openssh (1:7.7p1-4ubuntu0.3) cosmic-security; urgency=medium

  * SECURITY UPDATE: Incomplete fix for CVE-2019-6111
    - debian/patches/CVE-2019-6111-2.patch: add another fix to the filename
      check in scp.c.
    - CVE-2019-6111
  * Fixed inverted CVE numbers in patch filenames and in previous
    changelog.

 -- Marc Deslauriers <email address hidden>  Mon, 04 Mar 2019 07:38:06 -0500
-
openssh (1:7.7p1-4ubuntu0.2) cosmic-security; urgency=medium

  * SECURITY UPDATE: access restrictions bypass in scp
    - debian/patches/CVE-2018-20685.patch: disallow empty filenames
      or ones that refer to the current directory in scp.c.
    - CVE-2018-20685
  * SECURITY UPDATE: scp client spoofing via object name
    - debian/patches/CVE-2019-6109.patch: make sure the filenames match
      the wildcard specified by the user, and add new flag to relax the new
      restrictions in scp.c, scp.1.
    - CVE-2019-6109
  * SECURITY UPDATE: scp client missing received object name validation
    - debian/patches/CVE-2019-6111-1.patch: sanitize scp filenames via
      snmprintf in atomicio.c, progressmeter.c, progressmeter.h,
      scp.c, sftp-client.c.
    - debian/patches/CVE-2019-6111-2.patch: force progressmeter updates in
      progressmeter.c, progressmeter.h, scp.c, sftp-client.c.
    - CVE-2019-6111

 -- Marc Deslauriers <email address hidden>  Thu, 31 Jan 2019 08:35:48 -0500
-
openssh (1:7.7p1-4ubuntu0.1) cosmic; urgency=medium

  * debian/patches/fix-broken-tunnel-forwarding.patch: Fix tunnel forwarding
    broken in 7.7p1. Thanks to Damien Miller <email address hidden>. (LP: #1801128)

 -- Karl Stenerud <email address hidden>  Wed, 07 Nov 2018 14:52:49 +0100
-
openssh (1:7.7p1-4) unstable; urgency=high

  * Apply upstream patch to delay bailout for invalid authenticating user
    until after the packet containing the request has been fully parsed
    (closes: #906236).

 -- Colin Watson <email address hidden>  Fri, 17 Aug 2018 14:09:32 +0100
-
openssh (1:7.7p1-3) unstable; urgency=medium

  [ Colin Watson ]
  * Adjust git-dpm tagging configuration.
  * Remove no-longer-used Lintian overrides from openssh-server and ssh.
  * Add Documentation keys to ssh-agent.service, ssh.service, and
    ssh@.service.

  [ Juri Grabowski ]
  * Add rescue.target with ssh support.

  [ Christian Ehrhardt ]
  * Fix unintentional restriction of authorized keys environment options
    to be alphanumeric (closes: #903474, LP: #1771011).

 -- Colin Watson <email address hidden>  Tue, 10 Jul 2018 16:07:16 +0100
-
openssh (1:7.7p1-2) unstable; urgency=medium

  * Fix parsing of DebianBanner option (closes: #894730).

 -- Colin Watson <email address hidden>  Wed, 04 Apr 2018 00:47:29 +0100
-
openssh (1:7.6p1-4) unstable; urgency=medium

  * Move VCS to salsa.debian.org.
  * Add a preseeding-only openssh-server/password-authentication debconf
    template that can be used to disable password authentication (closes:
    #878945).

 -- Colin Watson <email address hidden>  Sat, 10 Feb 2018 02:31:46 +0000