Back to openssh PTS page

Accepted openssh 1:8.1p1-1 (source) into unstable

Hash: SHA256

Format: 1.8
Date: Thu, 10 Oct 2019 10:23:19 +0100
Source: openssh
Architecture: source
Version: 1:8.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <>
Changed-By: Colin Watson <>
Closes: 929669
 openssh (1:8.1p1-1) unstable; urgency=medium
   * New upstream release (
     - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest
       in RAM against speculation and memory side-channel attacks like
       Spectre, Meltdown and Rambleed.  This release encrypts private keys
       when they are not in use with a symmetric key that is derived from a
       relatively large "prekey" consisting of random data (currently 16KB).
     - ssh(1): Allow %n to be expanded in ProxyCommand strings.
     - ssh(1), sshd(8): Allow prepending a list of algorithms to the default
       set by starting the list with the '^' character, e.g.
       "HostKeyAlgorithms ^ssh-ed25519".
     - ssh-keygen(1): Add an experimental lightweight signature and
       verification ability.  Signatures may be made using regular ssh keys
       held on disk or stored in a ssh-agent and verified against an
       authorized_keys-like list of allowed keys.  Signatures embed a
       namespace that prevents confusion and attacks between different usage
       domains (e.g. files vs email).
     - ssh-keygen(1): Print key comment when extracting public key from a
       private key.
     - ssh-keygen(1): Accept the verbose flag when searching for host keys in
       known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
       random-art signature too.
     - All: Support PKCS8 as an optional format for storage of private keys
       to disk.  The OpenSSH native key format remains the default, but PKCS8
       is a superior format to PEM if interoperability with non-OpenSSH
       software is required, as it may use a less insecure key derivation
       function than PEM's.
     - ssh(1): If a PKCS#11 token returns no keys then try to login and
       refetch them.
     - ssh(1): Produce a useful error message if the user's shell is set
       incorrectly during "match exec" processing.
     - sftp(1): Allow the maximum uint32 value for the argument passed to -b
       which allows better error messages from later validation.
     - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX
       proposal; allows ssh-keyscan to harvest keys from servers that disable
       old SHA1 ssh-rsa.
     - sftp(1): Print explicit "not modified" message if a file was requested
       for resumed download but was considered already complete.
     - sftp(1): Fix a typo and make <esc><right> move right to the closest
       end of a word just like <esc><left> moves left to the closest
       beginning of a word.
     - sshd(8): Cap the number of permitopen/permitlisten directives allowed
       to appear on a single authorized_keys line.
     - All: Fix a number of memory leaks (one-off or on exit paths).
     - ssh(1), sshd(8): Check for convtime() refusing to accept times that
       resolve to LONG_MAX.
     - ssh(1): Slightly more instructive error message when the user
       specifies multiple -J options on the command-line (closes: #929669).
     - ssh-agent(1): Process agent requests for RSA certificate private keys
       using correct signature algorithm when requested.
     - sftp(1): Check for user@host when parsing sftp target.  This allows
       user@[] to work without a path.
     - sshd(8): Enlarge format buffer size for certificate serial number so
       the log message can record any 64-bit integer without truncation.
     - sshd(8): For PermitOpen violations add the remote host and port to be
       able to more easily ascertain the source of the request.  Add the same
       logging for PermitListen violations which were not previously logged
       at all.
     - scp(1), sftp(1): Use the correct POSIX format style for left
       justification for the transfer progress meter.
     - sshd(8): When examining a configuration using sshd -T, assume any
       attribute not provided by -C does not match, which allows it to work
       when sshd_config contains a Match directive with or without -C.
     - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots"
       warning from log level error to debug.  This is common when attempting
       to enumerate keys on smartcard readers with no cards plugged in.
     - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11
       tokens.  Avoids spurious PIN prompts for keys not selected for
       authentication in ssh(1) and when listing public keys available in a
       token using ssh-keygen(1).
     - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
     - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with
       PROT_(READ|WRITE|NONE) only.  This syscall is used by some hardened
       heap allocators.
     - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific
       ioctl for ECC hardware support.
   * Re-enable hardening on hppa, since the corresponding GCC bug is
     apparently fixed.
 76ee07140706169f8e296c1b7d882d7437c437ea 3316 openssh_8.1p1-1.dsc
 c44b96094869f177735ae053d92bd5fcab1319de 1625894 openssh_8.1p1.orig.tar.gz
 8b241dee85731fb19e57622f160a4326da52a7a7 683 openssh_8.1p1.orig.tar.gz.asc
 9bd1e2e574e31e37dcd3e7baf205e7a6c73620da 171604 openssh_8.1p1-1.debian.tar.xz
 01e3152f72f1352078308842357f56f5206edcad7c5228ff8c13be83be69349b 3316 openssh_8.1p1-1.dsc
 02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff 1625894 openssh_8.1p1.orig.tar.gz
 da3f623f0131b55c8199fbbd86be0748d00c6e1e098dfc0ebea664901c9a7ab4 683 openssh_8.1p1.orig.tar.gz.asc
 d93a83ebd34b917a307c2876d7a3ad778277f745f38634b961cba65bf07cd10c 171604 openssh_8.1p1-1.debian.tar.xz
 3ebcb8b9e1ffbfb6c1fb82aa778ea875 3316 net standard openssh_8.1p1-1.dsc
 513694343631a99841e815306806edf0 1625894 net standard openssh_8.1p1.orig.tar.gz
 61e3864f45acc839bec3cb23d532da43 683 net standard openssh_8.1p1.orig.tar.gz.asc
 9da8fed95dc542721ff7f61a190e811d 171604 net standard openssh_8.1p1-1.debian.tar.xz