Back to openssh PTS page

Accepted openssh 1:8.3p1-1 (source) into unstable

Hash: SHA256

Format: 1.8
Date: Sun, 07 Jun 2020 13:44:04 +0100
Source: openssh
Architecture: source
Version: 1:8.3p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <>
Changed-By: Colin Watson <>
Closes: 932071 962035
 openssh (1:8.3p1-1) unstable; urgency=medium
   * New upstream release (
     - [SECURITY] scp(1): when receiving files, scp(1) could become
       desynchronised if a utimes(2) system call failed.  This could allow
       file contents to be interpreted as file metadata and thereby permit an
       adversary to craft a file system that, when copied with scp(1) in a
       configuration that caused utimes(2) to fail (e.g. under a SELinux
       policy or syscall sandbox), transferred different file names and
       contents to the actual file system layout.
     - sftp(1): reject an argument of "-1" in the same way as ssh(1) and
       scp(1) do instead of accepting and silently ignoring it.
     - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
       rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
       allow .shosts files but not .rhosts.
     - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
       sshd_config, not just before any Match blocks.
     - ssh(1): add %TOKEN percent expansion for the LocalForward and
       RemoteForward keywords when used for Unix domain socket forwarding.
     - all: allow loading public keys from the unencrypted envelope of a
       private key file if no corresponding public key file is present.
     - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible
       instead of the (slower) portable C implementation included in OpenSSH.
     - ssh-keygen(1): add ability to dump the contents of a binary key
       revocation list via "ssh-keygen -lQf /path".
     - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
     - ssh-keygen(1): avoid NULL dereference when trying to convert an
       invalid RFC4716 private key.
     - scp(1): when performing remote-to-remote copies using "scp -3", start
       the second ssh(1) channel with BatchMode=yes enabled to avoid
       confusing and non-deterministic ordering of prompts.
     - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
       perform hashing of the message to be signed in the middleware layer
       rather than in OpenSSH code.  This permits the use of security key
       middlewares that perform the hashing implicitly, such as Windows
     - ssh(1): fix incorrect error message for "too many known hosts files."
     - ssh(1): make failures when establishing "Tunnel" forwarding terminate
       the connection when ExitOnForwardFailure is enabled.
     - ssh-keygen(1): fix printing of fingerprints on private keys and add a
       regression test for same.
     - sshd(8): document order of checking AuthorizedKeysFile (first) and
       AuthorizedKeysCommand (subsequently, if the file doesn't match).
     - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not
       considered for HostbasedAuthentication when the target user is root.
     - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key
     - ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted
       in various configuration options.
     - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11
       C_Login failure cases.
     - ssh(1), sshd(8): make error messages for problems during SSH banner
       exchange consistent with other SSH transport-layer error messages and
       ensure they include the relevant IP addresses.
     - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a
       token, don't prompt for a PIN until the token has told us that it
       needs one.  Avoids double-prompting on devices that implement
       on-device authentication (closes: #932071).
     - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
       should be an extension, not a critical option.
     - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
       trying to use a FIDO key function and SecurityKeyProvider is empty.
     - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
       values allowed by the wire format (u32).  Prevents integer wraparound
       of the timeout values.
     - ssh(1): detect and prevent trivial configuration loops when using
       ProxyJump. bz#3057.
     - On platforms that do not support setting process-wide routing domains
       (all excepting OpenBSD at present), fail to accept a configuration
       attempts to set one at process start time rather than fatally erroring
       at run time.
     - Fix theoretical infinite loop in the glob(3) replacement
   * Update GSSAPI key exchange patch from
     - Fix connection through ProxyJump in combination with "GSSAPITrustDNS
     - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
       was published.
   * Fix or suppress various shellcheck errors under debian/.
   * Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
   * Apply upstream patch to fix the handling of Port directives after
     Include (closes: #962035, LP: #1876320).
 ddd6e765c0ffaf1b534c3abb9ebaa2c33034b5e3 3342 openssh_8.3p1-1.dsc
 04c7adb9986f16746588db8988b910530c589819 1706358 openssh_8.3p1.orig.tar.gz
 e3fdeb7b96543bcc2854614c6163cfe860ba5ec8 683 openssh_8.3p1.orig.tar.gz.asc
 973c807463825c92a7a5e4d9ea04791895c36340 176252 openssh_8.3p1-1.debian.tar.xz
 7a0f9f0001d10bf6270b47e1c0c75d82e118234609bb75233ffd08877d0d3186 3342 openssh_8.3p1-1.dsc
 f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2 1706358 openssh_8.3p1.orig.tar.gz
 c5a5f84a482c93ee59eccb8f9f76b6c70eed56fd9b059fc72b3184effa8135f5 683 openssh_8.3p1.orig.tar.gz.asc
 edeb381f43f9b4399fa34f3fab40d60617f3391774304493f2ee7a8dba214ba9 176252 openssh_8.3p1-1.debian.tar.xz
 74ae9d37eabd417685625f1d94e894db 3342 net standard openssh_8.3p1-1.dsc
 68d7527bf2672153ca47402f6489a1af 1706358 net standard openssh_8.3p1.orig.tar.gz
 59a1a50acf815720d7b60fa8b52df480 683 net standard openssh_8.3p1.orig.tar.gz.asc
 9603a58b57661f4e534eab977fb76dd0 176252 net standard openssh_8.3p1-1.debian.tar.xz