Accepted openssh 1:9.2p1-2 (source) into unstable
- To: debian-devel-changes@lists.debian.org
- Subject: Accepted openssh 1:9.2p1-2 (source) into unstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 08 Feb 2023 11:05:43 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: openssh_9.2p1-2_source.changes
- Debian-source: openssh
- Debian-suite: unstable
- Debian-version: 1:9.2p1-2
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1pPiGl-009ikk-I7@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 08 Feb 2023 10:43:07 +0000
Source: openssh
Architecture: source
Version: 1:9.2p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Changes:
openssh (1:9.2p1-2) unstable; urgency=medium
.
* Fix mistakenly-unreleased entry for 1:9.2p1-1 in debian/NEWS.
.
openssh (1:9.2p1-1) unstable; urgency=medium
.
* Set "UsePAM yes" when running regression tests, to match our default
sshd configuration.
* Ignore Lintian error about depending on lsb-base for now, to avoid
problems with partial upgrades on non-default init systems.
* New upstream release (https://www.openssh.com/releasenotes.html#9.2p1):
- [SECURITY] sshd(8): fix a pre-authentication double-free memory fault
introduced in OpenSSH 9.1. This is not believed to be exploitable, and
it occurs in the unprivileged pre-auth process that is subject to
chroot(2) and is further sandboxed on most major platforms.
- [SECURITY] ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
option would ignore its first argument unless it was one of the
special keywords "any" or "none", causing the permission list to fail
open if only one permission was specified.
- [SECURITY] ssh(1): if the CanonicalizeHostname and
CanonicalizePermittedCNAMEs options were enabled, and the system/libc
resolver did not check that names in DNS responses were valid, then
use of these options could allow an attacker with control of DNS to
include invalid characters (possibly including wildcards) in names
added to known_hosts files when they were updated. These names would
still have to match the CanonicalizePermittedCNAMEs allow-list, so
practical exploitation appears unlikely.
- ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime. This option
defaults to "no", disabling the ~C command-line that was previously
enabled by default.
- sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be automatically
closed. Different timeouts may be applied to session, X11, agent and
TCP forwarding channels.
- sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for a length of time.
This complements the ChannelTimeout option above.
- sshd(8): add a -V (version) option to sshd like the ssh client has.
- ssh(1): add a "Host" line to the output of ssh -G showing the original
hostname argument. bz3343
- scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow
control over some SFTP protocol parameters: the copy buffer length and
the number of in-flight requests, both of which are used during
upload/download. Previously these could be controlled in sftp(1) only.
This makes them available in both SFTP protocol clients using the same
option character sequence.
- ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g.
"ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will
be expanded to all possible addresses in the range including the
all-0s and all-1s addresses.
- ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing.
- ssh(1): when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with zero,
as this could also remove the append flag from the set.
- ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none and
a hostkey in one of the system known hosts file changes.
- scp(1): switch scp from using pipes to a socket-pair for communication
with its ssh sub-processes, matching how sftp(1) operates.
- sshd(8): clear signal mask early in main(); sshd may have been started
with one or more signals masked (sigprocmask(2) is not cleared on
fork/exec) and this could interfere with various things, e.g. the
login grace timer. Execution environments that fail to clear the
signal mask before running sshd are clearly broken, but apparently
they do exist.
- ssh(1): warn if no host keys for hostbased auth can be loaded.
- sshd(8): Add server debugging for hostbased auth that is queued and
sent to the client after successful authentication, but also logged to
assist in diagnosis of HostbasedAuthentication problems.
- ssh(1): document use of the IdentityFile option as being usable to
list public keys as well as private keys.
- sshd(8): check for and disallow MaxStartups values less than or equal
to zero during config parsing, rather than failing later at runtime.
- ssh-keygen(1): fix parsing of hex cert expiry times specified on the
command-line when acting as a CA.
- scp(1): when scp(1) is using the SFTP protocol for transport (the
default), better match scp/rcp's handling of globs that don't match
the globbed characters but do match literally (e.g. trying to transfer
a file named "foo.[1]"). Previously scp(1) in SFTP mode would not
match these pathnames but legacy scp/rcp mode would.
- ssh-agent(1): document the "-O no-restrict-websafe" command-line
option.
- ssh(1): honour user's umask(2) if it is more restrictive than the ssh
default (022).
- sshd(8): allow writev(2) in the Linux seccomp sandbox. This seems to
be used by recent glibcs at least in some configurations during error
conditions.
- sshd(8): simplify handling of SSH_CONNECTION PAM env var, removing
global variable and checking the return value from pam_putenv.
- sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was mistakenly
enabled during the OpenSSH 9.1 release cycle.
- sshd(8): defer PRNG seeding until after the initial closefrom(2) call.
PRNG seeding will initialize OpenSSL, and some engine providers (e.g.
Intel's QAT) will open descriptors for their own use that closefrom(2)
could clobber.
* debian/run-tests: Add a little more flexibility for debugging.
Checksums-Sha1:
b275d52fe8ef9f043a6e15f287eb79b49c961622 3312 openssh_9.2p1-2.dsc
191b1c52aa1f4f0e78d274a2fd864a90ffc5517f 182332 openssh_9.2p1-2.debian.tar.xz
3b172b8e971773a7018bbf3231f6589ae539ca4b 1852380 openssh_9.2p1.orig.tar.gz
057ac5ac6e2fa0a26a105b085822a09f1a068683 833 openssh_9.2p1.orig.tar.gz.asc
Checksums-Sha256:
ffb80ac0ac24a3216ffcc9c7a21e1475509ca83638f640b11688b9a4d8ccaf4e 3312 openssh_9.2p1-2.dsc
c78a3d92c983d7040dcf304a08144c4e21f319384a3dfb2a451c99f0d14c01dd 182332 openssh_9.2p1-2.debian.tar.xz
3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46 1852380 openssh_9.2p1.orig.tar.gz
7acc8e9502040972aeecb785fa3b6bb00c069cc01fbd7c214f8f7867033a6dbb 833 openssh_9.2p1.orig.tar.gz.asc
Files:
3db9fdf91c254d02f0ca7a02e2f4f7f8 3312 net standard openssh_9.2p1-2.dsc
227ca2df4cb0f7c3e57388b514cb6a64 182332 net standard openssh_9.2p1-2.debian.tar.xz
f78b2acac4bb299629a8c58ddc3fac63 1852380 net standard openssh_9.2p1.orig.tar.gz
4b8baeab4dd1ff732a02e94c227cf788 833 net standard openssh_9.2p1.orig.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
=wYDG
-----END PGP SIGNATURE-----
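The two new sshd_config(5) directives in this release, ChannelTimeout and UnusedConnectionTimeout, both default to "off", so an upgraded host keeps idle channels and channel-less connections open indefinitely unless an administrator sets them. The following audit script is an added example, not code from this upload, from Debian or from OpenSSH: it parses a sshd_config body, validates the directives' values using the TIME FORMATS rules from sshd_config(5), and reports which channel types are left without a timeout. The channel type names in CHANNEL_TYPES are copied from the 9.2 manual's ChannelTimeout table (with "session:subsystem:sftp" standing in for the "session:subsystem:<name>" form), and the first-matching-pattern lookup mirrors how sshd scans its list; both are assumptions worth checking against your installed manual page. The two configs at the bottom are constructed samples, not real host configuration.

```python
import fnmatch
import re

# Units from the TIME FORMATS section of sshd_config(5); a bare number is seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)

# Channel type names from the 9.2 sshd_config(5) ChannelTimeout table
# (assumption: copied from the manual; subsystem sessions shown via sftp).
CHANNEL_TYPES = ("agent-connection", "direct-tcpip", "forwarded-tcpip",
                 "session:command", "session:shell", "session:subsystem:sftp",
                 "x11-connection")


def parse_time(spec):
    """Convert an OpenSSH time spec ("30", "5m", "1h30m") to seconds; 0 means off."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", spec, re.IGNORECASE):
        raise ValueError(f"bad time format: {spec!r}")
    return sum(int(n) * _UNITS[u.lower()] for n, u in _TIME_RE.findall(spec))


def parse_channel_timeout(value):
    """Parse "type=interval ..." into [(pattern, seconds), ...] in config order."""
    pairs = []
    for item in value.split():
        if "=" not in item:
            raise ValueError(f"ChannelTimeout entry without '=': {item!r}")
        pattern, spec = item.split("=", 1)
        pairs.append((pattern, parse_time(spec)))
    return pairs


def timeout_for(pairs, channel_type):
    """Effective timeout for one channel type: first matching pattern wins
    (assumption about sshd's lookup order); None means no timeout applies."""
    for pattern, seconds in pairs:
        if fnmatch.fnmatchcase(channel_type, pattern):
            return seconds
    return None


def parse_sshd_config(text):
    """Global keywords of a sshd_config body as {keyword_lower: value}.
    First occurrence wins (sshd's rule); parsing stops at the first Match block."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit(text, max_idle=3600):
    """Return findings (strings); an empty list means both timeouts are set,
    well-formed and enabled, and no channel type may idle longer than max_idle."""
    conf = parse_sshd_config(text)
    findings = []

    uct = conf.get("unusedconnectiontimeout")
    if uct is None:
        findings.append("UnusedConnectionTimeout not set: channel-less connections never time out")
    else:
        try:
            # "none" is the documented way to disable the directive.
            if uct.lower() == "none" or parse_time(uct) == 0:
                findings.append("UnusedConnectionTimeout is disabled")
        except ValueError as e:
            findings.append(f"UnusedConnectionTimeout: {e}")

    ct = conf.get("channeltimeout")
    if ct is None:
        findings.append("ChannelTimeout not set: idle channels stay open indefinitely")
        return findings
    try:
        pairs = parse_channel_timeout(ct)
    except ValueError as e:
        findings.append(f"ChannelTimeout: {e}")
        return findings
    for ctype in CHANNEL_TYPES:
        secs = timeout_for(pairs, ctype)
        if not secs:
            findings.append(f"ChannelTimeout: no timeout applies to {ctype}")
        elif secs > max_idle:
            findings.append(f"ChannelTimeout: {ctype} may idle {secs}s (> {max_idle}s)")
    return findings


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
# neither timeout directive: the 9.2 defaults leave idle channels open
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
ChannelTimeout session:*=30m agent-connection=5m *=10m
UnusedConnectionTimeout 2m
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run it against a copy of /etc/ssh/sshd_config to see which channel types a given ChannelTimeout line actually covers; the wildcard `*=10m` catch-all at the end of the hardened sample is what keeps forwarding and X11 channels from slipping through when only session channels were listed. The script only looks at global settings, so directives placed in Match blocks must be reviewed separately, and `sshd -T` remains the authoritative way to see the effective configuration.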