[ubuntu/mantic-proposed] openssh 1:9.3p1-1ubuntu1 (Accepted)

Nick Rosbrook nick.rosbrook at canonical.com
Thu Jul 6 15:56:14 UTC 2023


openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2025664). Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd
    - debian/openssh-server.postinst: handle migration of sshd_config options
      to systemd socket options on upgrade.
    - debian/README.Debian: document systemd socket activation.
    - debian/patches/socket-activation-documentation.patch: Document in
      sshd_config(5) that ListenAddress and Port no longer work.
    - debian/openssh-server.templates: include debconf prompt explaining
      when migration cannot happen due to multiple ListenAddress values
    - debian/.gitignore: drop file
    - debian/openssh-server.postrm: remove systemd drop-ins for
      socket-activated sshd on purge
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
      /run/sshd creation out of the systemd unit to a tmpfile config so
      that sshd can be run manually if necessary without having to create
      this directory by hand.
    - debian/patches/systemd-socket-activation.patch: Fix sshd
      re-execution behavior when socket activation is used
    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
      activation functionality.
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
    - Ensure smooth upgrade path from versions affected by LP: #2020474:
      + debian/openssh-server.postinst: do not try to restart systemd units,
        and instead indicate that a reboot is required
      + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
      + debian/rules: Do not stop ssh.socket on upgrade

openssh (1:9.3p1-1) unstable; urgency=medium

  * Debconf translations:
    - Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178).
  * Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425).
  * New upstream release (https://www.openssh.com/releasenotes.html#9.3p1):
    - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
      ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
      added in OpenSSH 8.9, a logic error prevented the constraints from
      being communicated to the agent. This resulted in the keys being added
      without constraints. The common cases of non-smartcard keys and keys
      without destination constraints are unaffected. This problem was
      reported by Luci Stanescu (closes: #1033166).
    - [SECURITY] ssh(1): Portable OpenSSH provides an implementation of the
      getrrsetbyname(3) function if the standard library does not provide
      it, for use by the VerifyHostKeyDNS feature. A specifically crafted
      DNS response could cause this function to perform an out-of-bounds
      read of adjacent stack data, but this condition does not appear to be
      exploitable beyond denial-of-service to the ssh(1) client.
    - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
      outputting SSHFP fingerprints to allow algorithm selection.
    - sshd(8): add a `sshd -G` option that parses and prints the effective
      configuration without attempting to load private keys and perform
      other checks. This allows usage of the option before keys have been
      generated and for configuration evaluation and verification by
      unprivileged users.
    - scp(1), sftp(1): fix progressmeter corruption on wide displays.
    - ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of
      private keys as some systems are starting to disable RSA/SHA1 in
      libcrypto.
    - sftp-server(8): fix a memory leak.
    - ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
      compatibility code and simplify what's left.
    - Fix a number of low-impact Coverity static analysis findings.
    - ssh_config(5), sshd_config(5): mention that some options are not
      first-match-wins.
    - Rework logging for the regression tests. Regression tests will now
      capture separate logs for each ssh and sshd invocation in a test.
    - ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says
      it should.
    - ssh(1): ensure that there is a terminating newline when adding a new
      entry to known_hosts.
    - sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
      mmap(2), madvise(2) and futex(2) flags, removing some concerning
      kernel attack surface.
  * debian/README.Debian: Clarify that you need to restart ssh.socket after
    overriding its ListenStream= option (LP: #2020560).
  * debian/openssh-server.postinst: Use "sshd -G" to parse the server
    configuration file (closes: #959726).
  * Fix incorrect RRSET_FORCE_EDNS0 flags validation in SSHFP DNSSEC patch
    (thanks, Ben Hutchings; closes: #909022).
  * Always use the internal mkdtemp implementation, since it substitutes
    more randomness into the template string than glibc's version (closes:
    #1001186).
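The Ubuntu delta above moves sshd's listening addresses out of sshd_config and into ssh.socket, uses `sshd -G` to read the effective configuration, and warns that the automatic migration is skipped when several ListenAddress values are set; the README change reminds you to restart ssh.socket after overriding ListenStream=. The script below is an added illustration of that shape of check, written for this page and not the package's own postinst. It assumes, as `sshd -T` does, that `sshd -G` prints one lowercase "key value" per line with each listen address already joined to its port (for the defaults, `listenaddress 0.0.0.0:22` and `listenaddress [::]:22`); the sample inputs in the comments are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example: derive the ssh.socket drop-in that takes over sshd_config's
# Port/ListenAddress settings once sshd is socket-activated, and refuse the
# case the changelog says is not migrated automatically (several ListenAddress
# values). Illustrative code, not the postinst shipped by the openssh package.
#
# Assumptions (not stated on the page): `sshd -G` prints the effective
# configuration one lowercase "key value" per line, and every listen address
# carries its port, e.g. "listenaddress 0.0.0.0:22" and "listenaddress [::]:22"
# for the wildcard defaults, as `sshd -T` does.

# socket_drop_in: read `sshd -G` output on stdin, print a [Socket] drop-in on
# stdout. Exit 0 on success, 1 if no listen addresses are present, 2 when more
# than one distinct explicit address is configured (left for a human to write).
socket_drop_in() {
    awk '
        $1 == "listenaddress" {
            n++; line[n] = $2
            addr = $2; sub(/:[0-9]+$/, "", addr)   # "[::]:22" -> "[::]"
            port = $2; sub(/.*:/, "", port)        # "[::]:22" -> "22"
            have[addr "/" port] = 1
            if (addr != "0.0.0.0" && addr != "[::]" && !(addr in seen)) {
                seen[addr] = 1; nexplicit++
            }
        }
        END {
            if (n == 0) {
                print "no listenaddress lines in input" > "/dev/stderr"; exit 1
            }
            if (nexplicit > 1) {
                print "ListenAddress set more than once; write the drop-in by hand" > "/dev/stderr"
                exit 2
            }
            print "[Socket]"
            # An empty ListenStream= clears the list inherited from ssh.socket;
            # without it the drop-in would add to port 22 instead of replacing it.
            print "ListenStream="
            for (i = 1; i <= n; i++) {
                a = line[i]; sub(/:[0-9]+$/, "", a)
                p = line[i]; sub(/.*:/, "", p)
                # The default wildcard pair for a port collapses to the bare port,
                # which systemd binds on both address families under the usual
                # kernel default (net.ipv6.bindv6only=0). A lone 0.0.0.0 or [::]
                # is kept literally so an IPv4-only or IPv6-only bind stays so.
                if ((a == "0.0.0.0" || a == "[::]") && (("0.0.0.0/" p) in have) && (("[::]/" p) in have)) {
                    if (!(p in done)) { done[p] = 1; print "ListenStream=" p }
                } else {
                    print "ListenStream=" line[i]
                }
            }
        }'
}

# Constructed sample (wildcard defaults) and its result:
#   printf 'port 22\nlistenaddress [::]:22\nlistenaddress 0.0.0.0:22\n' | socket_drop_in
#   -> [Socket] / ListenStream= / ListenStream=22
#
# On a real host (not run here), then restart the socket as the README says:
#   sshd -G | socket_drop_in > /etc/systemd/system/ssh.socket.d/listen.conf \
#     && systemctl daemon-reload && systemctl restart ssh.socket
```

Reading `sshd -G` rather than sshd_config directly means Include files, Match-independent defaults and a bare `Port` with no ListenAddress are all resolved by sshd itself, which is the same reason the postinst switched to it; the one thing this script deliberately does not decide is which of several explicit addresses the socket should keep, so that case exits non-zero and leaves sshd_config untouched.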

Date: Mon, 03 Jul 2023 11:34:47 -0400
Changed-By: Nick Rosbrook <nick.rosbrook at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Simon Chopin <simon.chopin at canonical.com>
https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 03 Jul 2023 11:34:47 -0400
Source: openssh
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.3p1-1ubuntu1
Distribution: mantic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Nick Rosbrook <nick.rosbrook at canonical.com>
Closes: 909022 959726 1001186 1033166 1033178 1034425
Launchpad-Bugs-Fixed: 2020474 2020560 2025664
Changes:
 openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium
 .
   * Merge with Debian unstable (LP: #2025664). Remaining changes:
     - debian/rules: modify dh_installsystemd invocations for
       socket-activated sshd
     - debian/openssh-server.postinst: handle migration of sshd_config options
       to systemd socket options on upgrade.
     - debian/README.Debian: document systemd socket activation.
     - debian/patches/socket-activation-documentation.patch: Document in
       sshd_config(5) that ListenAddress and Port no longer work.
     - debian/openssh-server.templates: include debconf prompt explaining
       when migration cannot happen due to multiple ListenAddress values
     - debian/.gitignore: drop file
     - debian/openssh-server.postrm: remove systemd drop-ins for
       socket-activated sshd on purge
     - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
     - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
       /run/sshd creation out of the systemd unit to a tmpfile config so
       that sshd can be run manually if necessary without having to create
       this directory by hand.
     - debian/patches/systemd-socket-activation.patch: Fix sshd
       re-execution behavior when socket activation is used
     - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
       activation functionality.
     - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
     - Ensure smooth upgrade path from versions affected by LP: #2020474:
       + debian/openssh-server.postinst: do not try to restart systemd units,
         and instead indicate that a reboot is required
       + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
       + debian/rules: Do not stop ssh.socket on upgrade
 .
 openssh (1:9.3p1-1) unstable; urgency=medium
 .
   * Debconf translations:
     - Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178).
   * Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425).
   * New upstream release (https://www.openssh.com/releasenotes.html#9.3p1):
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
       ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
       added in OpenSSH 8.9, a logic error prevented the constraints from
       being communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [SECURITY] ssh(1): Portable OpenSSH provides an implementation of the
       getrrsetbyname(3) function if the standard library does not provide
       it, for use by the VerifyHostKeyDNS feature. A specifically crafted
       DNS response could cause this function to perform an out-of-bounds
       read of adjacent stack data, but this condition does not appear to be
       exploitable beyond denial-of-service to the ssh(1) client.
     - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
       outputting SSHFP fingerprints to allow algorithm selection.
     - sshd(8): add a `sshd -G` option that parses and prints the effective
       configuration without attempting to load private keys and perform
       other checks. This allows usage of the option before keys have been
       generated and for configuration evaluation and verification by
       unprivileged users.
     - scp(1), sftp(1): fix progressmeter corruption on wide displays.
     - ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of
       private keys as some systems are starting to disable RSA/SHA1 in
       libcrypto.
     - sftp-server(8): fix a memory leak.
     - ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
       compatibility code and simplify what's left.
     - Fix a number of low-impact Coverity static analysis findings.
     - ssh_config(5), sshd_config(5): mention that some options are not
       first-match-wins.
     - Rework logging for the regression tests. Regression tests will now
       capture separate logs for each ssh and sshd invocation in a test.
     - ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says
       it should.
     - ssh(1): ensure that there is a terminating newline when adding a new
       entry to known_hosts.
     - sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
       mmap(2), madvise(2) and futex(2) flags, removing some concerning
       kernel attack surface.
   * debian/README.Debian: Clarify that you need to restart ssh.socket after
     overriding its ListenStream= option (LP: #2020560).
   * debian/openssh-server.postinst: Use "sshd -G" to parse the server
     configuration file (closes: #959726).
   * Fix incorrect RRSET_FORCE_EDNS0 flags validation in SSHFP DNSSEC patch
     (thanks, Ben Hutchings; closes: #909022).
   * Always use the internal mkdtemp implementation, since it substitutes
     more randomness into the template string than glibc's version (closes:
     #1001186).
Checksums-Sha1:
 b04e48d2bc85745bf131ef602d00e75646219efe 3139 openssh_9.3p1-1ubuntu1.dsc
 610959871bf8d6baafc3525811948f85b5dd84ab 1856839 openssh_9.3p1.orig.tar.gz
 31e40d5a0769d4febc8493f354b273eff0d9cab5 833 openssh_9.3p1.orig.tar.gz.asc
 14f4fb5a23efdd949f5f0e67a17f4bf3b0bd6493 189108 openssh_9.3p1-1ubuntu1.debian.tar.xz
 a540d53b09ef3d5b4a7c2abfb59f2dd41577e1e3 8184 openssh_9.3p1-1ubuntu1_source.buildinfo
Checksums-Sha256:
 e394ba489e93520a9c05997db845feaded16a3647f00f9f4087d5d9c6a1066db 3139 openssh_9.3p1-1ubuntu1.dsc
 e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8 1856839 openssh_9.3p1.orig.tar.gz
 6d96d2ff60d8d3545f0fa1709cb4c273d9a2fe086afa90f70951cffc01c8fa68 833 openssh_9.3p1.orig.tar.gz.asc
 d9aaeff49a0b854e1d7ebd1dffea156e73e0044f365a9ed53506a25a46e9f7c4 189108 openssh_9.3p1-1ubuntu1.debian.tar.xz
 366f03dc73de12cc1be9896da7cf133ea272badc4264b8525dc8bfa250d93e34 8184 openssh_9.3p1-1ubuntu1_source.buildinfo
Files:
 daded8d8e05b6d24d9f69f5a56ba3bd2 3139 net standard openssh_9.3p1-1ubuntu1.dsc
 3430d5e6e71419e28f440a42563cb553 1856839 net standard openssh_9.3p1.orig.tar.gz
 8a1aef9314a4224cf3f2936430733796 833 net standard openssh_9.3p1.orig.tar.gz.asc
 28ef0f1031a5f69d018f349463903b23 189108 net standard openssh_9.3p1-1ubuntu1.debian.tar.xz
 c36c5072201ebd5c62ddb4e86b8de2c0 8184 net standard openssh_9.3p1-1ubuntu1_source.buildinfo
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
Vcs-Git: https://git.launchpad.net/~schopin/ubuntu/+source/openssh
Vcs-Git-Commit: 2f2d3542658a7719314afe31bd09e5014fe07d33
Vcs-Git-Ref: refs/heads/merge-mantic-lp2025664