[Bug 1946286] Re: Merge openssh from Debian unstable for 22.04
Colin Watson
1946286@bugs.launchpad.net
Sun Oct 10 00:00:42 UTC 2021
I intend to merge all the Ubuntu changes for my next Debian upload and
then sync it, so there's probably no need to pay attention to this.
I'm preparing packaging of OpenSSH 8.8p1, but the current blocker is
that this drops the ssh-rsa signature algorithm by default (*not* the
public key type), and that needs changes to Twisted and probably
lazr.sshserver in order for Launchpad's SSH endpoints to support it; I'd
rather not upload a package that would break connectivity to
git.launchpad.net etc. out of the box. I'm working on this but don't
yet have an ETA.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1946286
Title:
Merge openssh from Debian unstable for 22.04
Status in openssh package in Ubuntu:
New
Bug description:
Scheduled-For: 22.12
Upstream: tbd
Debian: 1:8.4p1-6
Ubuntu: 1:8.4p1-6ubuntu2
Debian typically updates openssh every month on average, but it was
last updated in 21.08 and looks overdue. Check back on this monthly.
### New Debian Changes ###
openssh
openssh (1:8.4p1-6) unstable; urgency=medium
[ Colin Watson ]
* Rename ssh group to _ssh (closes: #990456). It's only used by
ssh-agent.
* debian/tests/regress: Don't fail cleanup if haveged isn't running.
* Backport from upstream:
- Add includes.h to compat tests (closes: #992134, LP: #1939751).
* Use 'command -v' in maintainer scripts rather than 'which'.
[ Athos Ribeiro ]
* d/systemd/ssh@.service: preserve the systemd managed runtime directory to
ensure parallel processes will not disrupt one another when halting
(LP: #1905285) (closes: #934663)
-- Colin Watson <cjwatson@debian.org>  Thu, 19 Aug 2021 11:04:01 +0100
openssh (1:8.4p1-5) unstable; urgency=high
* CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).
-- Colin Watson <cjwatson@debian.org>  Sat, 13 Mar 2021 09:59:40 +0000
openssh (1:8.4p1-4) unstable; urgency=medium
* Avoid using libmd's <sha2.h> even if it's installed (closes:
#982705).
-- Colin Watson <cjwatson@debian.org>  Mon, 15 Feb 2021 10:25:17 +0000
openssh (1:8.4p1-3) unstable; urgency=medium
* Backport from upstream:
- Fix `EOF: command not found` error in ssh-copy-id (closes: #975540).
-- Colin Watson <cjwatson@debian.org>  Wed, 02 Dec 2020 10:32:23 +0000
openssh (1:8.4p1-2) unstable; urgency=medium
* Revert incorrect upstream patch that claimed to fix the seccomp sandbox
on x32 but in fact broke it instead.
-- Colin Watson <cjwatson@debian.org>  Mon, 26 Oct 2020 17:41:13 +0000
openssh (1:8.4p1-1) unstable; urgency=medium
* New upstream release (https://www.openssh.com/txt/release-8.4):
- [SECURITY] ssh-agent(1): restrict ssh-agent from signing web
challenges for FIDO/U2F keys.
- [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when
generating a FIDO resident key.
- ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is generated has changed. It now includes the
authenticator data needed to validate attestation signatures.
- The API between OpenSSH and the FIDO token middleware has changed and
the SSH_SK_VERSION_MAJOR version has been incremented as a result.
Third-party middleware libraries must support the current API version
(7) to work with OpenSSH 8.4.
- ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
'verify-required' option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
- sshd(8): authorized_keys now supports a new 'verify-required' option
to require FIDO signatures assert that the token verified that the
user was present before making the signature. The FIDO protocol
supports multiple methods for user-verification, but currently OpenSSH
only supports PIN verification.
- sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
- ssh(1): allow some keywords to expand shell-style ${ENV} environment
variables. The supported keywords are CertificateFile, ControlPath,
IdentityAgent and IdentityFile, plus LocalForward and RemoteForward
when used for Unix domain socket paths.
- ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use (closes: #368657).
- ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-limited
keys will automatically be removed from ssh-agent after their expiry
time has passed.
- scp(1), sftp(1): allow the -A flag to explicitly enable agent
forwarding in scp and sftp. The default remains to not forward an
agent, even when ssh_config enables it.
- ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the
destination. This allows, e.g., keeping host keys in individual files
using 'UserKnownHostsFile ~/.ssh/known_hosts.d/%k' (closes: #481250).
- ssh(1): add %-TOKEN, environment variable and tilde expansion to the
UserKnownHostsFile directive, allowing the path to be completed by the
configuration.
- ssh-keygen(1): allow 'ssh-add -d -' to read keys to be deleted from
stdin.
- sshd(8): improve logging for MaxStartups connection throttling. sshd
will now log when it starts and stops throttling and periodically
while in this state.
- ssh(1), ssh-keygen(1): better support for multiple attached FIDO
tokens. In cases where OpenSSH cannot unambiguously determine which
token to direct a request to, the user is now required to select a
token by touching it. In cases of operations that require a PIN to be
verified, this avoids sending the wrong PIN to the wrong token and
### Old Ubuntu Delta ###
openssh (1:8.4p1-6ubuntu2) impish; urgency=medium
* Configure with ac_cv_func_closefrom=no to avoid an incompatibility
with glibc 2.34's fallback_closefrom function (LP: #1944621)
-- William 'jawn-smith' Wilson <william.wilson@canonical.com>  Tue, 21 Sep 2021 22:08:39 +0000
openssh (1:8.4p1-6ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1941799). Remaining changes:
- Cherry-pick seccomp fixes for glibc 2.33 thanks to Dave Jones for
reports on armhf.
-- William 'jawn-smith' Wilson <william.wilson@canonical.com>  Thu, 26 Aug 2021 12:51:02 -0600
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1946286/+subscriptions
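Colin's comment above concerns the part of OpenSSH 8.8 that bites administrators: the default configuration stops offering the SHA-1 based `ssh-rsa` signature algorithm while RSA keys themselves remain usable through `rsa-sha2-256` and `rsa-sha2-512`. Before rolling 8.8 into a fleet, it helps to find the sessions that currently negotiate `ssh-rsa` signatures. The script below is an added example written for this thread, not code from OpenSSH, Debian or Launchpad: it scans client-side `ssh -v` output for the `kex: host key algorithm:` line (the line format is assumed from OpenSSH's debug output; the leading host label and all sample lines are constructed) and reports which hosts would stop connecting under the 8.8 defaults.

```python
"""Flag SSH sessions that negotiated the SHA-1 based ssh-rsa signature algorithm.

Added example for this bug thread, not code from OpenSSH, Debian or Launchpad.
It scans ssh -v style client debug output for the "kex: host key algorithm:"
line (format assumed from OpenSSH's client debugging output) and reports
sessions that would break once the client or server moves to OpenSSH 8.8's
defaults, which drop the ssh-rsa *signature* algorithm but keep accepting the
same RSA keys through rsa-sha2-256/512.
"""
import re

# Signature algorithms whose signatures use SHA-1; disabled by default in 8.8.
SHA1_RSA_SIGS = frozenset({"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"})

# SHA-2 RSA signature algorithms that stay enabled for the same RSA keys.
SHA2_RSA_SIGS = frozenset({
    "rsa-sha2-256",
    "rsa-sha2-512",
    "rsa-sha2-256-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
})

# One line per session: "<host> debug1: kex: host key algorithm: <alg>".
# The "<host> " prefix is a constructed label added when collecting the logs;
# ssh -v itself prints only the part starting at "debug1:".
HOSTKEY_ALG_RE = re.compile(
    r"^(?P<host>\S+) debug1: kex: host key algorithm: (?P<alg>\S+)$"
)


def classify(alg: str) -> str:
    """Map a negotiated host key signature algorithm to a risk class."""
    if alg in SHA1_RSA_SIGS:
        return "sha1-rsa"      # fails against an 8.8 default configuration
    if alg in SHA2_RSA_SIGS:
        return "sha2-rsa"      # RSA key with a SHA-2 signature: keeps working
    return "other"             # ed25519, ecdsa, ...: unaffected by the change


def scan(lines):
    """Return [(host, alg, class)] for every kex line; unrelated lines are skipped."""
    results = []
    for line in lines:
        m = HOSTKEY_ALG_RE.match(line.strip())
        if m:
            alg = m.group("alg")
            results.append((m.group("host"), alg, classify(alg)))
    return results


def at_risk(lines):
    """Hosts that negotiated a SHA-1 RSA signature and need attention before 8.8."""
    return sorted({host for host, _, cls in scan(lines) if cls == "sha1-rsa"})


# Constructed sample: three sessions plus one unrelated debug line.
SAMPLE_LOG = [
    "git.example.test debug1: kex: host key algorithm: ssh-rsa",
    "git.example.test debug1: kex: algorithm: curve25519-sha256",
    "bastion.example.test debug1: kex: host key algorithm: rsa-sha2-512",
    "build.example.test debug1: kex: host key algorithm: ssh-ed25519",
]

if __name__ == "__main__":
    for host, alg, cls in scan(SAMPLE_LOG):
        print(f"{host:24} {alg:36} {cls}")
    print("at risk:", ", ".join(at_risk(SAMPLE_LOG)) or "none")
```

A host flagged `sha1-rsa` is not necessarily using a weak key: the same RSA host key usually works once the peer is upgraded to a version that signs with `rsa-sha2-256`/`rsa-sha2-512`. The flag identifies the peers (servers or, for incoming connections, old clients such as the Twisted-based endpoints Colin mentions) that must gain SHA-2 RSA signature support before the 8.8 defaults are deployed.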