Package: openssh / 1:7.4p1-10+deb9u7
Metadata
Package | Version | Patches format |
---|---|---|
openssh | 1:7.4p1-10+deb9u7 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
gssapi.patch | (download) |
ChangeLog.gssapi |
113 113 + 0 - 0 ! |
gssapi key exchange support This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch |
restore tcp wrappers.patch | (download) |
configure.ac |
57 57 + 0 - 0 ! |
restore tcp wrappers support Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. |
selinux role.patch | (download) |
auth.h |
1 1 + 0 - 0 ! |
handle selinux authorisation roles Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 |
ssh vulnkey compat.patch | (download) |
readconf.c |
1 1 + 0 - 0 ! |
accept obsolete ssh-vulnkey configuration options These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. |
keepalive extensions.patch | (download) |
readconf.c |
14 12 + 2 - 0 ! |
various keepalive extensions Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. |
syslog level silent.patch | (download) |
log.c |
1 1 + 0 - 0 ! |
"loglevel silent" compatibility "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. |
quieter signals.patch | (download) |
clientloop.c |
6 4 + 2 - 0 ! |
reduce severity of "killed by signal %d" This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. |
user group modes.patch | (download) |
auth-rhosts.c |
6 2 + 4 - 0 ! |
allow harmless group-writability Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 |
scp quoting.patch | (download) |
scp.c |
12 10 + 2 - 0 ! |
adjust scp quoting in verbose mode Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 |
shell path.patch | (download) |
sshconnect.c |
4 2 + 2 - 0 ! |
look for $shell on the path for proxycommand/localcommand There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 |
dnssec sshfp.patch | (download) |
dns.c |
14 13 + 1 - 0 ! |
force use of dnssec even if "options edns0" isn't in resolv.conf This allows SSHFP DNS records to be verified if glibc 2.11 is installed. |
auth log verbosity.patch | (download) |
auth-options.c |
35 26 + 9 - 0 ! |
quieten logs when multiple from= restrictions are used Bug-Debian: http://bugs.debian.org/630606 |
mention ssh keygen on keychange.patch | (download) |
sshconnect.c |
8 7 + 1 - 0 ! |
mention ssh-keygen in ssh fingerprint changed warning Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 |
package versioning.patch | (download) |
sshconnect.c |
4 2 + 2 - 0 ! |
include the debian version in our identification This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) |
debian banner.patch | (download) |
servconf.c |
9 9 + 0 - 0 ! |
add debianbanner server configuration option Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 |
authorized keys man symlink.patch | (download) |
Makefile.in |
1 1 + 0 - 0 ! |
install authorized_keys(5) as a symlink to sshd(8) Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 |
openbsd docs.patch | (download) |
moduli.5 |
4 2 + 2 - 0 ! |
adjust various openbsd-specific references in manual pages No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) |
ssh argv0.patch | (download) |
ssh.1 |
1 1 + 0 - 0 ! |
ssh(1): refer to ssh-argv0(1) Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 |
doc hash tab completion.patch | (download) |
ssh_config.5 |
3 3 + 0 - 0 ! |
document that hashknownhosts may break tab-completion Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 |
doc upstart.patch | (download) |
sshd.8 |
5 4 + 1 - 0 ! |
refer to ssh's upstart job as well as its init script |
ssh agent setgid.patch | (download) |
ssh-agent.1 |
15 15 + 0 - 0 ! |
document consequences of ssh-agent being setgid in ssh-agent(1) Bug-Debian: http://bugs.debian.org/711623 |
no openssl version status.patch | (download) |
openbsd-compat/openssl-compat.c |
6 3 + 3 - 0 ! |
don't check the status field of the openssl version There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. |
gnome ssh askpass2 icon.patch | (download) |
contrib/gnome-ssh-askpass2.c |
2 2 + 0 - 0 ! |
give the ssh-askpass-gnome window a default icon Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 |
sigstop.patch | (download) |
sshd.c |
10 10 + 0 - 0 ! |
support synchronisation with service supervisor using sigstop |
systemd readiness.patch | (download) |
configure.ac |
24 24 + 0 - 0 ! |
add systemd readiness notification support Bug-Debian: https://bugs.debian.org/778913 |
debian config.patch | (download) |
readconf.c |
2 1 + 1 - 0 ! |
various debian-specific configuration changes ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. |
regress integrity robust.patch | (download) |
regress/integrity.sh |
9 5 + 4 - 0 ! |
make integrity tests more robust against timeouts If the first test in a series for a given MAC happens to modify the low bytes of a packet length, then ssh will time out and this will be interpreted as a test failure. Handle this failure mode. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658 Patch-Name: regress-integrity-robust.patch |
regress forwarding race.patch | (download) |
regress/forwarding.sh |
32 19 + 13 - 0 ! |
fix race conditions in forwarding tests The forwarding tests sometimes seem to fail in a way that suggests ports are in use even though they shouldn't be. Convert more of them to use a mux socket rather than relying on sleeps in the hope that that makes behaviour more consistent. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2659 Patch-Name: regress-forwarding-race.patch |
regress mktemp.patch | (download) |
Makefile.in |
5 5 + 0 - 0 ! |
create mux socket for regress in temp directory In some setups, creating the socket under OBJ may result in a path that is too long for a Unix domain socket. Add a helper to let us portably create a temporary directory instead. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2660 |
sandbox x32 workaround.patch | (download) |
sandbox-seccomp-filter.c |
9 9 + 0 - 0 ! |
work around clock_gettime kernel bug on linux x32 On Linux x32, the clock_gettime VDSO currently falls back to the x86-64 syscall, so allow that as well as its x32 sibling. Bug-Debian: https://bugs.debian.org/849923 |
no dsa host key by default.patch | (download) |
servconf.c |
2 0 + 2 - 0 ! |
remove ssh_host_dsa_key from hostkey default The client no longer accepts DSA host keys, and servers using the default HostKey setting should have better host keys available. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662 Bug-Debian: https://bugs.debian.org/850614 |
restore authorized_keys2.patch | (download) |
sshd_config |
5 2 + 3 - 0 ! |
restore reading authorized_keys2 by default Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. Bug-Debian: https://bugs.debian.org/852320 |
ssh keygen hash corruption.patch | (download) |
ssh-keygen.c |
4 2 + 2 - 0 ! |
upstream commit fix ssh-keygen -H accidentally corrupting known_hosts that contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by hostkeys_foreach() when hostname matching is in use, so we need to look for the hash marker explicitly. Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528 |
ssh keyscan hash port.patch | (download) |
ssh-keyscan.c |
11 6 + 5 - 0 ! |
upstream commit correctly hash hosts with a port number. Reported by Josh Powers in bz#2692; ok dtucker@ Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442 |
ssh keygen null deref.patch | (download) |
ssh-keygen.c |
2 1 + 1 - 0 ! |
upstream commit Check l->hosts before dereferencing; fixes potential null pointer deref. ok djm@ Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301 |
unbreak unix forwarding for root.patch | (download) |
serverloop.c |
19 12 + 7 - 0 ! |
upstream commit unbreak Unix domain socket forwarding for root; ok markus@ Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2 |
fix incoming compression statistics.patch | (download) |
packet.c |
2 1 + 1 - 0 ! |
fix incoming compression statistics Bug-Debian: https://bugs.debian.org/797964 |
winscp dhgex compat.patch | (download) |
compat.c |
9 6 + 3 - 0 ! |
fix dh group exchange compat with current winscp Make WinSCP patterns for SSH_OLD_DHGEX more specific to exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@ Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a |
dash dash before hostname.patch | (download) |
ssh.c |
9 6 + 3 - 0 ! |
make "--" before hostname end option processing make "--" before the hostname terminate command-line option processing completely; previous behaviour would not prevent further options appearing after the hostname (ssh has a supported options after the hostname for >20 years, so that's too late to change). ok deraadt@ Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89 |
CVE 2017 15906.patch | (download) |
sftp-server.c |
6 3 + 3 - 0 ! |
upstream commit disallow creation (of empty files) in read-only mode; reported by Michal Zalewski, feedback & ok deraadt@ Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b |
upstream delay bailout for invalid authenticating user.patch | (download) |
auth2-gss.c |
9 6 + 3 - 0 ! |
upstream: delay bailout for invalid authenticating user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... until after the packet containing the request has been fully parsed. Reported by Dariusz Tytko and Micha Sajdak; ok deraadt OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d |
scp disallow dot or empty filename.patch | (download) |
scp.c |
3 2 + 1 - 0 ! |
upstream: disallow empty incoming filename or ones that refer to the current directory; based on report/patch from Harry Sintonen OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9 |
sanitize scp filenames via snmprintf.patch | (download) |
atomicio.c |
20 15 + 5 - 0 ! |
upstream: sanitize scp filenames via snmprintf. to do this we move the progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too. bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@ OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8 |
have progressmeter force update at beginning and end transfer.patch | (download) |
progressmeter.c |
13 5 + 8 - 0 ! |
upstream: have progressmeter force an update at the beginning and end of each transfer. Fixes the problem recently introduces where very quick transfers do not display the progressmeter at all. Spotted by naddy@ OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a |
check filenames in scp client.patch | (download) |
scp.1 |
17 13 + 4 - 0 ! |
upstream: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted |
scp handle braces.patch | (download) |
scp.c |
280 269 + 11 - 0 ! |
upstream: when checking that filenames sent by the server side match what the client requested, be prepared to handle shell-style brace alternations, e.g. "{foo,bar}". "looks good to me" millert@ + in snaps for the last week courtesy deraadt@ OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e |
fix deadlock in keys principals command.patch | (download) |
auth2-pubkey.c |
6 6 + 0 - 0 ! |
[patch] upstream commit fix deadlock when keys/principals command produces a lot of output and a key is matched early; bz#2655, patch from jboning AT gmail.com Upstream-ID: e19456429bf99087ea994432c16d00a642060afe |