author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-27 08:42:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-27 08:42:40 +0000 |
commit | 61ddb5002596ce4bfc6a400fd9952b514350c95a (patch) | |
tree | b3c2223bb28ef51f8c683867e440500ef781e20d /debian/NEWS | |
parent | Merging upstream version 1:9.9p1. (diff) | |
Adding debian version 1:9.9p1-1. (debian/1%9.9p1-1, debian)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/NEWS')
-rw-r--r-- | debian/NEWS | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS index 2898018..2ed0d9c 100644 --- a/debian/NEWS +++ b/debian/NEWS 
@@ -1,3 +1,38 @@ +openssh (1:9.9p1-1) unstable; urgency=medium + + OpenSSH 9.9p1 includes a number of changes that may affect existing + configurations: + + * ssh(1): remove support for pre-authentication compression. OpenSSH has + only supported post-authentication compression in the server for some + years. Compression before authentication significantly increases the + attack surface of SSH servers and risks creating oracles that reveal + information about information sent during authentication. + + * ssh(1), sshd(8): processing of the arguments to the "Match" + configuration directive now follows more shell-like rules for quoted + strings, including allowing nested quotes and \-escaped characters. If + configurations contained workarounds for the previous simplistic quote + handling then they may need to be adjusted. If this is the case, it's + most likely to be in the arguments to a "Match exec" condition. In this + case, moving the command to be evaluated from the Match line to an + external shell script is the easiest way to preserve compatibility with + both the old and new versions. + + -- Colin Watson <cjwatson@debian.org> Mon, 23 Sep 2024 21:09:59 -0700 + +openssh (1:9.8p1-5) unstable; urgency=medium + + Future Debian releases will remove GSS-API authentication and key exchange + support from openssh-client and openssh-server; this adds + pre-authentication attack surface and should only be used where + specifically needed. Users of GSS-API authentication or key exchange + should install the new openssh-client-gssapi or openssh-server-gssapi + package now; these currently just depend on openssh-client and + openssh-server respectively, but this will change in the future. + + -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 12:13:32 +0100 + openssh (1:9.8p1-1) unstable; urgency=medium OpenSSH 9.8p1 includes a number of changes that may affect existing |
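Review bot: in the 1:9.8p1-5 entry, "this adds pre-authentication attack surface and should only be used where specifically needed" has an ambiguous antecedent. Coming straight after "will remove GSS-API authentication and key exchange support", it can be read as saying the removal adds attack surface. Naming the subject would fix it, for example "GSS-API support adds pre-authentication attack surface and should only be used where specifically needed". In the 1:9.9p1-1 entry, "reveal information about information sent during authentication" repeats itself and could read "reveal information about data sent during authentication". The "Match" bullet tells administrators their configurations "may need to be adjusted" but gives no way to tell whether a given Match line is affected. One sentence describing how to check an existing configuration after the upgrade would make the entry actionable.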