Format: 1.8
Date: Sun, 07 Jun 2020 13:44:04 +0100
Source: openssh
Binary: openssh-client openssh-client-udeb openssh-server openssh-server-udeb openssh-sftp-server openssh-tests ssh-askpass-gnome
Architecture: riscv64 riscv64_translations
Version: 1:8.3p1-1
Distribution: groovy-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 932071 962035
Launchpad-Bugs-Fixed: 1876320
Changes:
 openssh (1:8.3p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.3):
     - [SECURITY] scp(1): when receiving files, scp(1) could become
       desynchronised if a utimes(2) system call failed. This could allow
       file contents to be interpreted as file metadata and thereby permit an
       adversary to craft a file system that, when copied with scp(1) in a
       configuration that caused utimes(2) to fail (e.g. under a SELinux
       policy or syscall sandbox), transferred different file names and
       contents to the actual file system layout.
     - sftp(1): reject an argument of "-1" in the same way as ssh(1) and
       scp(1) do instead of accepting and silently ignoring it.
     - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
       rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
       allow .shosts files but not .rhosts.
     - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
       sshd_config, not just before any Match blocks.
     - ssh(1): add %TOKEN percent expansion for the LocalForward and
       RemoteForward keywords when used for Unix domain socket forwarding.
     - all: allow loading public keys from the unencrypted envelope of a
       private key file if no corresponding public key file is present.
     - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible
       instead of the (slower) portable C implementation included in OpenSSH.
     - ssh-keygen(1): add ability to dump the contents of a binary key
       revocation list via "ssh-keygen -lQf /path".
     - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
       PKCS11Provider.
     - ssh-keygen(1): avoid NULL dereference when trying to convert an
       invalid RFC4716 private key.
     - scp(1): when performing remote-to-remote copies using "scp -3", start
       the second ssh(1) channel with BatchMode=yes enabled to avoid
       confusing and non-deterministic ordering of prompts.
     - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
       perform hashing of the message to be signed in the middleware layer
       rather than in OpenSSH code. This permits the use of security key
       middlewares that perform the hashing implicitly, such as Windows
       Hello.
     - ssh(1): fix incorrect error message for "too many known hosts files."
     - ssh(1): make failures when establishing "Tunnel" forwarding terminate
       the connection when ExitOnForwardFailure is enabled.
     - ssh-keygen(1): fix printing of fingerprints on private keys and add a
       regression test for same.
     - sshd(8): document order of checking AuthorizedKeysFile (first) and
       AuthorizedKeysCommand (subsequently, if the file doesn't match).
     - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not
       considered for HostbasedAuthentication when the target user is root.
     - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key
       parsing.
     - ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted
       in various configuration options.
     - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11
       C_Login failure cases.
     - ssh(1), sshd(8): make error messages for problems during SSH banner
       exchange consistent with other SSH transport-layer error messages and
       ensure they include the relevant IP addresses.
     - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a
       token, don't prompt for a PIN until the token has told us that it
       needs one. Avoids double-prompting on devices that implement
       on-device authentication (closes: #932071).
     - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
       should be an extension, not a critical option.
     - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
       trying to use a FIDO key function and SecurityKeyProvider is empty.
     - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
       values allowed by the wire format (u32). Prevents integer wraparound
       of the timeout values.
     - ssh(1): detect and prevent trivial configuration loops when using
       ProxyJump. bz#3057.
     - On platforms that do not support setting process-wide routing domains
       (all excepting OpenBSD at present), fail to accept a configuration
       attempts to set one at process start time rather than fatally
       erroring at run time.
     - Fix theoretical infinite loop in the glob(3) replacement
       implementation.
   * Update GSSAPI key exchange patch from
     https://github.com/openssh-gsskex/openssh-gsskex:
     - Fix connection through ProxyJump in combination with "GSSAPITrustDNS
       yes".
     - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
       was published.
   * Fix or suppress various shellcheck errors under debian/.
   * Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
   * Apply upstream patch to fix the handling of Port directives after
     Include (closes: #962035, LP: #1876320).