openssh 1:8.1p1-1 source package in Debian

Changelog

openssh (1:8.1p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/txt/release-8.1):
    - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest
      in RAM against speculation and memory side-channel attacks like
      Spectre, Meltdown and Rambleed.  This release encrypts private keys
      when they are not in use with a symmetric key that is derived from a
      relatively large "prekey" consisting of random data (currently 16KB).
    - ssh(1): Allow %n to be expanded in ProxyCommand strings.
    - ssh(1), sshd(8): Allow prepending a list of algorithms to the default
      set by starting the list with the '^' character, e.g.
      "HostKeyAlgorithms ^ssh-ed25519".
    - ssh-keygen(1): Add an experimental lightweight signature and
      verification ability.  Signatures may be made using regular ssh keys
      held on disk or stored in a ssh-agent and verified against an
      authorized_keys-like list of allowed keys.  Signatures embed a
      namespace that prevents confusion and attacks between different usage
      domains (e.g. files vs email).
    - ssh-keygen(1): Print key comment when extracting public key from a
      private key.
    - ssh-keygen(1): Accept the verbose flag when searching for host keys in
      known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
      random-art signature too.
    - All: Support PKCS8 as an optional format for storage of private keys
      to disk.  The OpenSSH native key format remains the default, but PKCS8
      is a superior format to PEM if interoperability with non-OpenSSH
      software is required, as it may use a less insecure key derivation
      function than PEM's.
    - ssh(1): If a PKCS#11 token returns no keys then try to login and
      refetch them.
    - ssh(1): Produce a useful error message if the user's shell is set
      incorrectly during "match exec" processing.
    - sftp(1): Allow the maximum uint32 value for the argument passed to -b
      which allows better error messages from later validation.
    - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX
      proposal; allows ssh-keyscan to harvest keys from servers that disable
      old SHA1 ssh-rsa.
    - sftp(1): Print explicit "not modified" message if a file was requested
      for resumed download but was considered already complete.
    - sftp(1): Fix a typo and make <esc><right> move right to the closest
      end of a word just like <esc><left> moves left to the closest
      beginning of a word.
    - sshd(8): Cap the number of permitopen/permitlisten directives allowed
      to appear on a single authorized_keys line.
    - All: Fix a number of memory leaks (one-off or on exit paths).
    - ssh(1), sshd(8): Check for convtime() refusing to accept times that
      resolve to LONG_MAX.
    - ssh(1): Slightly more instructive error message when the user
      specifies multiple -J options on the command-line (closes: #929669).
    - ssh-agent(1): Process agent requests for RSA certificate private keys
      using correct signature algorithm when requested.
    - sftp(1): Check for user@host when parsing sftp target.  This allows
      user@[1.2.3.4] to work without a path.
    - sshd(8): Enlarge format buffer size for certificate serial number so
      the log message can record any 64-bit integer without truncation.
    - sshd(8): For PermitOpen violations add the remote host and port to be
      able to more easily ascertain the source of the request.  Add the same
      logging for PermitListen violations which were not previously logged
      at all.
    - scp(1), sftp(1): Use the correct POSIX format style for left
      justification for the transfer progress meter.
    - sshd(8): When examining a configuration using sshd -T, assume any
      attribute not provided by -C does not match, which allows it to work
      when sshd_config contains a Match directive with or without -C.
    - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots"
      warning from log level error to debug.  This is common when attempting
      to enumerate keys on smartcard readers with no cards plugged in.
    - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11
      tokens.  Avoids spurious PIN prompts for keys not selected for
      authentication in ssh(1) and when listing public keys available in a
      token using ssh-keygen(1).
    - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
    - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with
      PROT_(READ|WRITE|NONE) only.  This syscall is used by some hardened
      heap allocators.
    - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific
      ioctl for ECC hardware support.
  * Re-enable hardening on hppa, since the corresponding GCC bug is
    apparently fixed.

 -- Colin Watson <email address hidden>  Thu, 10 Oct 2019 10:23:19 +0100

Upload details

Uploaded by:
Debian OpenSSH Maintainers
Uploaded to:
Sid
Original maintainer:
Debian OpenSSH Maintainers
Architectures:
any all
Section:
net
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Builds

Downloads

File Size SHA-256 Checksum
openssh_8.1p1-1.dsc 3.2 KiB 01e3152f72f1352078308842357f56f5206edcad7c5228ff8c13be83be69349b
openssh_8.1p1.orig.tar.gz 1.6 MiB 02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
openssh_8.1p1.orig.tar.gz.asc 683 bytes da3f623f0131b55c8199fbbd86be0748d00c6e1e098dfc0ebea664901c9a7ab4
openssh_8.1p1-1.debian.tar.xz 167.6 KiB d93a83ebd34b917a307c2876d7a3ad778277f745f38634b961cba65bf07cd10c

No changes file available.

Binary packages built by this source