Package: openssh / 1:5.5p1-6+squeeze5
Metadata
Package | Version | Patches format |
---|---|---|
openssh | 1:5.5p1-6+squeeze5 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
gssapi.patch | (download) |
ChangeLog.gssapi |
103 103 + 0 - 0 ! |
gssapi key exchange support This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." . However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. |
gssapi autoconf.patch | (download) |
config.h.in |
6 6 + 0 - 0 ! |
update config.h.in following gssapi patch |
gssapi compat.patch | (download) |
servconf.c |
4 4 + 0 - 0 ! |
compatibility with old gssapi option names These options were supported by the old ssh-krb5 package in Debian. . Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch. |
gssapi dump.patch | (download) |
servconf.c |
3 3 + 0 - 0 ! |
gssapi configuration dump fixes Add GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck, and GSSAPIStoreCredentialsOnRekey to sshd -T configuration dump. . Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch. |
selinux role.patch | (download) |
auth.h |
1 1 + 0 - 0 ! |
handle selinux authorisation roles Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. |
ssh vulnkey.patch | (download) |
Makefile.in |
17 13 + 4 - 0 ! |
reject vulnerable keys to mitigate debian openssl flaw In 2008, Debian (and derived distributions such as Ubuntu) shipped an OpenSSL package with a flawed random number generator, causing OpenSSH to generate only a very limited set of keys which were subject to private half precomputation. To mitigate this, this patch checks key authentications against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey program which can be used to explicitly check keys against that blacklist. See CVE-2008-0166. |
ssh1 keepalive.patch | (download) |
clientloop.c |
27 16 + 11 - 0 ! |
partial server keep-alive implementation for ssh1 |
keepalive extensions.patch | (download) |
readconf.c |
14 12 + 2 - 0 ! |
various keepalive extensions Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) . In batch mode, default ServerAliveInterval to five minutes. . Adjust documentation to match and to give some more advice on use of keepalives. |
syslog level silent.patch | (download) |
log.c |
1 1 + 0 - 0 ! |
"loglevel silent" compatibility "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. |
quieter signals.patch | (download) |
clientloop.c |
6 4 + 2 - 0 ! |
reduce severity of "killed by signal %d" This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. . According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. |
helpful wait terminate.patch | (download) |
serverloop.c |
2 1 + 1 - 0 ! |
mention ~& when waiting for forwarded connections to terminate |
user group modes.patch | (download) |
auth-rhosts.c |
6 2 + 4 - 0 ! |
allow harmless group-writability Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. |
scp quoting.patch | (download) |
scp.c |
12 10 + 2 - 0 ! |
adjust scp quoting in verbose mode Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. . This should be revised to mimic real shell quoting. |
shell path.patch | (download) |
sshconnect.c |
4 2 + 2 - 0 ! |
look for $shell on the path for proxycommand/localcommand There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. |
ssh copy id trailing colons.patch | (download) |
contrib/ssh-copy-id |
4 2 + 2 - 0 ! |
ssh-copy-id: strip trailing colons from hostname |
dnssec sshfp.patch | (download) |
dns.c |
14 13 + 1 - 0 ! |
force use of dnssec even if "options edns0" isn't in resolv.conf This allows SSHFP DNS records to be verified if glibc 2.11 is installed. |
auth log verbosity.patch | (download) |
auth-options.c |
33 25 + 8 - 0 ! |
quieten logs when multiple from= restrictions are used |
forced command debug security.patch | (download) |
auth-options.c |
2 1 + 1 - 0 ! |
don't send the actual forced command in a debug message |
max startups default.patch | (download) |
servconf.c |
6 3 + 3 - 0 ! |
change default of maxstartups to 10:30:100 This causes sshd to start doing random early drop at 10 connections up to 100 connections. This will make it harder to DoS as CPUs have come a long way since the original value was set back in 2000. |
gss serv int overflow.patch | (download) |
gss-serv.c |
2 2 + 0 - 0 ! |
fix potential int overflow when using gssapi-with-mac auth |
package versioning.patch | (download) |
sshconnect.c |
2 1 + 1 - 0 ! |
include the debian version in our identification This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) |
debian banner.patch | (download) |
servconf.c |
9 9 + 0 - 0 ! |
add debianbanner server configuration option Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. |
authorized keys man symlink.patch | (download) |
Makefile.in |
1 1 + 0 - 0 ! |
install authorized_keys(5) as a symlink to sshd(8) |
lintian symlink pickiness.patch | (download) |
Makefile.in |
4 2 + 2 - 0 ! |
fix picky lintian errors about slogin symlinks Apparently this breaks some SVR4 packaging systems, so upstream can't win either way and opted to keep the status quo. We need this patch anyway. |
openbsd docs.patch | (download) |
moduli.5 |
4 2 + 2 - 0 ! |
adjust various openbsd-specific references in manual pages No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) |
ssh argv0.patch | (download) |
ssh.1 |
1 1 + 0 - 0 ! |
ssh(1): refer to ssh-argv0(1) Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 |
doc hash tab completion.patch | (download) |
ssh_config.5 |
3 3 + 0 - 0 ! |
document that hashknownhosts may break tab-completion |
gnome ssh askpass2 icon.patch | (download) |
contrib/gnome-ssh-askpass2.c |
2 2 + 0 - 0 ! |
give the ssh-askpass-gnome window a default icon |
debian config.patch | (download) |
readconf.c |
2 1 + 1 - 0 ! |
various debian-specific configuration changes ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). . ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). . ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. . ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. . sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. . Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. |
CVE 2014 2532.patch | (download) |
bufaux.c |
33 33 + 0 - 0 ! |
disallow invalid characters in environment variable names This prevents bypassing AcceptEnv wildcard restrictions (CVE-2014-2532). |
CVE 2014 2653.patch | (download) |
sshconnect.c |
43 26 + 17 - 0 ! |
attempt sshfp lookup even if server presents a certificate If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly). . This is CVE-2014-2653. |