Format: 1.8
Date: Sun, 07 Jun 2020 13:44:04 +0100
Source: openssh
Binary: openssh-client openssh-client-udeb openssh-server openssh-server-udeb openssh-sftp-server ssh-askpass-gnome
Architecture: i386 i386_translations
Version: 1:8.3p1-1
Distribution: groovy-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 932071 962035
Launchpad-Bugs-Fixed: 1876320
Changes:
 openssh (1:8.3p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.3):
     - [SECURITY] scp(1): when receiving files, scp(1) could become
       desynchronised if a utimes(2) system call failed. This could allow
       file contents to be interpreted as file metadata and thereby permit
       an adversary to craft a file system that, when copied with scp(1) in
       a configuration that caused utimes(2) to fail (e.g. under a SELinux
       policy or syscall sandbox), transferred different file names and
       contents to the actual file system layout.
     - sftp(1): reject an argument of "-1" in the same way as ssh(1) and
       scp(1) do instead of accepting and silently ignoring it.
     - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
       rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
       allow .shosts files but not .rhosts.
     - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
       sshd_config, not just before any Match blocks.
     - ssh(1): add %TOKEN percent expansion for the LocalForward and
       RemoteForward keywords when used for Unix domain socket forwarding.
     - all: allow loading public keys from the unencrypted envelope of a
       private key file if no corresponding public key file is present.
     - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible
       instead of the (slower) portable C implementation included in
       OpenSSH.
     - ssh-keygen(1): add ability to dump the contents of a binary key
       revocation list via "ssh-keygen -lQf /path".
     - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
       PKCS11Provider.
     - ssh-keygen(1): avoid NULL dereference when trying to convert an
       invalid RFC4716 private key.
     - scp(1): when performing remote-to-remote copies using "scp -3", start
       the second ssh(1) channel with BatchMode=yes enabled to avoid
       confusing and non-deterministic ordering of prompts.
     - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
       perform hashing of the message to be signed in the middleware layer
       rather than in OpenSSH code. This permits the use of security key
       middlewares that perform the hashing implicitly, such as Windows
       Hello.
     - ssh(1): fix incorrect error message for "too many known hosts files."
     - ssh(1): make failures when establishing "Tunnel" forwarding terminate
       the connection when ExitOnForwardFailure is enabled.
     - ssh-keygen(1): fix printing of fingerprints on private keys and add a
       regression test for same.
     - sshd(8): document order of checking AuthorizedKeysFile (first) and
       AuthorizedKeysCommand (subsequently, if the file doesn't match).
     - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not
       considered for HostbasedAuthentication when the target user is root.
     - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
       key parsing.
     - ssh(1), sshd(8): more consistency between sets of %TOKENS are
       accepted in various configuration options.
     - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11
       C_Login failure cases.
     - ssh(1), sshd(8): make error messages for problems during SSH banner
       exchange consistent with other SSH transport-layer error messages and
       ensure they include the relevant IP addresses.
     - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from
       a token, don't prompt for a PIN until the token has told us that it
       needs one. Avoids double-prompting on devices that implement
       on-device authentication (closes: #932071).
     - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
       should be an extension, not a critical option.
     - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
       trying to use a FIDO key function and SecurityKeyProvider is empty.
     - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
       values allowed by the wire format (u32). Prevents integer wraparound
       of the timeout values.
     - ssh(1): detect and prevent trivial configuration loops when using
       ProxyJump. bz#3057.
     - On platforms that do not support setting process-wide routing domains
       (all excepting OpenBSD at present), fail to accept a configuration
       attempts to set one at process start time rather than fatally
       erroring at run time.
     - Fix theoretical infinite loop in the glob(3) replacement
       implementation.
   * Update GSSAPI key exchange patch from
     https://github.com/openssh-gsskex/openssh-gsskex:
     - Fix connection through ProxyJump in combination with
       "GSSAPITrustDNS yes".
     - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
       was published.
   * Fix or suppress various shellcheck errors under debian/.
   * Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
   * Apply upstream patch to fix the handling of Port directives after
     Include (closes: #962035, LP: #1876320).