openssh 1:7.4p1-1 source package in Ubuntu

Changelog

openssh (1:7.4p1-1) unstable; urgency=medium

  * New upstream release (http://www.openssh.com/txt/release-7.4):
    - ssh(1): Remove 3des-cbc from the client's default proposal.  64-bit
      block ciphers are not safe in 2016 and we don't want to wait until
      attacks like SWEET32 are extended to SSH.  As 3des-cbc was the only
      mandatory cipher in the SSH RFCs, this may cause problems connecting
      to older devices using the default configuration, but it's highly
      likely that such devices already need explicit configuration for key
      exchange and hostkey algorithms already anyway.
    - sshd(8): When a forced-command appears in both a certificate and an
      authorized keys/principals command= restriction, sshd will now refuse
      to accept the certificate unless they are identical.  The previous
      (documented) behaviour of having the certificate forced-command
      override the other could be a bit confusing and error-prone.
    - sshd(8): Remove the UseLogin configuration directive and support for
      having /bin/login manage login sessions.
    - CVE-2016-10009: ssh-agent(1): Will now refuse to load PKCS#11 modules
      from paths outside a trusted whitelist (run-time configurable).
      Requests to load modules could be passed via agent forwarding and an
      attacker could attempt to load a hostile PKCS#11 module across the
      forwarded agent channel: PKCS#11 modules are shared libraries, so this
      would result in code execution on the system running the ssh-agent if
      the attacker has control of the forwarded agent-socket (on the host
      running the sshd server) and the ability to write to the filesystem of
      the host running ssh-agent (usually the host running the ssh client)
      (closes: #848714).
    - CVE-2016-10010: sshd(8): When privilege separation is disabled,
      forwarded Unix-domain sockets would be created by sshd(8) with the
      privileges of 'root' instead of the authenticated user.  This release
      refuses Unix-domain socket forwarding when privilege separation is
      disabled (Privilege separation has been enabled by default for 14
      years) (closes: #848715).
    - CVE-2016-10011: sshd(8): Avoid theoretical leak of host private key
      material to privilege-separated child processes via realloc() when
      reading keys.  No such leak was observed in practice for normal-sized
      keys, nor does a leak to the child processes directly expose key
      material to unprivileged users (closes: #848716).
    - CVE-2016-10012: sshd(8): The shared memory manager used by
      pre-authentication compression support had a bounds check that could
      be elided by some optimising compilers.  Additionally, this memory
      manager was incorrectly accessible when pre-authentication compression
      was disabled.  This could potentially allow attacks against the
      privileged monitor process from the sandboxed privilege-separation
      process (a compromise of the latter would be required first).  This
      release removes support for pre-authentication compression from
      sshd(8) (closes: #848717).
    - SECURITY: sshd(8): Validate address ranges for AllowUsers and DenyUsers
      directives at configuration load time and refuse to accept invalid
      ones.  It was previously possible to specify invalid CIDR address
      ranges (e.g. user@127.1.2.3/55) and these would always match, possibly
      resulting in granting access where it was not intended.
    - ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
      version in PuTTY by Simon Tatham.  This allows a multiplexing client
      to communicate with the master process using a subset of the SSH
      packet and channels protocol over a Unix-domain socket, with the main
      process acting as a proxy that translates channel IDs, etc.  This
      allows multiplexing mode to run on systems that lack file-descriptor
      passing (used by current multiplexing code) and potentially, in
      conjunction with Unix-domain socket forwarding, with the client and
      multiplexing master process on different machines.  Multiplexing proxy
      mode may be invoked using "ssh -O proxy ...".
    - sshd(8): Add a sshd_config DisableForwarding option that disables X11,
      agent, TCP, tunnel and Unix domain socket forwarding, as well as
      anything else we might implement in the future.  Like the 'restrict'
      authorized_keys flag, this is intended to be a simple and future-proof
      way of restricting an account.
    - sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method.
      This is identical to the currently-supported method named
      "<email address hidden>".
    - sshd(8): Improve handling of SIGHUP by checking to see if sshd is
      already daemonised at startup and skipping the call to daemon(3) if it
      is.  This ensures that a SIGHUP restart of sshd(8) will retain the
      same process-ID as the initial execution.  sshd(8) will also now
      unlink the PidFile prior to SIGHUP restart and re-create it after a
      successful restart, rather than leaving a stale file in the case of a
      configuration error.
    - sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives
      to appear in sshd_config Match blocks.
    - sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those
      supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.)
      and a few more to provide access to the contents of the certificate
      being offered.
    - ssh(1): Allow IdentityFile to successfully load and use certificates
      that have no corresponding bare public key.
    - ssh(1): Fix public key authentication when multiple authentication is
      in use and publickey is not just the first method attempted.
    - ssh(1): Improve reporting when attempting to load keys from PKCS#11
      tokens with fewer useless log messages and more detail in debug
      messages.
    - ssh(1): When tearing down ControlMaster connections, don't pollute
      stderr when LogLevel=quiet.
    - sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending
      sftp(1) to ensure that ssh(1) restores the terminal mode correctly if
      suspended during a password prompt.
    - ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
      prompt (LP: #1646813).
    - ssh(1), sshd(8): Correctly report errors during sending of ext-info
      messages.
    - sshd(8): Fix NULL-deref crash if sshd(8) received an out-of-sequence
      NEWKEYS message.
    - sshd(8): Correct list of supported signature algorithms sent in the
      server-sig-algs extension.
    - sshd(8): Fix sending ext_info message if privsep is disabled.
    - sshd(8): More strictly enforce the expected ordering of privilege
      separation monitor calls used for authentication and allow them only
      when their respective authentication methods are enabled in the
      configuration.
    - sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
      configuration examples.
    - On environments configured with Turkish locales, fall back to the
      C/POSIX locale to avoid errors in configuration parsing caused by that
      locale's unique handling of the letters 'i' and 'I' (LP: #1638338).
    - contrib: Add a gnome-ssh-askpass3 with GTK+3 support.
    - sshd(8): Improve PRNG reseeding across privilege separation and force
      libcrypto to obtain a high-quality seed before chroot or sandboxing.
  * Apply "wrap-and-sort -at -f debian/control -f debian/tests/control".
  * Remove entries related to protocol 1 from the default sshd_config
    generated on new installations.
  * Remove some advice related to protocol 1 from README.Debian.
  * Start handling /etc/ssh/sshd_config using ucf.  The immediate motivation
    for this is to deal with deprecations of options related to protocol 1,
    but something like this has been needed for a long time (closes:
    #419574, #848089):
    - sshd_config is now a slightly-patched version of upstream's, and only
      contains non-default settings (closes: #147201).
    - I've included as many historical md5sums of default versions of
      sshd_config as I could reconstruct from version control, but I'm sure
      I've missed some.
    - Explicitly synchronise the debconf database with the current
      configuration file state in openssh-server.config, to ensure that the
      PermitRootLogin setting is properly preserved.
    - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
      than "yes", per upstream.
  * Remove redundant "GSSAPIDelegateCredentials no" from ssh_config (already
    the upstream default), and document that setting ServerAliveInterval to
    300 by default if BatchMode is set is Debian-specific (closes: #765630).
  * Build gnome-ssh-askpass with GTK+ 3 (LP: #801187).
  * When running regression tests under autopkgtest, use a non-root user
    with passwordless sudo.

 -- Colin Watson <email address hidden>  Tue, 27 Dec 2016 18:01:46 +0000
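
The AllowUsers/DenyUsers address-range check from the SECURITY entry above, as an added example that is not part of the changelog or of OpenSSH: a Python audit of sshd_config text that flags USER@HOST patterns whose CIDR part is invalid, the kind of entry that releases before 7.4 would have treated as always matching. The function name, the sample configuration and the simplified parsing (whitespace-separated arguments, whole-line comments only, decimal mask lengths) are assumptions of this example.

```python
import ipaddress

CHECKED = {"allowusers", "denyusers"}  # sshd_config keywords are case-insensitive


def invalid_cidr_patterns(config_text):
    """Return (line_no, keyword, pattern) for every USER@HOST pattern whose
    HOST part is written as address/masklen but is not a valid network."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *patterns = line.split()
        if keyword.lower() not in CHECKED:
            continue
        for pattern in patterns:
            _user, at, host = pattern.rpartition("@")
            if not at or "/" not in host:
                continue  # no host part, or a hostname/wildcard pattern
            addr, _, masklen = host.partition("/")
            try:
                # Assumption of this example: the mask length must be decimal.
                if not masklen.isdigit():
                    raise ValueError("mask length is not a decimal number")
                # strict=False: judge only the address and the mask length,
                # not whether host bits are set below the mask.
                ipaddress.ip_network(f"{addr}/{masklen}", strict=False)
            except ValueError:
                findings.append((line_no, keyword, pattern))
    return findings


# Constructed sshd_config fragment; addresses are documentation ranges.
SAMPLE = """\
# constructed sample for the example
AllowUsers alice@192.0.2.0/24 bob@127.1.2.3/55 carol
DenyUsers mallory@2001:db8::/32 eve@2001:db8::/129
allowusers dave@*.example.com frank@10.0.0.1
PermitRootLogin no
"""

if __name__ == "__main__":
    for line_no, keyword, pattern in invalid_cidr_patterns(SAMPLE):
        print(f"line {line_no}: {keyword} {pattern}: invalid CIDR range")
```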

Upload details

Uploaded by: Debian OpenSSH Maintainers
Uploaded to: Sid
Original maintainer: Debian OpenSSH Maintainers
Architectures: any all
Section: net
Urgency: Medium Urgency


Downloads

File Size SHA-256 Checksum
openssh_7.4p1-1.dsc 2.9 KiB d352e9b3ab5db509ee02260cd5cf6be64cef6e991b8d0a33fc2e971d77a9c0d8
openssh_7.4p1.orig.tar.gz 1.4 MiB 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
openssh_7.4p1-1.debian.tar.xz 150.4 KiB a910e0eab89f886a0144819a3298e70c5ba0aa1ab3e05d1ac130a9479dd96fa9


Binary packages built by this source

No summary or description is available for these packages in ubuntu zesty:

openssh-client
openssh-client-dbgsym
openssh-client-ssh1
openssh-client-ssh1-dbgsym
openssh-client-udeb
openssh-client-udeb-dbgsym
openssh-server
openssh-server-dbgsym
openssh-server-udeb
openssh-server-udeb-dbgsym
openssh-sftp-server
openssh-sftp-server-dbgsym
ssh
ssh-askpass-gnome
ssh-askpass-gnome-dbgsym
ssh-krb5