Accepted openssh 1:8.3p1-1 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 07 Jun 2020 13:44:04 +0100
Source: openssh
Architecture: source
Version: 1:8.3p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 932071 962035
Changes:
openssh (1:8.3p1-1) unstable; urgency=medium
.
* New upstream release (https://www.openssh.com/txt/release-8.3):
- [SECURITY] scp(1): when receiving files, scp(1) could become
desynchronised if a utimes(2) system call failed. This could allow
file contents to be interpreted as file metadata and thereby permit an
adversary to craft a file system that, when copied with scp(1) in a
configuration that caused utimes(2) to fail (e.g. under a SELinux
policy or syscall sandbox), transferred different file names and
contents to the actual file system layout.
- sftp(1): reject an argument of "-1" in the same way as ssh(1) and
scp(1) do instead of accepting and silently ignoring it.
- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
allow .shosts files but not .rhosts.
- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
sshd_config, not just before any Match blocks.
- ssh(1): add %TOKEN percent expansion for the LocalForward and
RemoteForward keywords when used for Unix domain socket forwarding.
- all: allow loading public keys from the unencrypted envelope of a
private key file if no corresponding public key file is present.
- ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible
instead of the (slower) portable C implementation included in OpenSSH.
- ssh-keygen(1): add ability to dump the contents of a binary key
revocation list via "ssh-keygen -lQf /path".
- ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
PKCS11Provider.
- ssh-keygen(1): avoid NULL dereference when trying to convert an
invalid RFC4716 private key.
- scp(1): when performing remote-to-remote copies using "scp -3", start
the second ssh(1) channel with BatchMode=yes enabled to avoid
confusing and non-deterministic ordering of prompts.
- ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
perform hashing of the message to be signed in the middleware layer
rather than in OpenSSH code. This permits the use of security key
middlewares that perform the hashing implicitly, such as Windows
Hello.
- ssh(1): fix incorrect error message for "too many known hosts files."
- ssh(1): make failures when establishing "Tunnel" forwarding terminate
the connection when ExitOnForwardFailure is enabled.
- ssh-keygen(1): fix printing of fingerprints on private keys and add a
regression test for same.
- sshd(8): document order of checking AuthorizedKeysFile (first) and
AuthorizedKeysCommand (subsequently, if the file doesn't match).
- sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not
considered for HostbasedAuthentication when the target user is root.
- ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key
parsing.
- ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted
in various configuration options.
- ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11
C_Login failure cases.
- ssh(1), sshd(8): make error messages for problems during SSH banner
exchange consistent with other SSH transport-layer error messages and
ensure they include the relevant IP addresses.
- ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a
token, don't prompt for a PIN until the token has told us that it
needs one. Avoids double-prompting on devices that implement
on-device authentication (closes: #932071).
- sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
should be an extension, not a critical option.
- ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
trying to use a FIDO key function and SecurityKeyProvider is empty.
- ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
values allowed by the wire format (u32). Prevents integer wraparound
of the timeout values.
- ssh(1): detect and prevent trivial configuration loops when using
ProxyJump. bz#3057.
- On platforms that do not support setting process-wide routing domains
(all excepting OpenBSD at present), fail to accept a configuration
attempts to set one at process start time rather than fatally erroring
at run time.
- Fix theoretical infinite loop in the glob(3) replacement
implementation.
* Update GSSAPI key exchange patch from
https://github.com/openssh-gsskex/openssh-gsskex:
- Fix connection through ProxyJump in combination with "GSSAPITrustDNS
yes".
- Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
was published.
* Fix or suppress various shellcheck errors under debian/.
* Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
* Apply upstream patch to fix the handling of Port directives after
Include (closes: #962035, LP: #1876320).
Checksums-Sha1:
ddd6e765c0ffaf1b534c3abb9ebaa2c33034b5e3 3342 openssh_8.3p1-1.dsc
04c7adb9986f16746588db8988b910530c589819 1706358 openssh_8.3p1.orig.tar.gz
e3fdeb7b96543bcc2854614c6163cfe860ba5ec8 683 openssh_8.3p1.orig.tar.gz.asc
973c807463825c92a7a5e4d9ea04791895c36340 176252 openssh_8.3p1-1.debian.tar.xz
Checksums-Sha256:
7a0f9f0001d10bf6270b47e1c0c75d82e118234609bb75233ffd08877d0d3186 3342 openssh_8.3p1-1.dsc
f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2 1706358 openssh_8.3p1.orig.tar.gz
c5a5f84a482c93ee59eccb8f9f76b6c70eed56fd9b059fc72b3184effa8135f5 683 openssh_8.3p1.orig.tar.gz.asc
edeb381f43f9b4399fa34f3fab40d60617f3391774304493f2ee7a8dba214ba9 176252 openssh_8.3p1-1.debian.tar.xz
Files:
74ae9d37eabd417685625f1d94e894db 3342 net standard openssh_8.3p1-1.dsc
68d7527bf2672153ca47402f6489a1af 1706358 net standard openssh_8.3p1.orig.tar.gz
59a1a50acf815720d7b60fa8b52df480 683 net standard openssh_8.3p1.orig.tar.gz.asc
9603a58b57661f4e534eab977fb76dd0 176252 net standard openssh_8.3p1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAl7c4aAACgkQOTWH2X2G
UAux7w/+LLt4ComptUEzWxfAywmT+4uTMSrvdMDZVDztVpSwqMuK5w4czs670Ubj
Pe6GyFmpVbOBCWEASs6yKV3fqUZpjPx/Go2rJDd3f/IPeH1P9xe+f8lM0S2zrkDl
YgjC1Aw7s8JCVACxQrsb2Q8v/EGeNOxFZs2JzWY/TymBOF8gh+I1A2z/JZYq+BLL
0O91lf4EEKMSDxn3ocFxi7ayLJIJbCVoaYouZMLqLuAI+HdSqscw1HmJVmhFM1aL
AkEMy9guFijJRibKHTMrMTXGWgfe+c/zDQy9S39gj4ne/XN+XXCou3+cLkYtAD2X
OS10NpJPG+J7/fM5rmgot1xcecgXeec/Izu0u5PBXYPAOVGIwQcBKzHBTnBXrZyF
0Icu0ELSKkoIvhmLB29muFdXdYdprvNgxkfClXunR3JNIjtPX3XHTusHntdtmXD1
BvmP2i9oz55vKhCQ8ruCnxeGyB86eEtGCeeG22Cc/CGroBrXMm/NXLsXFYXDaiZH
wlb7SzPqGdJZvWxDc7zu7xHtW4EET2+wn+R8NV52410/Ay8YjqAICcyn9pP5Bq+I
pWuytUSxWapzvyBauBfYhJVjUZZhFhCn8PC05j0lPaoCTX6fcazdloGCTMTM+Ca8
iidbSkKa4etNl4T9Vo7G7ZZhFF7pVWgvHIQ5qSwhTfNsVM1hz2M=
=wGau
-----END PGP SIGNATURE-----