Accepted openssh 1:7.5p1-1 (source) into experimental



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Apr 2017 02:58:01 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.5p1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 407754
Changes:
 openssh (1:7.5p1-1) experimental; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.5):
     - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle
       countermeasures that allowed a variant of the attack fixed in OpenSSH
       7.3 to proceed.  Note that the OpenSSH client disables CBC ciphers by
       default, sshd offers them as lowest-preference options and will remove
       them by default entirely in the next release.
     - This release deprecates the sshd_config UsePrivilegeSeparation option,
       thereby making privilege separation mandatory (closes: #407754).
     - The format of several log messages emitted by the packet code has
       changed to include additional information about the user and their
       authentication state.  Software that monitors ssh/sshd logs may need
       to account for these changes.
     - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
       algorithm lists, e.g. Ciphers=-*cbc.
     - sshd(1): Fix NULL dereference crash when key exchange start messages
       are sent out of sequence.
     - ssh(1), sshd(8): Allow form-feed characters to appear in configuration
       files.
     - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs
       extension, where SHA2 RSA signature methods were not being correctly
       advertised.
     - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
       known_hosts processing.
     - ssh(1): Allow ssh to use certificates accompanied by a private key
       file but no corresponding plain *.pub public key.
     - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept
       RSA keys if HostkeyAlgorithms contains any RSA keytype.  Previously,
       ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were
       enabled in HostkeyAlgorithms and not the old ssh-rsa method.
     - ssh(1): Detect and report excessively long configuration file lines.
     - Merge a number of fixes found by Coverity and reported via Redhat and
       FreeBSD.  Includes fixes for some memory and file descriptor leaks in
       error paths.
     - ssh(1), sshd(8): When logging long messages to stderr, don't truncate
       "\r\n" if the length of the message exceeds the buffer.
     - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
       line; avoid confusion over IPv6 addresses and shells that treat square
       bracket characters specially.
     - Fix various fallout and sharp edges caused by removing SSH protocol 1
       support from the server, including the server banner string being
       incorrectly terminated with only \n (instead of \r\n), confusing error
       messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was
       enabled for the client and sshd_config contained references to legacy
       keys.
     - ssh(1), sshd(8): Free fd_set on connection timeout.
     - sftp(1): Fix division by zero crash in "df" output when server returns
       zero total filesystem blocks/inodes.
     - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
       encountered during key loading to more meaningful error codes.
     - ssh-keygen(1): Sanitise escape sequences in key comments sent to
       printf but preserve valid UTF-8 when the locale supports it.
     - ssh(1), sshd(8): Return reason for port forwarding failures where
       feasible rather than always "administratively prohibited".
     - sshd(8): Fix deadlock when AuthorizedKeysCommand or
       AuthorizedPrincipalsCommand produces a lot of output and a key is
       matched early.
     - ssh(1): Fix typo in ~C error message for bad port forward
       cancellation.
     - ssh(1): Show a useful error message when included config files can't
       be opened.
     - sshd_config(5): Repair accidentally-deleted mention of %k token in
       AuthorizedKeysCommand.
     - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
     - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common
       32-bit compatibility library directories.
     - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
       response handling.
     - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys.
       It was not possible to delete them except by specifying their full
       physical path.
     - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
       crypto coprocessor.
     - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
       inspection.
     - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
       contain non-printable characters where the codeset in use is ASCII.

-----BEGIN PGP SIGNATURE-----
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----
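
How the "=-" removal syntax mentioned in the changelog above (e.g. Ciphers=-*cbc) filters an algorithm list, as an added example that is not part of the upload notice or of OpenSSH's code. It is a small Python model that assumes whole-name matching with `*` and `?` wildcards; the starting list is constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed starting list for illustration; not copied from any OpenSSH build.
SAMPLE_DEFAULT = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
    "rijndael-cbc@lysator.liu.se",
]


def _pattern_to_regex(pattern):
    """Translate a wildcard pattern ('*' = any run, '?' = one character)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def apply_removal(default, spec):
    """Return `default` minus every name matched by a '-pat1,pat2' spec."""
    if not spec.startswith("-"):
        raise ValueError("this model only handles the '-' removal form")
    patterns = [_pattern_to_regex(p) for p in spec[1:].split(",") if p]
    if not patterns:
        raise ValueError("empty pattern list")
    # fullmatch: the pattern must cover the whole algorithm name (assumption).
    return [name for name in default
            if not any(rx.fullmatch(name) for rx in patterns)]


def remaining_cbc(names):
    """Names that still look like CBC-mode ciphers after filtering."""
    return [n for n in names if "cbc" in n]


if __name__ == "__main__":
    for spec in ("-*cbc", "-*cbc*"):
        kept = apply_removal(SAMPLE_DEFAULT, spec)
        print(spec, "->", ",".join(kept), "| CBC left:", remaining_cbc(kept))
```

Because the pattern has to cover the whole name, `-*cbc` leaves a name that carries a suffix after "cbc" in place, while `-*cbc*` removes it; checking the filtered result is what catches the difference.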