[ubuntu/noble-proposed] openssh 1:9.4p1-1ubuntu1 (Accepted)

Nick Rosbrook enr0n at ubuntu.com
Wed Nov 15 19:11:12 UTC 2023


openssh (1:9.4p1-1ubuntu1) noble; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd
    - debian/openssh-server.postinst: handle migration of sshd_config options
      to systemd socket options on upgrade.
    - debian/README.Debian: document systemd socket activation.
    - debian/patches/socket-activation-documentation.patch: Document in
      sshd_config(5) that ListenAddress and Port no longer work.
    - debian/openssh-server.templates: include debconf prompt explaining
      when migration cannot happen due to multiple ListenAddress values
    - debian/.gitignore: drop file
    - debian/openssh-server.postrm: remove systemd drop-ins for
      socket-activated sshd on purge
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
      /run/sshd creation out of the systemd unit to a tmpfile config so
      that sshd can be run manually if necessary without having to create
      this directory by hand.
    - debian/patches/systemd-socket-activation.patch: Fix sshd
      re-execution behavior when socket activation is used
    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
      activation functionality.
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
  * Dropped changes, fixed upstream:
    - d/p/fix-authorized-principals-command.patch: Fix the situation where
      sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
      is also set by checking if the value pointed to by the pointer
      'charptr' is NULL.
    - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
      to load a PKCS#11 provider that isn't a PKCS#11 provider in
      ssh-pkcs11.c.
    - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
      FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
    - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
      contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
  * Dropped changes, affected package versions not published in supported
    releases:
    - debian/openssh-server.postinst: do not try to restart systemd units,
      and instead indicate that a reboot is required
    - debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
    - debian/rules: Do not stop ssh.socket on upgrade
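Added example, not code from the openssh package or this upload: a POSIX sh function that turns the Port and ListenAddress lines of an sshd_config into the ssh.socket drop-in a socket-activated sshd needs, refusing more than one ListenAddress as the package's migration does. The drop-in install path named in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not code from the openssh package. Once sshd is
# socket-activated, Port and ListenAddress in sshd_config are ignored;
# the listener is set in a systemd ssh.socket drop-in instead. This
# derives that drop-in from an sshd_config and, like the package's own
# migration, refuses more than one ListenAddress rather than guess.

# Constructed sample sshd_config used for the demonstration.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 2222
Port 2223
ListenAddress 192.0.2.10
PermitRootLogin no
'

# Reads an sshd_config on stdin and prints the [Socket] drop-in body.
# Returns 2 when more than one ListenAddress is present.
socket_dropin_from_sshd_config() {
  ports='' addr='' naddr=0 explicit=0
  while read -r key val rest; do
    case "$key" in
      [Pp]ort) ports="$ports $val" ;;
      [Ll]isten[Aa]ddress) addr="$val"; naddr=$((naddr + 1)) ;;
    esac
  done
  if [ "$naddr" -gt 1 ]; then
    echo 'cannot migrate: multiple ListenAddress values' >&2
    return 2
  fi
  # sshd listens on port 22 when no Port directive is given.
  [ -n "$ports" ] || ports=' 22'
  # host:port and [ipv6]:port carry their own port; a bare address
  # binds every configured Port, and a bare IPv6 address needs brackets.
  case "$addr" in
    *\]:*) explicit=1 ;;
    *:*:*) addr="[$addr]" ;;
    *:*)   explicit=1 ;;
  esac
  # The empty ListenStream= clears the unit's default listener first.
  printf '[Socket]\nListenStream=\n'
  if [ -z "$addr" ]; then
    for p in $ports; do printf 'ListenStream=%s\n' "$p"; done
  elif [ "$explicit" -eq 1 ]; then
    printf 'ListenStream=%s\n' "$addr"
  else
    for p in $ports; do printf 'ListenStream=%s:%s\n' "$addr" "$p"; done
  fi
}

# Stand-alone run; install the output as a drop-in (assumed path:
# /etc/systemd/system/ssh.socket.d/listen.conf) and daemon-reload.
printf '%s' "$SAMPLE_SSHD_CONFIG" | socket_dropin_from_sshd_config
```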

openssh (1:9.4p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/releasenotes.html#9.4p1):
    - ssh-agent(1): PKCS#11 modules must now be specified by their full
      paths. Previously dlopen(3) could search for them in system library
      directories.
    - ssh(1): allow forwarding Unix Domain sockets via ssh -W.
    - ssh(1): add support for configuration tags to ssh(1). This adds a
      ssh_config(5) "Tag" directive and corresponding "Match tag" predicate
      that may be used to select blocks of configuration similar to the
      pf.conf(5) keywords of the same name.
    - ssh(1): add a "match localnetwork" predicate. This allows matching on
      the addresses of available network interfaces and may be used to vary
      the effective client configuration based on network location.
    - ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
      extensions. This defines wire formats for optional KRL extensions and
      implements parsing of the new submessages. No actual extensions are
      supported at this point.
    - sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
      accept two additional %-expansion sequences: %D which expands to the
      routing domain of the connected session and %C which expands to the
      addresses and port numbers for the source and destination of the
      connection.
    - ssh-keygen(1): increase the default work factor (rounds) for the
      bcrypt KDF used to derive symmetric encryption keys for passphrase
      protected key files by 50%.
    - ssh-agent(1): improve isolation between loaded PKCS#11 modules by
      running separate ssh-pkcs11-helpers for each loaded provider.
    - ssh(1): make -f (fork after authentication) work correctly with
      multiplexed connections, including ControlPersist (closes: #348741).
    - ssh(1): make ConnectTimeout apply to multiplexing sockets and not just
      to network connections.
    - ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules
      being loaded by checking that the requested module contains the
      required symbol before loading it.
    - sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
      appears before it in sshd_config. Since OpenSSH 8.7 the
      AuthorizedPrincipalsCommand directive was incorrectly ignored in this
      situation.
    - sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
      signatures. When the KRL format was originally defined, it included
      support for signing of KRL objects. However, the code to sign KRLs and
      verify KRL signatures was never completed in OpenSSH. This release
      removes the partially-implemented code to verify KRLs. All OpenSSH
      tools now ignore KRL_SECTION_SIGNATURE sections in KRL files.
    - All: fix a number of memory leaks and unreachable/harmless integer
      overflows.
    - ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
      modules.
    - sshd(8), ssh(1): better validate CASignatureAlgorithms in ssh_config
      and sshd_config. Previously this directive would accept certificate
      algorithm names, but these were unusable in practice as OpenSSH does
      not support CA chains.
    - ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
      algorithms that are valid for CA signing. Previous behaviour was to
      list all signing algorithms, including certificate algorithms.
    - ssh-keyscan(1): gracefully handle systems where rlimits or the maximum
      number of open files is larger than INT_MAX.
    - ssh-keygen(1): fix "no comment" not showing when running
      `ssh-keygen -l` on multiple keys where one has a comment and other
      following keys do not. bz3580
    - scp(1), sftp(1): adjust ftruncate() logic to handle servers that
      reorder requests. Previously, if the server reordered requests then
      the resultant file would be erroneously truncated.
    - ssh(1): don't incorrectly disable hostname canonicalization when
      CanonicalizeHostname=yes and ProxyJump was explicitly set to "none".
    - scp(1): when copying local->remote, check that the source file exists
      before opening an SFTP connection to the server (closes: #59255).
    - sshd(8): provide a replacement for the SELinux matchpathcon()
      function, which is deprecated.
    - All: relax libcrypto version checks for OpenSSL >=3 (closes:
      #1035623). Beyond OpenSSL 3.0, the ABI compatibility guarantees are
      wider (only the library major must match instead of major and minor in
      earlier versions).
    - ssh-copy-id(1): Special case OpenWrt instead of Dropbear
      (LP: #1966886).

openssh (1:9.3p2-1) unstable; urgency=high

  * New upstream release (https://www.openssh.com/releasenotes.html#9.3p2):
    - [CVE-2023-38408] Fix a condition where specific libraries loaded via
      ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
      execution via a forwarded agent socket.

Date: Mon, 13 Nov 2023 12:47:29 -0500
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/openssh/1:9.4p1-1ubuntu1
Format: 1.8
Date: Mon, 13 Nov 2023 12:47:29 -0500
Source: openssh
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.4p1-1ubuntu1
Distribution: noble
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Closes: 59255 348741 1035623
Launchpad-Bugs-Fixed: 1966886
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
Vcs-Git: https://git.launchpad.net/~enr0n/ubuntu/+source/openssh
Vcs-Git-Commit: f502bb1653d8f510bee6a6f94b9c817e163da4ff
Vcs-Git-Ref: refs/heads/merge-noble

