summaryrefslogtreecommitdiffstats
path: root/debian/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'debian/NEWS')
-rw-r--r--debian/NEWS35
1 files changed, 35 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 2898018..2ed0d9c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,38 @@
+openssh (1:9.9p1-1) unstable; urgency=medium
+
+ OpenSSH 9.9p1 includes a number of changes that may affect existing
+ configurations:
+
+ * ssh(1): remove support for pre-authentication compression. OpenSSH has
+ only supported post-authentication compression in the server for some
+ years. Compression before authentication significantly increases the
+ attack surface of SSH servers and risks creating oracles that reveal
+ information about information sent during authentication.
+
+ * ssh(1), sshd(8): processing of the arguments to the "Match"
+ configuration directive now follows more shell-like rules for quoted
+ strings, including allowing nested quotes and \-escaped characters. If
+ configurations contained workarounds for the previous simplistic quote
+ handling then they may need to be adjusted. If this is the case, it's
+ most likely to be in the arguments to a "Match exec" condition. In this
+ case, moving the command to be evaluated from the Match line to an
+ external shell script is the easiest way to preserve compatibility with
+ both the old and new versions.
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 23 Sep 2024 21:09:59 -0700
+
+openssh (1:9.8p1-5) unstable; urgency=medium
+
+ Future Debian releases will remove GSS-API authentication and key exchange
+ support from openssh-client and openssh-server; this adds
+ pre-authentication attack surface and should only be used where
+ specifically needed. Users of GSS-API authentication or key exchange
+ should install the new openssh-client-gssapi or openssh-server-gssapi
+ package now; these currently just depend on openssh-client and
+ openssh-server respectively, but this will change in the future.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 12:13:32 +0100
+
openssh (1:9.8p1-1) unstable; urgency=medium
OpenSSH 9.8p1 includes a number of changes that may affect existing
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-05 09:27:16 +0000