Change logs for openssh source package in Feisty

  • openssh (1:4.3p2-8ubuntu1.5) feisty-security; urgency=low
    
      * SECURITY UPDATE: block signal handler crash DoS.
      * log.c: backport upstream corrections, thanks to Florian Weimer.
      * References
        CVE-2008-4109
    
     -- Kees Cook <email address hidden>   Mon, 29 Sep 2008 11:20:12 -0700
  • openssh (1:4.3p2-8ubuntu1.4) feisty-security; urgency=low
    
      * Add a FILES section to ssh-vulnkey(1) (thanks, Hugh Daniel).
      * ssh-vulnkey handles options in authorized_keys (LP: #230029), and treats
        # as introducing a comment even if it is preceded by whitespace (thanks
        Colin Watson).
    
     -- Jamie Strandboge <email address hidden>   Wed, 14 May 2008 08:29:25 -0400
  • openssh (1:4.3p2-8ubuntu1.3) feisty-security; urgency=low
    
      * Mitigate OpenSSL security vulnerability thanks to Colin Watson:
        - Add key blacklisting support. Keys listed in
          /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
          sshd, unless "PermitBlacklistedKeys yes" is set in
          /etc/ssh/sshd_config.
        - Add a new program, ssh-vulnkey, which can be used to check keys
          against these blacklists.
        - Depend on openssh-blacklist.
        - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
          0.9.8c-4ubuntu0.3.
        - Automatically regenerate known-compromised host keys, with a
          critical-priority debconf note. (I regret that there was no time to
          gather translations.)
      * added README.compromised-keys thanks to Colin Watson
      * References
        CVE-2008-0166
        http://www.ubuntu.com/usn/usn-612-1
    
     -- Jamie Strandboge <email address hidden>   Tue, 13 May 2008 00:16:35 -0400
  • openssh (1:4.3p2-8ubuntu1.2) feisty-security; urgency=low
    
      * SECURITY UPDATE: X11 forward hijacking via alternate address families.
      * channels.c: upstream fixes, patched inline.  Thanks to Nicolas Valcarcel
        (LP: #210175).
      * References
        CVE-2008-1483
    
     -- Kees Cook <email address hidden>   Tue, 01 Apr 2008 10:31:42 -0700
  • openssh (1:4.3p2-8ubuntu1.1) feisty-security; urgency=low
    
      * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
        generated.
      * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
        thanks to Stephan Hermann.
      * References:
        CVE-2007-4752
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738
        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181
    
     -- Kees Cook <email address hidden>   Wed, 09 Jan 2008 12:39:28 -0800
  • openssh (1:4.3p2-8ubuntu1) feisty; urgency=low
    
      * Resynchronise with Debian. Remaining changes:
        - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
        - Use LSB init script functions.
        - Increase MAX_SESSIONS to 64.
        - Remove stop links from rc0 and rc6.
      * Build position-independent executables (only for debs, not for udebs) to
        take advantage of address space layout randomisation (thanks, Kees
        Cook).
      * Set Maintainer to me.
    
    openssh (1:4.3p2-8) unstable; urgency=medium
    
      [ Vincent Untz ]
      * Give the ssh-askpass-gnome window a default icon; remove unnecessary
        icon extension from .desktop file (closes:
        https://launchpad.net/bugs/27152).
    
      [ Colin Watson ]
      * Drop versioning on ssh/ssh-krb5 Replaces, as otherwise it isn't
        sufficient to replace conffiles (closes: #402804).
      * Make GSSAPICleanupCreds a compatibility alias for
        GSSAPICleanupCredentials. Mark GSSUseSessionCCache and
        GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate
        away from them on upgrade.
      * It turns out that the people who told me that removing a conffile in the
        preinst was sufficient to have dpkg replace it without prompting when
        moving a conffile between packages were very much mistaken. As far as I
        can tell, the only way to do this reliably is to write out the desired
        new text of the conffile in the preinst. This is gross, and requires
        shipping the text of all conffiles in the preinst too, but there's
        nothing for it. Fortunately this nonsense is only required for smooth
        upgrades from sarge.
      * debconf template translations:
        - Add Romanian (thanks, Stan Ioan-Eugen; closes: #403528).
    
     -- Colin Watson <email address hidden>   Mon, 19 Feb 2007 11:18:12 +0000
  • openssh (1:4.3p2-7ubuntu1) feisty; urgency=low
    
      * Resynchronise with Debian. Remaining changes:
        - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
        - Use LSB init script functions.
        - Increase MAX_SESSIONS to 64.
        - Remove stop links from rc0 and rc6.
    
    openssh (1:4.3p2-7) unstable; urgency=medium
    
      [ Colin Watson ]
      * Ignore errors from usermod when changing sshd's shell, since it will
        fail if the sshd user is not local (closes: #398436).
      * Remove version control tags from /etc/ssh/moduli and /etc/ssh/ssh_config
        to avoid unnecessary conffile resolution steps for administrators
        (thanks, Jari Aalto; closes: #335259).
      * Fix quoting error in configure.ac and regenerate configure (thanks, Ben
        Pfaff; closes: #391248).
      * When installing openssh-client or openssh-server from scratch, remove
        any unchanged conffiles from the pre-split ssh package to work around a
        bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
    
      [ Russ Allbery ]
      * Create transitional ssh-krb5 package which enables GSSAPI configuration
        in sshd_config (closes: #390986).
      * Default client to attempting GSSAPI authentication.
      * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's
        found.
      * Add ssh -K option, the converse of -k, to enable GSSAPI credential
        delegation (closes: #401483).
    
     -- Colin Watson <email address hidden>   Mon, 11 Dec 2006 14:47:01 +0000
  • openssh (1:4.3p2-6ubuntu1) feisty; urgency=low
    
      * Resynchronise with Debian. Remaining changes:
        - Add /sbin, /usr/sbin, and /usr/local/sbin to the default path.
        - Use LSB init script functions.
        - Increase MAX_SESSIONS to 64.
        - Remove stop links from rc0 and rc6.
    
    openssh (1:4.3p2-6) unstable; urgency=low
    
      * Acknowledge NMU (thanks, Manoj; closes: #394795).
      * Backport from 4.5p1:
        - Fix a bug in the sshd privilege separation monitor that weakened its
          verification of successful authentication. This bug is not known to be
          exploitable in the absence of additional vulnerabilities.
      * openssh-server Suggests: molly-guard (closes: #395473).
      * debconf template translations:
        - Update German (thanks, Helge Kreutzmann; closes: #395947).
    
    openssh (1:4.3p2-5.1) unstable; urgency=low
    
      * NMU to update SELinux patch, bringing it in line with current selinux
        releases.  The patch for this NMU is simply the Bug#394795 patch,
        and no other changes. (closes: #394795)
    
     -- Colin Watson <email address hidden>   Mon, 27 Nov 2006 03:47:26 +0000
  • openssh (1:4.3p2-5ubuntu1) edgy; urgency=low
    
      * Resynchronise with Debian.
    
    openssh (1:4.3p2-5) unstable; urgency=low
    
      * Remove ssh/insecure_telnetd check altogether (closes: #391081).
      * debconf template translations:
        - Update Danish (thanks, Claus Hindsgaul; closes: #390612).
    
     -- Colin Watson <email address hidden>   Thu,  5 Oct 2006 09:20:53 +0100