Package: openssh / 1:6.0p1-4+deb7u4

Metadata

Package: openssh
Version: 1:6.0p1-4+deb7u4
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
gssapi.patch

ChangeLog.gssapi | 113 113 + 0 - 0 !
Makefile.in | 3 2 + 1 - 0 !
auth-krb5.c | 17 15 + 2 - 0 !
auth2-gss.c | 48 45 + 3 - 0 !
auth2.c | 2 2 + 0 - 0 !
clientloop.c | 13 13 + 0 - 0 !
config.h.in | 6 6 + 0 - 0 !
configure | 57 57 + 0 - 0 !
configure.ac | 24 24 + 0 - 0 !
gss-genr.c | 276 272 + 4 - 0 !
gss-serv-krb5.c | 84 78 + 6 - 0 !
gss-serv.c | 220 192 + 28 - 0 !
kex.c | 18 18 + 0 - 0 !
kex.h | 14 14 + 0 - 0 !
kexgssc.c | 334 334 + 0 - 0 !
kexgsss.c | 288 288 + 0 - 0 !
key.c | 4 4 + 0 - 0 !
key.h | 1 1 + 0 - 0 !
monitor.c | 108 107 + 1 - 0 !
monitor.h | 2 2 + 0 - 0 !
monitor_wrap.c | 47 46 + 1 - 0 !
monitor_wrap.h | 4 3 + 1 - 0 !
readconf.c | 42 42 + 0 - 0 !
readconf.h | 5 5 + 0 - 0 !
servconf.c | 38 37 + 1 - 0 !
servconf.h | 3 3 + 0 - 0 !
ssh-gss.h | 39 35 + 4 - 0 !
ssh_config | 2 2 + 0 - 0 !
ssh_config.5 | 34 33 + 1 - 0 !
sshconnect2.c | 124 120 + 4 - 0 !
sshd.c | 110 110 + 0 - 0 !
sshd_config | 2 2 + 0 - 0 !
sshd_config.5 | 28 28 + 0 - 0 !
33 files changed, 2053 insertions(+), 57 deletions(-)

 gssapi key exchange support
 This patch has been rejected upstream: "None of the OpenSSH developers are
 in favour of adding this, and this situation has not changed for several
 years.  This is not a slight on Simon's patch, which is of fine quality,
 but just that a) we don't trust GSSAPI implementations that much and b) we
 don't like adding new KEX since they are pre-auth attack surface.  This one
 is particularly scary, since it requires hooks out to typically root-owned
 system resources."
 .
 However, quite a lot of people rely on this in Debian, and it's better to
 have it merged into the main openssh package rather than having separate
 -krb5 packages (as we used to have).  It seems to have a generally good
 security history.
selinux-role.patch

auth.h | 1 1 + 0 - 0 !
auth1.c | 8 7 + 1 - 0 !
auth2.c | 10 8 + 2 - 0 !
monitor.c | 32 29 + 3 - 0 !
monitor.h | 2 1 + 1 - 0 !
monitor_wrap.c | 22 20 + 2 - 0 !
monitor_wrap.h | 3 2 + 1 - 0 !
openbsd-compat/port-linux.c | 27 20 + 7 - 0 !
openbsd-compat/port-linux.h | 4 2 + 2 - 0 !
platform.c | 4 2 + 2 - 0 !
platform.h | 2 1 + 1 - 0 !
session.c | 10 5 + 5 - 0 !
session.h | 2 1 + 1 - 0 !
sshd.c | 2 1 + 1 - 0 !
sshpty.c | 4 2 + 2 - 0 !
sshpty.h | 2 1 + 1 - 0 !
16 files changed, 103 insertions(+), 32 deletions(-)

 handle selinux authorisation roles
 Rejected upstream due to discomfort with magic usernames; a better approach
 will need an SSH protocol change.  In the meantime, this came from Debian's
 SELinux maintainer, so we'll keep it until we have something better.
copy-id-restorecon.patch

contrib/ssh-copy-id | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 call restorecon on copied ~/.ssh/authorized_keys if possible
ssh-vulnkey.patch

Makefile.in | 15 12 + 3 - 0 !
auth-rh-rsa.c | 2 1 + 1 - 0 !
auth-rsa.c | 2 1 + 1 - 0 !
auth.c | 27 26 + 1 - 0 !
auth.h | 2 1 + 1 - 0 !
auth2-hostbased.c | 2 1 + 1 - 0 !
auth2-pubkey.c | 5 3 + 2 - 0 !
authfile.c | 138 138 + 0 - 0 !
authfile.h | 2 2 + 0 - 0 !
pathnames.h | 7 7 + 0 - 0 !
readconf.c | 9 9 + 0 - 0 !
readconf.h | 1 1 + 0 - 0 !
servconf.c | 11 10 + 1 - 0 !
servconf.h | 1 1 + 0 - 0 !
ssh-add.1 | 5 5 + 0 - 0 !
ssh-add.c | 10 9 + 1 - 0 !
ssh-keygen.1 | 1 1 + 0 - 0 !
ssh-vulnkey.1 | 242 242 + 0 - 0 !
ssh-vulnkey.c | 387 387 + 0 - 0 !
ssh.1 | 1 1 + 0 - 0 !
ssh.c | 18 17 + 1 - 0 !
ssh_config.5 | 17 17 + 0 - 0 !
sshconnect2.c | 4 3 + 1 - 0 !
sshd.8 | 1 1 + 0 - 0 !
sshd.c | 5 5 + 0 - 0 !
sshd_config.5 | 14 14 + 0 - 0 !
26 files changed, 915 insertions(+), 14 deletions(-)

 reject vulnerable keys to mitigate debian openssl flaw
 In 2008, Debian (and derived distributions such as Ubuntu) shipped an
 OpenSSL package with a flawed random number generator, causing OpenSSH to
 generate only a very limited set of keys which were subject to private half
 precomputation.  To mitigate this, this patch checks key authentications
 against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
 program which can be used to explicitly check keys against that blacklist.
 See CVE-2008-0166.
ssh1-keepalive.patch

clientloop.c | 25 15 + 10 - 0 !
ssh_config.5 | 5 4 + 1 - 0 !
2 files changed, 19 insertions(+), 11 deletions(-)

 partial server keep-alive implementation for ssh1
keepalive-extensions.patch

readconf.c | 14 12 + 2 - 0 !
ssh_config.5 | 21 19 + 2 - 0 !
sshd_config.5 | 3 3 + 0 - 0 !
3 files changed, 34 insertions(+), 4 deletions(-)

 various keepalive extensions
 Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut,
 supported in previous versions of Debian's OpenSSH package but since
 superseded by ServerAliveInterval.  (We're probably stuck with this bit for
 compatibility.)
 .
 In batch mode, default ServerAliveInterval to five minutes.
 .
 Adjust documentation to match and to give some more advice on use of
 keepalives.
syslog-level-silent.patch

log.c | 1 1 + 0 - 0 !
ssh.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

 "loglevel silent" compatibility
 "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
 match the behaviour of non-free SSH, in which -q does not suppress fatal
 errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
 complained, so we've dropped most of it.  The parts that remain are basic
 configuration file compatibility, and an adjustment to "Pseudo-terminal
 will not be allocated ..." which should be split out into a separate patch.
quieter-signals.patch

clientloop.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 reduce severity of "killed by signal %d"
 This produces irritating messages when using ProxyCommand or other programs
 that use ssh under the covers (e.g. Subversion).  These messages are more
 normally printed by the calling program, such as the shell.
 .
 According to the upstream bug, the right way to avoid this is to use the -q
 option, so we may drop this patch after further investigation into whether
 any software in Debian is still relying on it.
helpful-wait-terminate.patch

serverloop.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 mention ~& when waiting for forwarded connections to terminate
user-group-modes.patch

auth-rhosts.c | 6 2 + 4 - 0 !
auth.c | 9 3 + 6 - 0 !
misc.c | 52 51 + 1 - 0 !
misc.h | 2 2 + 0 - 0 !
readconf.c | 5 3 + 2 - 0 !
ssh.1 | 2 2 + 0 - 0 !
ssh_config.5 | 2 2 + 0 - 0 !
7 files changed, 65 insertions(+), 13 deletions(-)

 allow harmless group-writability
 Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
 group-writable, provided that the group in question contains only the
 file's owner.  Rejected upstream for IMO incorrect reasons (e.g. a
 misunderstanding about the contents of gr->gr_mem).  Given that
 per-user groups and umask 002 are the default setup in Debian (for good
 reasons - this makes operating in setgid directories with other groups
 much easier), we need to permit this by default.
scp-quoting.patch

scp.c | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 adjust scp quoting in verbose mode
 Tweak scp's reporting of filenames in verbose mode to be a bit less
 confusing with spaces.
 .
 This should be revised to mimic real shell quoting.
shell-path.patch

sshconnect.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 look for $shell on the path for proxycommand/localcommand
 There's some debate on the upstream bug about whether POSIX requires this.
 I (Colin Watson) agree with Vincent and think it does.
dnssec-sshfp.patch

dns.c | 14 13 + 1 - 0 !
openbsd-compat/getrrsetbyname.c | 10 5 + 5 - 0 !
openbsd-compat/getrrsetbyname.h | 3 3 + 0 - 0 !
3 files changed, 21 insertions(+), 6 deletions(-)

 force use of dnssec even if "options edns0" isn't in resolv.conf
 This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
max-startups-default.patch

servconf.c | 6 3 + 3 - 0 !
sshd_config | 2 1 + 1 - 0 !
sshd_config.5 | 2 1 + 1 - 0 !
3 files changed, 5 insertions(+), 5 deletions(-)

 change default of maxstartups to 10:30:100
 This causes sshd to start doing random early drop at 10 connections up to
 100 connections.  This will make it harder to DoS as CPUs have come a long
 way since the original value was set back in 2000.
package-versioning.patch

sshconnect.c | 2 1 + 1 - 0 !
sshd.c | 2 1 + 1 - 0 !
version.h | 7 6 + 1 - 0 !
3 files changed, 8 insertions(+), 3 deletions(-)

 include the debian version in our identification
 This makes it easier to audit networks for versions patched against
 security vulnerabilities.  It has little detrimental effect, as attackers
 will generally just try attacks rather than bothering to scan for
 vulnerable-looking version strings.  (However, see debian-banner.patch.)
debian-banner.patch

servconf.c | 9 9 + 0 - 0 !
servconf.h | 2 2 + 0 - 0 !
sshd.c | 3 2 + 1 - 0 !
sshd_config.5 | 5 5 + 0 - 0 !
4 files changed, 18 insertions(+), 1 deletion(-)

 add debianbanner server configuration option
 Setting this to "no" causes sshd to omit the Debian revision from its
 initial protocol handshake, for those scared by package-versioning.patch.
authorized-keys-man-symlink.patch

Makefile.in | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 install authorized_keys(5) as a symlink to sshd(8)
lintian-symlink-pickiness.patch

Makefile.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix picky lintian errors about slogin symlinks
 Apparently this breaks some SVR4 packaging systems, so upstream can't win
 either way and opted to keep the status quo.  We need this patch anyway.
openbsd-docs.patch

moduli.5 | 4 2 + 2 - 0 !
ssh-keygen.1 | 12 4 + 8 - 0 !
ssh.1 | 4 4 + 0 - 0 !
sshd.8 | 5 2 + 3 - 0 !
sshd_config.5 | 3 1 + 2 - 0 !
5 files changed, 13 insertions(+), 15 deletions(-)

 adjust various openbsd-specific references in manual pages
 No single bug reference for this patch, but history includes:
  http://bugs.debian.org/154434 (login.conf(5))
  http://bugs.debian.org/513417 (/etc/rc)
  http://bugs.debian.org/530692 (ssl(8))
  https://bugs.launchpad.net/bugs/456660 (ssl(8))
ssh-argv0.patch

ssh.1 | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 ssh(1): refer to ssh-argv0(1)
 Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating
 symlinks to ssh with the name of the host you want to connect to.  Debian
 ships an ssh-argv0 script restoring this feature; this patch refers to its
 manual page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
doc-hash-tab-completion.patch

ssh_config.5 | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 document that hashknownhosts may break tab-completion
auth-log-verbosity.patch

auth-options.c | 35 26 + 9 - 0 !
auth-options.h | 1 1 + 0 - 0 !
auth-rsa.c | 2 2 + 0 - 0 !
auth2-pubkey.c | 4 4 + 0 - 0 !
4 files changed, 33 insertions(+), 9 deletions(-)

 quieten logs when multiple from= restrictions are used
cross-pkg-config.patch

configure | 63 60 + 3 - 0 !
configure.ac | 2 1 + 1 - 0 !
contrib/Makefile | 6 4 + 2 - 0 !
3 files changed, 65 insertions(+), 6 deletions(-)

 allow using a cross-architecture pkg-config
configure-bashism.patch

configure | 2 1 + 1 - 0 !
configure.ac | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix a bashism in configure
sandbox-fallback.patch

Makefile.in | 4 2 + 2 - 0 !
config.h.in | 3 0 + 3 - 0 !
configure | 72 17 + 55 - 0 !
configure.ac | 47 17 + 30 - 0 !
sandbox-darwin.c | 54 42 + 12 - 0 !
sandbox-null.c | 35 23 + 12 - 0 !
sandbox-rlimit.c | 52 41 + 11 - 0 !
sandbox-seccomp-filter.c | 81 66 + 15 - 0 !
sandbox-systrace.c | 55 44 + 11 - 0 !
sandbox.c | 82 82 + 0 - 0 !
ssh-sandbox.h | 25 20 + 5 - 0 !
sshd.c | 2 1 + 1 - 0 !
12 files changed, 355 insertions(+), 157 deletions(-)

 add a sandbox fallback mechanism
no-openssl-version-check.patch

entropy.c | 12 0 + 12 - 0 !
1 file changed, 12 deletions(-)

 disable openssl version check
 OpenSSL's SONAME is sufficient nowadays.
gnome-ssh-askpass2-icon.patch

contrib/gnome-ssh-askpass2.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 give the ssh-askpass-gnome window a default icon
debian-config.patch

readconf.c | 2 1 + 1 - 0 !
ssh_config | 7 6 + 1 - 0 !
ssh_config.5 | 19 18 + 1 - 0 !
sshd_config | 1 1 + 0 - 0 !
sshd_config.5 | 27 27 + 0 - 0 !
5 files changed, 53 insertions(+), 3 deletions(-)

 various debian-specific configuration changes
 ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
 fewer problems with existing setups (http://bugs.debian.org/237021).
 .
 ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
 .
 ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
 worms.
 .
 ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
 default.
 .
 sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
 PermitRootLogin default.
 .
 Document all of this, along with several sshd defaults set in
 debian/openssh-server.postinst.
CVE-2014-2532.patch

session.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 disallow invalid characters in environment variable names
 This prevents bypassing AcceptEnv wildcard restrictions (CVE-2014-2532).
CVE-2014-2653.patch

sshconnect.c | 42 26 + 16 - 0 !
1 file changed, 26 insertions(+), 16 deletions(-)

 attempt sshfp lookup even if server presents a certificate
 If an ssh server presents a certificate to the client, then the client does
 not check the DNS for SSHFP records. This means that a malicious server can
 essentially disable DNS-host-key-checking, which means the client will fall
 back to asking the user (who will just say "yes" to the fingerprint,
 sadly).
 .
 This is CVE-2014-2653.
disable-roaming.patch

readconf.c | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

---
CVE-2015-8325.patch

session.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] ignore pam environment vars when uselogin=yes

If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.

CVE-2015-8325, found by Shayan Sadigh, via Colin Watson