Format: 1.8
Date: Sun, 07 Jun 2020 13:44:04 +0100
Source: openssh
Binary: openssh-client openssh-client-udeb openssh-server openssh-server-udeb openssh-sftp-server openssh-tests ssh-askpass-gnome
Architecture: armhf armhf_translations
Version: 1:8.3p1-1
Distribution: groovy-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 932071 962035
Launchpad-Bugs-Fixed: 1876320
Changes:
 openssh (1:8.3p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.3):
     - [SECURITY] scp(1): when receiving files, scp(1) could become
       desynchronised if a utimes(2) system call failed. This could allow
       file contents to be interpreted as file metadata and thereby permit an
       adversary to craft a file system that, when copied with scp(1) in a
       configuration that caused utimes(2) to fail (e.g. under a SELinux
       policy or syscall sandbox), transferred different file names and
       contents to the actual file system layout.
     - sftp(1): reject an argument of "-1" in the same way as ssh(1) and
       scp(1) do instead of accepting and silently ignoring it.
     - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
       rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
       allow .shosts files but not .rhosts.
     - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
       sshd_config, not just before any Match blocks.
     - ssh(1): add %TOKEN percent expansion for the LocalForward and
       RemoteForward keywords when used for Unix domain socket forwarding.
     - all: allow loading public keys from the unencrypted envelope of a
       private key file if no corresponding public key file is present.
     - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible
       instead of the (slower) portable C implementation included in OpenSSH.
     - ssh-keygen(1): add ability to dump the contents of a binary key
       revocation list via "ssh-keygen -lQf /path".
     - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
       PKCS11Provider.
     - ssh-keygen(1): avoid NULL dereference when trying to convert an
       invalid RFC4716 private key.
     - scp(1): when performing remote-to-remote copies using "scp -3", start
       the second ssh(1) channel with BatchMode=yes enabled to avoid
       confusing and non-deterministic ordering of prompts.
     - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
       perform hashing of the message to be signed in the middleware layer
       rather than in OpenSSH code. This permits the use of security key
       middlewares that perform the hashing implicitly, such as Windows
       Hello.
     - ssh(1): fix incorrect error message for "too many known hosts files."
     - ssh(1): make failures when establishing "Tunnel" forwarding terminate
       the connection when ExitOnForwardFailure is enabled.
     - ssh-keygen(1): fix printing of fingerprints on private keys and add a
       regression test for same.
     - sshd(8): document order of checking AuthorizedKeysFile (first) and
       AuthorizedKeysCommand (subsequently, if the file doesn't match).
     - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not
       considered for HostbasedAuthentication when the target user is root.
     - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key
       parsing.
     - ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted
       in various configuration options.
     - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11
       C_Login failure cases.
     - ssh(1), sshd(8): make error messages for problems during SSH banner
       exchange consistent with other SSH transport-layer error messages and
       ensure they include the relevant IP addresses.
     - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a
       token, don't prompt for a PIN until the token has told us that it
       needs one. Avoids double-prompting on devices that implement
       on-device authentication (closes: #932071).
     - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
       should be an extension, not a critical option.
     - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
       trying to use a FIDO key function and SecurityKeyProvider is empty.
     - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
       values allowed by the wire format (u32). Prevents integer wraparound
       of the timeout values.
     - ssh(1): detect and prevent trivial configuration loops when using
       ProxyJump. bz#3057.
     - On platforms that do not support setting process-wide routing domains
       (all excepting OpenBSD at present), fail to accept a configuration
       attempts to set one at process start time rather than fatally erroring
       at run time.
     - Fix theoretical infinite loop in the glob(3) replacement
       implementation.
   * Update GSSAPI key exchange patch from
     https://github.com/openssh-gsskex/openssh-gsskex:
     - Fix connection through ProxyJump in combination with "GSSAPITrustDNS
       yes".
     - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
       was published.
   * Fix or suppress various shellcheck errors under debian/.
   * Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
   * Apply upstream patch to fix the handling of Port directives after
     Include (closes: #962035, LP: #1876320).