[ubuntu/resolute-proposed] openssh 1:10.2p1-2ubuntu1 (Accepted)

Nick Rosbrook enr0n at ubuntu.com
Wed Dec 3 14:38:16 UTC 2025


openssh (1:10.2p1-2ubuntu1) resolute; urgency=medium

  * Merge with Debian unstable (LP: #2130054). Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd
    - debian/README.Debian: document systemd socket activation.
    - debian/.gitignore: drop file
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - d/p/systemd-socket-activation.patch:
      + Fix sshd re-execution behavior when socket activation is used
      + Adapt sshd-session and sshd-auth for systemd socket activation
      + Allow AF_VSOCK sockets
    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
      activation functionality.
    - debian/patches: Immediately report interactive instructions to PAM clients
    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
    - debian/control: Build-Depends: systemd-dev
    - d/p/sshd-socket-generator.patch: add generator for socket activation
    - debian/openssh-server.install: install sshd-socket-generator
    - debian/openssh-server.postinst: restart whichever systemd unit is enabled
    - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
    - ssh.socket: adjust unit for socket activation by default
    - debian/rules: explicitly enable LTO
    - d/t/ssh-gssapi: disable -e in cleanup()
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
    - d/openssh-server.links: add full sshd.service -> ssh.service alias
      (LP #2087949)
    - document /etc/ssh/sshd_config.d/*.conf better in sshd_config
      (LP #2088207)
    - d/rules,d/control: do not build with wtmpdb support
    - d/t/control: add breaks-testbed restriction to tests
    - d/tests: do not fail when $HOME/.ssh exists
    - test: workaround test failure caused by uutils dd (LP #2125943)
  * Dropped:
    - authfd: fallback to default if $SSH_AUTH_SOCK is unset (LP #2125549)
      [ This was not the right fix, so do not carry it anymore ]

openssh (1:10.2p1-2) unstable; urgency=medium

  * ssh-session-cleanup: Update pattern for sshd-session split in 9.8
    (closes: #1117965).
  * Link ssh against ssh-pkcs11.o directly (closes: #1117638, #1117720).

openssh (1:10.2p1-1) unstable; urgency=medium

  * New upstream release:
    - ssh-keygen(1): fix download of keys from PKCS#11 tokens.

openssh (1:10.1p1-2) unstable; urgency=medium

  * Don't reuse c->isatty for signalling that the remote channel has a tty
    attached (closes: #1117574, #1117594).
  * Link ssh-keygen directly against ssh-pkcs11.c.

openssh (1:10.1p1-1) unstable; urgency=medium

  [ Allison Karlitskaya ]
  * sshd at .service: Support ephemeral keys from VM/container hosts.

  [ Colin Watson ]
  * New upstream release:
    - ssh(1): add a warning when the connection negotiates a non-post
      quantum key agreement algorithm.
    - ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS: by
      default, interactive traffic is assigned to the EF (Expedited
      Forwarding) class, while non-interactive traffic uses the operating
      system default DSCP marking.
    - ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
      keywords in the IPQoS configuration directive.
    - ssh-add(1): when adding certificates to an agent, set the expiry to
      the certificate expiry time plus a short (5 min) grace period.
    - All: remove experimental support for XMSS keys.
    - ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under
      ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).
    - CVE-2025-61984: ssh(1): disallow control characters in usernames
      passed via the commandline or expanded using %-sequences from the
      configuration file (closes: #1117529).
    - CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs (closes:
      #1117530).
    - ssh(1), sshd(8): add SIGINFO handlers to log active channel and
      session information.
    - sshd(8): when refusing a certificate for user authentication, log
      enough information to identify the certificate in addition to the
      reason why it was being denied. Makes debugging certificate
      authorisation problems a bit easier.
    - ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens.
    - ssh(1): add an ssh_config(5) RefuseConnection option that, when
      encountered while processing an active section in a configuration,
      terminates ssh(1) with an error message that contains the argument to
      the option.
    - sshd(8): make the X11 display number check relative to
      X11DisplayOffset. This will allow people to use X11DisplayOffset to
      configure much higher port ranges if they really want, while not
      changing the default behaviour.
    - ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is
      enabled.
    - sshd(8): increase the maximum size of the supported configuration from
      256KB to 4MB, which ought to be enough for anybody. Fail early and
      visibly when this limit is breached.
    - sftp(1): during sftp uploads, avoid a condition where a failed write
      could be ignored if a subsequent write succeeded. This is unlikely but
      technically possible because sftp servers are allowed to reorder
      requests.
    - sshd(8): avoid a race condition when the sshd-auth process exits that
      could cause a spurious error message to be logged.
    - sshd(8): log at level INFO when PerSourcePenalties actually blocks
      access to a source address range. Previously this was logged at level
      VERBOSE, which hid enforcement actions under default config settings.
    - sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
      first-match-wins as advertised.
    - ssh(1): fix an incorrect return value check in the local forward
      cancellation path that would cause failed cancellations not to be
      logged.
    - sshd(8): make "Match !final" not trigger a second parsing pass of
      ssh_config (unless hostname canonicalisation or a separate "Match
      final" does).
    - ssh(1): better debug diagnostics when loading keys. Will now list key
      fingerprint and algorithm (not just algorithm number) as well as
      making it explicit which keys didn't load.
    - All: fix a number of memory leaks found by LeakSanitizer, Coverity and
      manual inspection.
    - sshd(8): Output the current name for PermitRootLogin's
      "prohibit-password" in sshd -T instead of its deprecated alias
      "without-password" (closes: #1095922).
    - ssh(1): make writing known_hosts lines more atomic by writing the
      entire line in one operation and using unbuffered stdio.
    - sshd(8): check the username didn't change during the PAM transactions.
    - sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow
      DNS lookups in the audit subsystem.
    - All: when making a copy of struct passwd, ensure struct fields are
      non-NULL.
    - sshd(8): handle futex_time64 properly in seccomp sandbox.
    - Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
    - ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
      preventing a graceful shutdown of an agent via systemd from
      incorrectly marking the service as "failed".
  * Drop patches:
    - no-openssl-version-status.patch: Mostly applied upstream; the rest
      only applied to OpenSSL < 3, which isn't relevant to current Debian
      releases.
    - revert-ipqos-defaults.patch: This new upstream release reworks IPQoS,
      so let's see how that works in Debian (closes: #1111446).
  * debian/run-tests: Fix path to dropbear.
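The two CVE items in the 10.1p1-1 entry above (control characters in usernames reaching %-expansion, and NUL bytes in ssh:// URIs) are both input-validation fixes. The Python below is an added illustration written for this page, not OpenSSH's own code: it applies the same kind of check before a username is expanded into a command template or a URI is parsed. Assumptions made here: the rejected byte set is the C0 control range plus DEL, and the %r/%h expansion is a simplified stand-in for ssh_config token expansion.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed rejection set: C0 control characters (0x00-0x1f, which includes
# NUL, CR and LF) plus DEL (0x7f). This is an illustration, not the exact
# set upstream OpenSSH rejects.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def valid_username(user: str) -> bool:
    """Accept a username only if it is non-empty and free of control characters.

    A newline or NUL inside a name that is later substituted into a command
    line (%r in ProxyCommand, for example) would otherwise change the shape
    of that command."""
    return bool(user) and CONTROL_CHARS.search(user) is None


def expand_percent(template: str, user: str, host: str) -> str:
    """Expand %r and %h into a template, refusing before expansion rather than
    after, so an unsafe name never reaches the expanded string."""
    if not valid_username(user):
        raise ValueError("refusing to expand a username containing control characters")
    return template.replace("%r", user).replace("%h", host)


def parse_ssh_uri(uri: str) -> Tuple[Optional[str], str, Optional[int]]:
    """Parse ssh://[user@]host[:port] and return (user, host, port).

    The raw string is checked first: urllib strips tab/CR/LF silently, so a
    check run only on the parsed components would miss exactly the bytes
    this is meant to catch. NUL is covered by the same regex."""
    if CONTROL_CHARS.search(uri) is not None:
        raise ValueError("control character or NUL byte in ssh:// URI")
    parts = urlsplit(uri)
    if parts.scheme != "ssh" or not parts.hostname:
        raise ValueError("not an ssh:// URI with a host")
    user = parts.username
    if user is not None and not valid_username(user):
        raise ValueError("control character in username")
    # .port raises ValueError itself for a non-numeric or out-of-range port.
    return user, parts.hostname, parts.port


def uri_is_acceptable(uri: str) -> bool:
    """Boolean wrapper so callers (and tests) do not need try/except."""
    try:
        parse_ssh_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real incident.
    for sample in ("ssh://alice@example.com:2222", "ssh://alice@exam\0ple.com",
                   "ssh://bob\nexit@example.com"):
        print(repr(sample), "->", uri_is_acceptable(sample))
    print(expand_percent("ssh -W %h:22 %r", "alice", "bastion"))
```

The order matters in `parse_ssh_uri`: validating the raw string before handing it to `urlsplit` is what makes the check meaningful, because the parser discards some control characters on its own and would otherwise hide them from a check on the parsed fields.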

openssh (1:10.0p1-8) unstable; urgency=medium

  * Remove some long-obsolete Conflicts (closes: #54243).
  * Fix mistracking of MaxStartups process exits in some situations (closes:
    #1080350).

openssh (1:10.0p1-7) unstable; urgency=medium

  * Make postinst logic for cleaning up the sshd diversion more robust.

openssh (1:10.0p1-6) unstable; urgency=medium

  * Temporarily divert /usr/sbin/sshd during upgrades from before
    1:9.8p1-1~, to avoid new connections failing between unpack and
    configure (closes: #1109742).

Date: Tue, 02 Dec 2025 16:22:16 -0500
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/openssh/1:10.2p1-2ubuntu1
-------------- next part --------------
Format: 1.8
Date: Tue, 02 Dec 2025 16:22:16 -0500
Source: openssh
Built-For-Profiles: noudeb
Architecture: source
Version: 1:10.2p1-2ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Nick Rosbrook <enr0n at ubuntu.com>
Closes: 54243 1080350 1095922 1109742 1111446 1117529 1117530 1117574 1117594 1117638 1117720 1117965
Launchpad-Bugs-Fixed: 2130054
Checksums-Sha1:
 bf12247a0244381149287472a068cc99691b02f7 3499 openssh_10.2p1-2ubuntu1.dsc
 c34efade16109f065ec8c834f237bcedd8d7ef5c 1974519 openssh_10.2p1.orig.tar.gz
 a2363ac9ef437e7eadbd550cd272a5285e02c7de 833 openssh_10.2p1.orig.tar.gz.asc
 d9bbf428c232631ba8da5b5d4e7e24d0dfa2bd65 214552 openssh_10.2p1-2ubuntu1.debian.tar.xz
 fb705ed77ecd8fb3fb9d18b1e4a06f952d7d30ed 16105 openssh_10.2p1-2ubuntu1_source.buildinfo
Checksums-Sha256:
 7e0ecf1398fc8200c95464fdeff2e79589f6227e9bc1ffae075a147d03ee8756 3499 openssh_10.2p1-2ubuntu1.dsc
 ccc42c0419937959263fa1dbd16dafc18c56b984c03562d2937ce56a60f798b2 1974519 openssh_10.2p1.orig.tar.gz
 9abf9435ca9d437b896e14bf35c63993f523aea34795d93fc03539f9bf780fd7 833 openssh_10.2p1.orig.tar.gz.asc
 19ad5c75df8ab0ec37de56854ced50a40395f3acfd1773dcfa580b9dc66f3ad4 214552 openssh_10.2p1-2ubuntu1.debian.tar.xz
 d57a9a328b120bc36379df6954eed05712d785c4eb953adc78f22a0bb8dadc06 16105 openssh_10.2p1-2ubuntu1_source.buildinfo
Files:
 6ac684c12195034bcba20f3fd88c083f 3499 net standard openssh_10.2p1-2ubuntu1.dsc
 801b5ad6da38e0045de20dd5dd2f6a80 1974519 net standard openssh_10.2p1.orig.tar.gz
 1b778b0bc19f667fb624f6d54971dbcd 833 net standard openssh_10.2p1.orig.tar.gz.asc
 cd38a00e3b6bf4b414af227f0685dadc 214552 net standard openssh_10.2p1-2ubuntu1.debian.tar.xz
 27c6dffca1084f8e80a9e5c2b72dafff 16105 net standard openssh_10.2p1-2ubuntu1_source.buildinfo
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
Vcs-Git: https://git.launchpad.net/~enr0n/ubuntu/+source/openssh
Vcs-Git-Commit: 41e6124470ad564fdfdc26107a0e4b96c66bdb7d
Vcs-Git-Ref: refs/heads/merge-resolute
