Back to openssh PTS page

Accepted openssh 1:7.6p1-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 06 Oct 2017 12:36:48 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.6p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 873201 877800
Changes:
 openssh (1:7.6p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.6):
     - SECURITY: sftp-server(8): In read-only mode, sftp-server was
       incorrectly permitting creation of zero-length files. Reported by
       Michal Zalewski.
     - ssh(1): Delete SSH protocol version 1 support, associated
       configuration options and documentation (LP: #1584321).
     - ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
     - ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
       ciphers.
     - Refuse RSA keys <1024 bits in length and improve reporting for keys
       that do not meet this requirement.
     - ssh(1): Do not offer CBC ciphers by default.
     - ssh(1): Add RemoteCommand option to specify a command in the ssh
       config file instead of giving it on the client's command line.  This
       allows the configuration file to specify the command that will be
       executed on the remote host.
     - sshd(8): Add ExposeAuthInfo option that enables writing details of the
       authentication methods used (including public keys where applicable)
       to a file that is exposed via a $SSH_USER_AUTH environment variable in
       the subsequent session.
     - ssh(1): Add support for reverse dynamic forwarding.  In this mode, ssh
       will act as a SOCKS4/5 proxy and forward connections to destinations
       requested by the remote SOCKS client.  This mode is requested using
       extended syntax for the -R and RemoteForward options and, because it
       is implemented solely at the client, does not require the server be
       updated to be supported.
     - sshd(8): Allow LogLevel directive in sshd_config Match blocks.
     - ssh-keygen(1): Allow inclusion of arbitrary string or flag certificate
       extensions and critical options.
     - ssh-keygen(1): Allow ssh-keygen to use a key held in ssh-agent as a CA
       when signing certificates.
     - ssh(1)/sshd(8): Allow IPQoS=none in ssh/sshd to not set an explicit
       ToS/DSCP value and just use the operating system default.
     - ssh-add(1): Add -q option to make ssh-add quiet on success.
     - ssh(1): Expand the StrictHostKeyChecking option with two new settings.
       The first "accept-new" will automatically accept hitherto-unseen keys
       but will refuse connections for changed or invalid hostkeys.  This is
       a safer subset of the current behaviour of StrictHostKeyChecking=no.
       The second setting "off", is a synonym for the current behaviour of
       StrictHostKeyChecking=no: accept new host keys, and continue
       connection for hosts with incorrect hostkeys.  A future release will
       change the meaning of StrictHostKeyChecking=no to the behaviour of
       "accept-new".
     - ssh(1): Add SyslogFacility option to ssh(1) matching the equivalent
       option in sshd(8).
     - ssh(1): Use HostKeyAlias if specified instead of hostname for matching
       host certificate principal names.
     - sftp(1): Implement sorting for globbed ls.
     - ssh(1): Add a user@host prefix to client's "Permission denied"
       messages, useful in particular when using "stacked" connections (e.g.
       ssh -J) where it's not clear which host is denying.
     - ssh(1): Accept unknown EXT_INFO extension values that contain \0
       characters.  These are legal, but would previously cause fatal
       connection errors if received.
     - sftp(1): Print '?' instead of incorrect link count (that the protocol
       doesn't provide) for remote listings.
     - ssh(1): Return failure rather than fatal() for more cases during
       session multiplexing negotiations.  Causes the session to fall back to
       a non-mux connection if they occur.
     - ssh(1): Mention that the server may send debug messages to explain
       public key authentication problems under some circumstances.
     - Translate OpenSSL error codes to better report incorrect passphrase
       errors when loading private keys.
     - sshd(8): Adjust compatibility patterns for WinSCP to correctly
       identify versions that implement only the legacy DH group exchange
       scheme (closes: #877800).
     - ssh(1): Print the "Killed by signal 1" message only at LogLevel
       verbose so that it is not shown at the default level; prevents it from
       appearing during ssh -J and equivalent ProxyCommand configs.
     - ssh-keygen(1): When generating all hostkeys (ssh-keygen -A), clobber
       existing keys if they exist but are zero length.  Zero-length keys
       could previously be made if ssh-keygen failed or was interrupted part
       way through generating them.
     - ssh-keyscan(1): Avoid double-close() on file descriptors.
     - sshd(8): Avoid reliance on shared use of pointers shared between
       monitor and child sshd processes.
     - sshd_config(8): Document available AuthenticationMethods.
     - ssh(1): Avoid truncation in some login prompts.
     - ssh(1): Make "--" before the hostname terminate argument processing
       after the hostname too (closes: #873201).
     - ssh-keygen(1): Switch from aes256-cbc to aes256-ctr for encrypting
       new-style private keys.
     - ssh(1): Warn and do not attempt to use keys when the public and
       private halves do not match.
     - sftp(1): Don't print verbose error message when ssh disconnects from
       under sftp.
     - sshd(8): Fix keepalive scheduling problem: prevent activity on a
       forwarded port from preventing the keepalive from being sent.
     - sshd(8): When started without root privileges, don't require the
       privilege separation user or path to exist.
     - ssh(1)/sshd(8): Correctness fix for channels implementation: accept
       channel IDs greater than 0x7FFFFFFF.
     - sshd(8): Expose list of completed authentication methods to PAM via
       the SSH_AUTH_INFO_0 PAM environment variable.
     - ssh(1)/sshd(8): Fix several problems in the tun/tap forwarding code,
       mostly to do with host/network byte order confusion.
     - sshd(8): Avoid Linux seccomp violations on ppc64le over the socketcall
       syscall.
   * Build-depend on debhelper (>= 9.20160709~) rather than dh-systemd.
   * Change priorities of ssh and ssh-krb5 binary packages to optional, since
     "Priority: extra" is now deprecated.
   * Use HTTPS form of copyright-format URL.
   * Adjust "Running sshd from inittab" instructions in README.Debian to
     recommend using service(8) rather than calling the init script directly.
   * Policy version 4.1.0.
   * Adjust "Per-connection sshd instances with systemd" instructions in
     README.Debian to recommend using a drop-in file rather than copying and
     modifying the ssh.socket unit file.
Checksums-Sha1:
 140fba771bb21c3dffb4c8b62a2c3485d0988b8f 3090 openssh_7.6p1-1.dsc
 a6984bc2c72192bed015c8b879b35dd9f5350b3b 1489788 openssh_7.6p1.orig.tar.gz
 d99b00282e52434f208345067732be87669b3e8e 683 openssh_7.6p1.orig.tar.gz.asc
 0b2c021d483e642a4259d80bc47c234e436d60ed 158944 openssh_7.6p1-1.debian.tar.xz
 e19378e8012d344547c7492b33667969958bdf27 14093 openssh_7.6p1-1_source.buildinfo
Checksums-Sha256:
 27e76de22a0ca589f4756fab8440cb2fb7cf4a8f185d985558194df0eb563716 3090 openssh_7.6p1-1.dsc
 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 1489788 openssh_7.6p1.orig.tar.gz
 14e5097d68c73d42afe6314a510e7056b1748ac1d1e19518057b270d19656ad6 683 openssh_7.6p1.orig.tar.gz.asc
 4a34d5d561e495d1b3e45d49b7d5589c25f5af38476baa2f7fce6f1881f47ec6 158944 openssh_7.6p1-1.debian.tar.xz
 d299f289d18777a8aec292212be2344103ef556d8e3b75a5ccc41d388f56b2ae 14093 openssh_7.6p1-1_source.buildinfo
Files:
 71cf8d57a22054894962c434b8899f95 3090 net standard openssh_7.6p1-1.dsc
 06a88699018e5fef13d4655abfed1f63 1489788 net standard openssh_7.6p1.orig.tar.gz
 17179e30530ea7301c8e74279ecbe1fd 683 net standard openssh_7.6p1.orig.tar.gz.asc
 15b94e32ec5f9c7388781b1afc0bc020 158944 net standard openssh_7.6p1-1.debian.tar.xz
 b3009db9ea7684ccff33317e74202cbd 14093 net standard openssh_7.6p1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlnXa3sACgkQOTWH2X2G
UAv3pBAAtfK7CHQFj9mJfz0V1qmrWl8JHWi7IbQVrt8ZosWC+0Ztees/54G84zbj
fYbtxPQOYJVFggTs90U40YlCgGuM7Y828Hwc0K90SZOVwndADO8rrg+lxMSl8LFR
N+lDDu2bTWUHd0aM/KwXb8M9GqoD4+MZgQiNmSAogS/KmxQqDwCt6XD6bO57McRs
SLUqVLsLCYUO8dZNkr3axuMFqFiPFuJq8l7nDHfRqTugq1HD1UMrMSBWxMCoHJF7
oB6wCIXwAc166RQzHNdmiGm4oeu9KvPxgvfb4G5hPvAUe6rt20l7OJtzETFyAmel
uG9v1muBsoPMZm5U1aM6kUSSUBAiu5fVa4ssCnDoHa7PM77W4HRDCb1UEqvDhK/1
EgJ2vzWwe0O1ndy3+/36lCAsp4sysM17rVGdimhFFYSBUizq9db/1Ft8S889qGmS
ttolkscfprwMaQEJHBR1WMwHe7bMFGlFLNmsSKnYgPpH3DIg4Ms9kkGO7VEpec4i
64Xqy2Qs78uKD1t9LUnoKqXb0iJHxXYlNItJwmRbm6O1mo1eOOmi2ivL0SsS9A+O
UpNQZD4XD1z+WD3k7UUauEw7DynhFq5R2mt4KDAv+1xZZ65wGbZM2Jgk9exjTDrV
ccrC1eyBwrj7MMkjpNlp5DVTFocmG+XXiG4jr8H8Mj2bVVRNShU=
=yDfM
-----END PGP SIGNATURE-----