summaryrefslogtreecommitdiffstats
path: root/debian/changelog
diff options
context:
space:
mode:
Diffstat (limited to 'debian/changelog')
-rw-r--r--debian/changelog113
1 files changed, 113 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 9aa27f1..847915c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,116 @@
+openssh (1:9.9p1-1) unstable; urgency=medium
+
+ * Alias the old Debian-specific SetupTimeOut client option to
+ ConnectTimeout rather than to ServerAliveInterval.
+ * New upstream release (https://www.openssh.com/releasenotes.html#9.9p1):
+ - ssh(1): remove support for pre-authentication compression.
+ - ssh(1), sshd(8): processing of the arguments to the "Match"
+ configuration directive now follows more shell-like rules for quoted
+ strings, including allowing nested quotes and \-escaped characters.
+ - ssh(1), sshd(8): add support for a new hybrid post-quantum key
+ exchange based on the FIPS 203 Module-Lattice Key Enapsulation
+ mechanism (ML-KEM) combined with X25519 ECDH as described by
+ https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
+ This algorithm "mlkem768x25519-sha256" is available by default.
+ - ssh(1): the ssh_config "Include" directive can now expand environment
+ as well as the same set of %-tokens "Match Exec" supports.
+ - sshd(8): add a sshd_config "RefuseConnection" option that, if set will
+ terminate the connection at the first authentication request.
+ - sshd(8): add a "refuseconnection" penalty class to sshd_config
+ PerSourcePenalties that is applied when a connection is dropped by the
+ new RefuseConnection keyword.
+ - sshd(8): add a "Match invalid-user" predicate to sshd_config Match
+ options that matches when the target username is not valid on the
+ server.
+ - ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
+ substantially faster implementation.
+ - ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key exchange
+ algorithm now has an IANA-assigned name in addition to the
+ "@openssh.com" vendor extension name. This algorithm is now also
+ available under this name "sntrup761x25519-sha512"
+ - ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
+ included in core dump files for most of their lifespans. This is in
+ addition to pre-existing controls in ssh-agent(1) and sshd(8) that
+ prevented coredumps.
+ - All: convert key handling to use the libcrypto EVP_PKEY API, with the
+ exception of DSA.
+ - sshd(8): add a random amount of jitter (up to 4 seconds) to the grace
+ login time to make its expiry unpredictable.
+ - sshd(8): fix regression introduced in openssh-9.8 that swapped the
+ order of source and destination addresses in some sshd log messages.
+ - sshd(8): do not apply authorized_keys options when signature
+ verification fails. Prevents more restrictive key options being
+ incorrectly applied to subsequent keys in authorized_keys.
+ - ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
+ prompts. Helps the user know what's going on when ssh-keygen is
+ invoked via other tools.
+ - ssh(1), ssh-add(1): make parsing user@host consistently look for the
+ last '@' in the string rather than the first. This makes it possible
+ to more consistently use usernames that contain '@' characters.
+ - ssh(1), sshd(8): be more strict in parsing key type names. Only allow
+ short names (e.g "rsa") in user-interface code and require full SSH
+ protocol names (e.g. "ssh-rsa") everywhere else.
+ - regress: many performance and correctness improvements to the
+ re-keying regression test.
+ - ssh-keygen(1): clarify that ed25519 is the default key type generated
+ and clarify that rsa-sha2-512 is the default signature scheme when RSA
+ is in use.
+ - sshd(8): fix minor memory leak in Subsystem option parsing.
+ - All: additional hardening and consistency checks for the sshbuf code.
+ - sshd(8): reduce default logingrace penalty to ensure that a single
+ forgotten login that times out will be below the penalty threshold.
+ - ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started with
+ ControlPersist then later has a forwarding added using mux proxy
+ connection and the forwarding was used, then when the mux proxy
+ session terminated, the mux master process would issue a bad message
+ that terminated the connection.
+ - Sync contrib/ssh-copy-id to the latest upstream version.
+ - sshd(8): restore audit call before exit that regressed in openssh-9.8.
+ Fixes an issue where the SSH_CONNECTION_ABANDON event was not
+ recorded.
+ - Fix detection of setres*id on GNU/Hurd.
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 23 Sep 2024 21:09:59 -0700
+
+openssh (1:9.8p1-8) unstable; urgency=medium
+
+ * Source-only reupload.
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 30 Aug 2024 00:38:26 +0100
+
+openssh (1:9.8p1-7) unstable; urgency=medium
+
+ * Adjust description line-wrapping so that lintian recognizes that
+ openssh-client-gssapi is an intentionally empty package.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 14:17:13 +0100
+
+openssh (1:9.8p1-6) unstable; urgency=medium
+
+ * Upload with binaries to satisfy Debian archive NEW checks.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 13:46:57 +0100
+
+openssh (1:9.8p1-5) unstable; urgency=medium
+
+ * Add openssh-client-gssapi and openssh-server-gssapi packages; these
+ currently just depend on their non-gssapi counterparts, but will become
+ different in future. See
+ https://lists.debian.org/debian-devel/2024/04/msg00044.html.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 12:53:42 +0100
+
+openssh (1:9.8p1-4) unstable; urgency=medium
+
+ [ Grzegorz Szymaszek ]
+ * Disable listening on 22 in the port change example in README.Debian.
+
+ [ Colin Watson ]
+ * sshd: Allow exec without absolute path in inetd mode (closes: #1078429).
+ * Add an autopkgtest for running sshd from xinetd.
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 26 Aug 2024 15:02:45 +0100
+
openssh (1:9.8p1-3~progress7.99u1) graograman-backports; urgency=medium
* Uploading to graograman-backports, remaining changes: