Package: openssh / 1:6.7p1-5+deb8u4
Metadata
Package | Version | Patches format |
---|---|---|
openssh | 1:6.7p1-5+deb8u4 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
gssapi.patch | (download) |
ChangeLog.gssapi |
113 113 + 0 - 0 ! |
gssapi key exchange support This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-10-07 Patch-Name: gssapi.patch |
restore tcp wrappers.patch | (download) |
configure.ac |
57 57 + 0 - 0 ! |
restore tcp wrappers support Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. |
selinux role.patch | (download) |
auth.h |
1 1 + 0 - 0 ! |
handle selinux authorisation roles Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 |
ssh vulnkey compat.patch | (download) |
readconf.c |
1 1 + 0 - 0 ! |
accept obsolete ssh-vulnkey configuration options These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. |
ssh1 keepalive.patch | (download) |
clientloop.c |
25 15 + 10 - 0 ! |
partial server keep-alive implementation for ssh1 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 |
keepalive extensions.patch | (download) |
readconf.c |
14 12 + 2 - 0 ! |
various keepalive extensions Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. |
syslog level silent.patch | (download) |
log.c |
1 1 + 0 - 0 ! |
"loglevel silent" compatibility "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. |
quieter signals.patch | (download) |
clientloop.c |
6 4 + 2 - 0 ! |
reduce severity of "killed by signal %d" This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. |
helpful wait terminate.patch | (download) |
serverloop.c |
2 1 + 1 - 0 ! |
mention ~& when waiting for forwarded connections to terminate Bug-Debian: http://bugs.debian.org/50308 |
consolekit.patch | (download) |
Makefile.in |
3 2 + 1 - 0 ! |
add support for registering consolekit sessions on login Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 Last-Updated: 2014-10-07 Patch-Name: consolekit.patch |
user group modes.patch | (download) |
auth-rhosts.c |
6 2 + 4 - 0 ! |
allow harmless group-writability Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 |
scp quoting.patch | (download) |
scp.c |
12 10 + 2 - 0 ! |
adjust scp quoting in verbose mode Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 |
shell path.patch | (download) |
sshconnect.c |
4 2 + 2 - 0 ! |
look for $shell on the path for proxycommand/localcommand There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 |
dnssec sshfp.patch | (download) |
dns.c |
14 13 + 1 - 0 ! |
force use of dnssec even if "options edns0" isn't in resolv.conf This allows SSHFP DNS records to be verified if glibc 2.11 is installed. |
auth log verbosity.patch | (download) |
auth-options.c |
35 26 + 9 - 0 ! |
quieten logs when multiple from= restrictions are used Bug-Debian: http://bugs.debian.org/630606 |
mention ssh keygen on keychange.patch | (download) |
sshconnect.c |
7 6 + 1 - 0 ! |
mention ssh-keygen in ssh fingerprint changed warning Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 |
package versioning.patch | (download) |
sshconnect.c |
4 2 + 2 - 0 ! |
include the debian version in our identification This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) |
debian banner.patch | (download) |
servconf.c |
9 9 + 0 - 0 ! |
add debianbanner server configuration option Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 |
authorized keys man symlink.patch | (download) |
Makefile.in |
1 1 + 0 - 0 ! |
install authorized_keys(5) as a symlink to sshd(8) Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 |
lintian symlink pickiness.patch | (download) |
Makefile.in |
4 2 + 2 - 0 ! |
fix picky lintian errors about slogin symlinks Apparently this breaks some SVR4 packaging systems, so upstream can't win either way and opted to keep the status quo. We need this patch anyway. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 |
openbsd docs.patch | (download) |
moduli.5 |
4 2 + 2 - 0 ! |
adjust various openbsd-specific references in manual pages No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) |
ssh argv0.patch | (download) |
ssh.1 |
1 1 + 0 - 0 ! |
ssh(1): refer to ssh-argv0(1) Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 |
doc hash tab completion.patch | (download) |
ssh_config.5 |
3 3 + 0 - 0 ! |
document that hashknownhosts may break tab-completion Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 |
doc upstart.patch | (download) |
sshd.8 |
5 4 + 1 - 0 ! |
refer to ssh's upstart job as well as its init script |
ssh agent setgid.patch | (download) |
ssh-agent.1 |
15 15 + 0 - 0 ! |
document consequences of ssh-agent being setgid in ssh-agent(1) Bug-Debian: http://bugs.debian.org/711623 |
no openssl version status.patch | (download) |
openbsd-compat/openssl-compat.c |
6 3 + 3 - 0 ! |
don't check the status field of the openssl version There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. |
gnome ssh askpass2 icon.patch | (download) |
contrib/gnome-ssh-askpass2.c |
2 2 + 0 - 0 ! |
give the ssh-askpass-gnome window a default icon Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 |
sigstop.patch | (download) |
sshd.c |
10 10 + 0 - 0 ! |
support synchronisation with service supervisor using sigstop |
debian config.patch | (download) |
readconf.c |
2 1 + 1 - 0 ! |
various debian-specific configuration changes ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. |
disable roaming.patch | (download) |
readconf.c |
5 2 + 3 - 0 ! |
disable roaming in ssh client SSH roaming implementation in openssh client is vulnerable to an information leak (CVE-2016-0777) and heap-based buffer overflow (CVE-2016-0778). The information leak is somehow attacker-controller, and it is for example possible to extract the ssh client private keys. Patch-Name: disable-roaming.patch |
CVE 2015 8325.patch | (download) |
session.c |
2 1 + 1 - 0 ! |
ignore pam environment vars when uselogin=yes If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh, via Colin Watson Patch-Name: CVE-2015-8325.patch |
CVE 2016 6210 1.patch | (download) |
auth-passwd.c |
12 8 + 4 - 0 ! |
determine appropriate salt for invalid users. When sshd is processing a non-PAM login for a non-existent user it uses the string from the fakepw structure as the salt for crypt(3)ing the password supplied by the client. That string has a Blowfish prefix, so on systems that don't understand that crypt will fail fast due to an invalid |
CVE 2016 6210 2.patch | (download) |
auth-pam.c |
35 31 + 4 - 0 ! |
mitigate timing of disallowed users pam logins. When sshd decides to not allow a login (eg PermitRootLogin=no) and it's using PAM, it sends a fake password to PAM so that the timing for |
CVE 2016 6210 3.patch | (download) |
openbsd-compat/xcrypt.c |
24 15 + 9 - 0 ! |
search users for one with a valid salt. If the root account is locked (eg password "!!" or "*LK*") keep looking until we find a user with a valid salt to use for crypting passwords of invalid users. ok djm@ Patch-Name: CVE-2016-6210-3.patch |
dash dash before hostname.patch | (download) |
ssh.c |
9 6 + 3 - 0 ! |
make "--" before hostname end option processing make "--" before the hostname terminate command-line option processing completely; previous behaviour would not prevent further options appearing after the hostname (ssh has a supported options after the hostname for >20 years, so that's too late to change). ok deraadt@ Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89 |