphers are disabled by
default and only included for legacy compatibility.
- SECURITY: ssh(1), sshd(8): Improve operation ordering of MAC
verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms
to verify the MAC before decrypting any ciphertext. This removes the
possibility of timing differences leaking facts about the plaintext,
though no such leakage has been observed.
- ssh(1): Add a ProxyJump option and corresponding -J command-line flag
to allow simplified indirection through a one or more SSH bastions or
"jump hosts".
- ssh(1): Add an IdentityAgent option to allow specifying specific agent
sockets instead of accepting one from the environment.
- ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
optionally overridden when using ssh -W.
- ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per
draft-sgtatham-secsh-iutf8-00 (closes: #337041, LP: #394570).
- ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K,
4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
- ssh-keygen(1), ssh(1), sshd(8): Support SHA256 and SHA512 RSA
signatures in certificates.
- ssh(1): Add an Include directive for ssh_config(5) files (closes:
#536031).
- ssh(1): Permit UTF-8 characters in pre-authentication banners sent
from the server.
- ssh(1), sshd(8): Reduce the syslog level of some relatively common
protocol events from LOG_CRIT.
- sshd(8): Refuse AuthenticationMethods="" in configurations and accept
AuthenticationMethods=any for the default behaviour of not requiring
multiple authentication.
- sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!"
message when forward and reverse DNS don't match.
- ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
failures when both ExitOnForwardFailure and hostname canonicalisation
are enabled.
- sshd(8): Remove fallback from moduli to obsolete "primes" file that
was deprecated in 2001 (LP: #1528251).
- sshd_config(5): Correct description of UseDNS: it affects ssh hostname
processing for authorized_keys, not known_hosts.
- sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit
is set; previously keepalive packets were not being sent.
- sshd(8): Whitelist more architectures to enable the seccomp-bpf
sandbox.
- scp(1): Respect the local user's LC_CTYPE locale (closes: #396295).
- Take character display widths into account for the progressmeter
(closes: #407088).
Checksums-Sha1:
1696e0c90be02c5ab37c283422be50c5c9c3de67 2884 openssh_7.3p1-1.dsc
bfade84283fcba885e2084343ab19a08c7d123a5 1522617 openssh_7.3p1.orig.tar.gz
e384b5ef8d31c23bdab9cdd216284500ffc1f942 153400 openssh_7.3p1-1.debian.tar.xz
Checksums-Sha256:
61e8414cb2ed2a72ee15053511d3a2f55ace4b8fb76fff2d901ec67d4a1cf5ba 2884 openssh_7.3p1-1.dsc
3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc 1522617 openssh_7.3p1.orig.tar.gz
a9a96b33427697afb344d6c82078abc54da411f108b19949c9f3378b947b4971 153400 openssh_7.3p1-1.debian.tar.xz
Files:
f4140e6c58f897bebd9db969be5c63fc 2884 net standard openssh_7.3p1-1.dsc
dfadd9f035d38ce5d58a3bf130b86d08 1522617 net standard openssh_7.3p1.orig.tar.gz
28764a8e122da612b35b36bcbf23b2cf 153400 net standard openssh_7.3p1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iQIVAwUBV6etsTk1h9l9hlALAQiPUQ/+IC9t/bgqKFE73f34nVZZ1zuONs4+ykn6
7asE52PNycFrZ7mt3vvxrrSgDAh5ixJhWKZQP6tfhX6d4QMi3hFM0MNNpVF+eqE3
FynWWwqpkT/wEenj88hngmHSZb9heYCtXri6D1AzpKYbsQFEIQkMPO48mllxBmbj
aQVjm5UKbfZrFjrayNE4XC0Aqkhlc2HOPKTtNexZb4xantsAkJcyE/oDztI8rbcn
56cTxiMpsHmJ8dlO6tvZTYwOqwso7S+H/A3u3923mKfswyrHpIjCYjq9eAQuDlCD
mjSUWdQIW0YlQ/Hfws2lX8mUopw8eKwCWovrF0y/XHZTXqtU+3jkWlliZCjJYh0o
6u9FntqHlP7nuVLsw8Ek/4QfB2uvuckMBaAt+2EoWtCJfvS/1SxyHkXSXpGPpLhO
WtmwYVLRlv0a5adUXLgbAPJKDh6k2XTXpyoif4gZHU+zfLCHt8PE98heZCCou7QN
GN7H/WuF6LxooWqUv7fERyjG5wAGt3DH+aUoExPY++uovLlo7jLE94XtSyEV67yL
Qa3Ek57IBXaMhMGLJmV5v/Ut5xRd58YuCvDIGsFqwTTKfjzXGO05qLqgUogJftgJ
JEGXDqSwUplEaQUzOR86CGKXeNcUMRe2RkVbBqj7bxguL6/NI5rf7DMtApqiTlgx
UT1nfn54N9M=
=DYzz
-----END PGP SIGNATURE-----