openssh 1:9.3p1-1ubuntu1 source package in Ubuntu
Changelog
openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium * Merge with Debian unstable (LP: #2025664). Remaining changes: - debian/rules: modify dh_installsystemd invocations for socket-activated sshd - debian/openssh-server.postinst: handle migration of sshd_config options to systemd socket options on upgrade. - debian/README.Debian: document systemd socket activation. - debian/patches/socket-activation-documentation.patch: Document in sshd_config(5) that ListenAddress and Port no longer work. - debian/openssh-server.templates: include debconf prompt explaining when migration cannot happen due to multiple ListenAddress values - debian/.gitignore: drop file - debian/openssh-server.postrm: remove systemd drop-ins for socket-activated sshd on purge - debian/openssh-server.ucf-md5sum: update for Ubuntu delta - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move /run/sshd creation out of the systemd unit to a tmpfile config so that sshd can be run manually if necessary without having to create this directory by hand. - debian/patches/systemd-socket-activation.patch: Fix sshd re-execution behavior when socket activation is used - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket activation functionality. - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests - Ensure smooth upgrade path from versions affected by LP: #2020474: + debian/openssh-server.postint: do not try to restart systemd units, and instead indicate that a reboot is required + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test + debian/rules: Do not stop ssh.socket on upgrade openssh (1:9.3p1-1) unstable; urgency=medium * Debconf translations: - Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178). * Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425). * New upstream release (https://www.openssh.com/releasenotes.html#9.3p1): - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu (closes: #1033166). - [SECURITY] ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of-service to the ssh(1) client. - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. - sshd(8): add a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated and for configuration evaluation and verification by unprivileged users. - scp(1), sftp(1): fix progressmeter corruption on wide displays. - ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of private keys as some systems are starting to disable RSA/SHA1 in libcrypto. - sftp-server(8): fix a memory leak. - ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol compatibility code and simplify what's left. - Fix a number of low-impact Coverity static analysis findings. - ssh_config(5), sshd_config(5): mention that some options are not first-match-wins. - Rework logging for the regression tests. Regression tests will now capture separate logs for each ssh and sshd invocation in a test. - ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it should. - ssh(1): ensure that there is a terminating newline when adding a new entry to known_hosts. - sshd(8): harden Linux seccomp sandbox. Move to an allowlist of mmap(2), madvise(2) and futex(2) flags, removing some concerning kernel attack surface. * debian/README.Debian: Clarify that you need to restart ssh.socket after overriding its ListenStream= option (LP: #2020560). * debian/openssh-server.postinst: Use "sshd -G" to parse the server configuration file (closes: #959726). * Fix incorrect RRSET_FORCE_EDNS0 flags validation in SSHFP DNSSEC patch (thanks, Ben Hutchings; closes: #909022). * Always use the internal mkdtemp implementation, since it substitutes more randomness into the template string than glibc's version (closes: #1001186). -- Nick Rosbrook <email address hidden> Mon, 03 Jul 2023 11:34:47 -0400
Upload details
- Uploaded by:
- Nick Rosbrook
- Sponsored by:
- Simon Chopin
- Uploaded to:
- Mantic
- Original maintainer:
- Ubuntu Developers
- Architectures:
- any all
- Section:
- net
- Urgency:
- Medium Urgency
See full publishing history Publishing
| Series | Published | Component | Section |
|---|
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| openssh_9.3p1.orig.tar.gz | 1.8 MiB | e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8 |
| openssh_9.3p1.orig.tar.gz.asc | 833 bytes | 6d96d2ff60d8d3545f0fa1709cb4c273d9a2fe086afa90f70951cffc01c8fa68 |
| openssh_9.3p1-1ubuntu1.debian.tar.xz | 184.7 KiB | d9aaeff49a0b854e1d7ebd1dffea156e73e0044f365a9ed53506a25a46e9f7c4 |
| openssh_9.3p1-1ubuntu1.dsc | 3.1 KiB | e394ba489e93520a9c05997db845feaded16a3647f00f9f4087d5d9c6a1066db |
Available diffs
- diff from 1:9.2p1-2ubuntu3 to 1:9.3p1-1ubuntu1 (330.2 KiB)
Binary packages built by this source
- openssh-client: secure shell (SSH) client, for secure access to remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the ssh, scp and sftp clients, the ssh-agent
and ssh-add programs to make public key authentication more convenient,
and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
ssh replaces the insecure rsh, rcp and rlogin programs, which are
obsolete for most purposes.
- openssh-client-dbgsym: debug symbols for openssh-client
- openssh-server: secure shell (SSH) server, for secure access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the sshd server.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
sshd replaces the insecure rshd program, which is obsolete for most
purposes.
- openssh-server-dbgsym: debug symbols for openssh-server
- openssh-sftp-server: secure shell (SSH) sftp server module, for SFTP access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the SFTP server module for the SSH server. It
is needed if you want to access your SSH server with SFTP. The SFTP
server module also works with other SSH daemons like dropbear.
.
OpenSSH's sftp and sftp-server implement revision 3 of the SSH filexfer
protocol described in:
.
http://www.openssh. com/txt/ draft-ietf- secsh-filexfer- 02.txt
.
Newer versions of the draft will not be supported, though some features
are individually implemented as extensions.
- openssh-sftp-server-dbgsym: debug symbols for openssh-sftp-server
- openssh-tests: OpenSSH regression tests
This package provides OpenSSH's regression test suite. It is mainly
intended for use with the autopkgtest system, though can also be run
directly using /usr/lib/openssh/ regress/ run-tests.
- openssh-tests-dbgsym: debug symbols for openssh-tests
- ssh: secure shell client and server (metapackage)
This metapackage is a convenient way to install both the OpenSSH client
and the OpenSSH server. It provides nothing in and of itself, so you
may remove it if nothing depends on it.
- ssh-askpass-gnome: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main openssh-client package so that
openssh-client does not need to depend on GTK+.
.
You probably want the ssh-askpass package instead, but this is
provided to add to your choice and/or confusion.
- ssh-askpass-gnome-dbgsym: debug symbols for ssh-askpass-gnome
