[ubuntu/maverick] openssh 1:5.5p1-3ubuntu1 (Accepted)
Colin Watson
cjwatson at ubuntu.com
Sun May 9 17:10:21 BST 2010
openssh (1:5.5p1-3ubuntu1) maverick; urgency=low
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
take up a lot of CD space, and I suspect that rolling them out in
security updates has covered most affected systems now.
- Convert to Upstart. The init script is still here for the benefit of
people running sshd in chroots.
- Install apport hook.
* Stop setting OOM adjustment in Upstart job; sshd does it itself now.
openssh (1:5.5p1-3) unstable; urgency=low
* Discard error messages while checking whether rsh, rlogin, and rcp
alternatives exist (closes: #579285).
* Drop IDEA key check; I don't think it works properly any more due to
textual changes in error output, it's only relevant for direct upgrades
from truly ancient versions, and it breaks upgrades if
/etc/ssh/ssh_host_key can't be loaded (closes: #579570).
openssh (1:5.5p1-2) unstable; urgency=low
* Use dh_installinit -n, since our maintainer scripts already handle this
more carefully (thanks, Julien Cristau).
openssh (1:5.5p1-1) unstable; urgency=low
* New upstream release:
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
paths.
- Include a language tag when sending a protocol 2 disconnection
message.
- Make logging of certificates used for user authentication more clear
and consistent between CAs specified using TrustedUserCAKeys and
authorized_keys.
openssh (1:5.4p1-2) unstable; urgency=low
* Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
installed, the host key is published in an SSHFP RR secured with DNSSEC,
and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
verification (closes: #572049).
* Convert to dh(1), and use dh_installdocs --link-doc.
* Drop lpia support, since Ubuntu no longer supports this architecture.
* Use dh_install more effectively.
* Add a NEWS.Debian entry about changes in smartcard support relative to
previous unofficial builds (closes: #231472).
openssh (1:5.4p1-1) unstable; urgency=low
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
* Fix 'debian/rules quilt-setup' to avoid writing .orig files if some
patches apply with offsets.
* Include debian/ssh-askpass-gnome.png in the Debian tarball now that
we're using a source format that permits this, rather than messing
around with uudecode.
* Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi
mechanism was removed due to a serious security hole, and since these
versions of ssh-krb5 are no longer security-supported by Debian I don't
think there's any point keeping client compatibility for them.
* Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.
* Hardcode the location of xauth to /usr/bin/xauth rather than
/usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440).
xauth no longer depends on x11-common, so we're no longer guaranteed to
have the /usr/bin/X11 symlink available. I was taking advantage of the
/usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far
enough in the past now that it's probably safe to just use /usr/bin.
* Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makes
itself non-OOM-killable, and doesn't require configuration to avoid log
spam in virtualisation containers (closes: #555625).
* Drop Debian-specific removal of OpenSSL version check. Upstream ignores
the two patchlevel nybbles now, which is sufficient to address the
original reason this change was introduced, and it appears that any
change in the major/minor/fix nybbles would involve a new libssl package
name. (We'd still lose if the status nybble were ever changed, but that
would mean somebody had packaged a development/beta version rather than
a proper release, which doesn't appear to be normal practice.)
* Drop most of our "LogLevel SILENT" (-qq) patch. This was originally
introduced to match the behaviour of non-free SSH, in which -q does not
suppress fatal errors, but matching the behaviour of OpenSSH upstream is
much more important nowadays. We no longer document that -q does not
suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to
"LogLevel QUIET" in sshd_config on upgrade.
* Policy version 3.8.4:
- Add a Homepage field.
Date: Sun, 09 May 2010 18:04:01 +0200
Changed-By: Colin Watson <cjwatson at ubuntu.com>
Signed-By: Colin Watson <cjwatson at canonical.com>
https://launchpad.net/ubuntu/maverick/+source/openssh/1:5.5p1-3ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 09 May 2010 18:04:01 +0200
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:5.5p1-3ubuntu1
Distribution: maverick
Urgency: low
Maintainer: Colin Watson <cjwatson at ubuntu.com>
Changed-By: Colin Watson <cjwatson at ubuntu.com>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 231472 270399 280609 360151 428082 431538 482806 496843 531561 555625 572049 575725 579285 579570
Launchpad-Bugs-Fixed: 8440 16918 33378 535029
Changes:
openssh (1:5.5p1-3ubuntu1) maverick; urgency=low
.
* Resynchronise with Debian. Remaining changes:
- Add support for registering ConsoleKit sessions on login.
- Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
take up a lot of CD space, and I suspect that rolling them out in
security updates has covered most affected systems now.
- Convert to Upstart. The init script is still here for the benefit of
people running sshd in chroots.
- Install apport hook.
* Stop setting OOM adjustment in Upstart job; sshd does it itself now.
.
openssh (1:5.5p1-3) unstable; urgency=low
.
* Discard error messages while checking whether rsh, rlogin, and rcp
alternatives exist (closes: #579285).
* Drop IDEA key check; I don't think it works properly any more due to
textual changes in error output, it's only relevant for direct upgrades
from truly ancient versions, and it breaks upgrades if
/etc/ssh/ssh_host_key can't be loaded (closes: #579570).
.
openssh (1:5.5p1-2) unstable; urgency=low
.
* Use dh_installinit -n, since our maintainer scripts already handle this
more carefully (thanks, Julien Cristau).
.
openssh (1:5.5p1-1) unstable; urgency=low
.
* New upstream release:
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
paths.
- Include a language tag when sending a protocol 2 disconnection
message.
- Make logging of certificates used for user authentication more clear
and consistent between CAs specified using TrustedUserCAKeys and
authorized_keys.
.
openssh (1:5.4p1-2) unstable; urgency=low
.
* Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
installed, the host key is published in an SSHFP RR secured with DNSSEC,
and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
verification (closes: #572049).
* Convert to dh(1), and use dh_installdocs --link-doc.
* Drop lpia support, since Ubuntu no longer supports this architecture.
* Use dh_install more effectively.
* Add a NEWS.Debian entry about changes in smartcard support relative to
previous unofficial builds (closes: #231472).
.
openssh (1:5.4p1-1) unstable; urgency=low
.
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
.
* Fix 'debian/rules quilt-setup' to avoid writing .orig files if some
patches apply with offsets.
* Include debian/ssh-askpass-gnome.png in the Debian tarball now that
we're using a source format that permits this, rather than messing
around with uudecode.
* Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi
mechanism was removed due to a serious security hole, and since these
versions of ssh-krb5 are no longer security-supported by Debian I don't
think there's any point keeping client compatibility for them.
* Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.
* Hardcode the location of xauth to /usr/bin/xauth rather than
/usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440).
xauth no longer depends on x11-common, so we're no longer guaranteed to
have the /usr/bin/X11 symlink available. I was taking advantage of the
/usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far
enough in the past now that it's probably safe to just use /usr/bin.
* Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makes
itself non-OOM-killable, and doesn't require configuration to avoid log
spam in virtualisation containers (closes: #555625).
* Drop Debian-specific removal of OpenSSL version check. Upstream ignores
the two patchlevel nybbles now, which is sufficient to address the
original reason this change was introduced, and it appears that any
change in the major/minor/fix nybbles would involve a new libssl package
name. (We'd still lose if the status nybble were ever changed, but that
would mean somebody had packaged a development/beta version rather than
a proper release, which doesn't appear to be normal practice.)
* Drop most of our "LogLevel SILENT" (-qq) patch. This was originally
introduced to match the behaviour of non-free SSH, in which -q does not
suppress fatal errors, but matching the behaviour of OpenSSH upstream is
much more important nowadays. We no longer document that -q does not
suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to
"LogLevel QUIET" in sshd_config on upgrade.
* Policy version 3.8.4:
- Add a Homepage field.
Checksums-Sha1:
37502b82e50e07df8ef86d1fd8ebbda18c53e339 2446 openssh_5.5p1-3ubuntu1.dsc
361c6335e74809b26ea096b34062ba8ff6c97cd6 1097574 openssh_5.5p1.orig.tar.gz
0c312345d2feab21fc7741376751c1a2d20e91c5 240837 openssh_5.5p1-3ubuntu1.debian.tar.gz
Checksums-Sha256:
f8ddb100cdca32c555471c58c6bbc326c063045215abbbb8e53ee5d3e93b75d0 2446 openssh_5.5p1-3ubuntu1.dsc
36eedd6efe6663186ed23573488670f9b02e34744694e94a9f869b6f25e47e8a 1097574 openssh_5.5p1.orig.tar.gz
d7bdcaecf73832389fb57cecb18e9230e8fbd123b8fdaff6108f6ac53475eb67 240837 openssh_5.5p1-3ubuntu1.debian.tar.gz
Files:
e206fd15a22d00c6996fef1c7d316aca 2446 net standard openssh_5.5p1-3ubuntu1.dsc
88633408f4cb1eb11ec7e2ec58b519eb 1097574 net standard openssh_5.5p1.orig.tar.gz
1e5a18d3a7fbd51e87730c15de1fecad 240837 net standard openssh_5.5p1-3ubuntu1.debian.tar.gz
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwatson at debian.org> -- Debian developer
iQIVAwUBS+bdbjk1h9l9hlALAQi1mA//e8VBedw6Q2gxlTQYMdwNpQYgJE5JsQON
ZTVtyZn8UsPwvUuipnBlIE5pzEsKZhRRRtdbcaNeTcJdmMttAAeH1u8/5LphKS2C
qHI9FvxCrvERJ42JVdfeFcKc92X9gJWM24/P2lYb4d1GH6B+9QtYG5G6oPqO54iL
+N2Xjn5NkSvlKh/WOPSFnrAEioBBcfYQI1KMePyiHmfMf6SLusu02h4XDbVg4cqA
tJMS3Lm+l+MsAKeVGfaDllJbAmQtGyBOqylgzZXK66RBKINSRiL3rKZFrG9LsEqI
9p54YVmPZ2O1LFireT5lK9QHlxLONnDVOd+rSqwyx0oIcfHPhujwFv7ymauLq6Y2
INHeUwB0me9zHC3rpnahSbr4ilveZhNSPdBBSO0C5+LgiG5rbegkUbNSq5Yi1HRm
Dbz7KwMN5aERMkVG09+rbAb3tv2MAcDAn8IoJyC7z1BJIxX4qlm45vMIeIj4DB1N
oVymRRWHzEq3R3EQ2NlwBjb/+qac+VTmsx34P5mbmk89hgLYI6B2ExwYuyG06USF
ZX/1b0lMQ0kbIktozelylRYeLFFUkAT8BloKxbCHykvhTfTWYmoRQNi8rVd8g5my
0MZ/DIFf9WN1iwOYNZ6Pix3FSxjAy1yi/Uze6zlqQ41JnzH0R6KsOTZKvxPamM8/
vW3lNym9sAA=
=VfNZ
-----END PGP SIGNATURE-----
More information about the Maverick-changes
mailing list