1. 03 Dec, 2015 15 commits
  2. 29 Nov, 2015 4 commits
    • Accept obsolete ssh-vulnkey configuration options · 250d744e
      Colin Watson authored
      These options were used as part of Debian's response to CVE-2008-0166.
      Nearly six years later, we no longer need to continue carrying the bulk
      of that patch, but we do need to avoid failing when the associated
      configuration options are still present.
      Last-Update: 2014-02-09
      Patch-Name: ssh-vulnkey-compat.patch
    • Handle SELinux authorisation roles · d55bc528
      Manoj Srivastava authored
      Rejected upstream due to discomfort with magic usernames; a better approach
      will need an SSH protocol change.  In the meantime, this came from Debian's
      SELinux maintainer, so we'll keep it until we have something better.
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
      Bug-Debian: http://bugs.debian.org/394795
      Last-Update: 2015-08-19
      Patch-Name: selinux-role.patch
    • Restore TCP wrappers support · 2cd06c4a
      Colin Watson authored
      Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
      and thread:
      It is true that this reduces preauth attack surface in sshd.  On the
      other hand, this support seems to be quite widely used, and abruptly
      dropping it (from the perspective of users who don't read
      openssh-unix-dev) could easily cause more serious problems in practice.
      It's not entirely clear what the right long-term answer for Debian is,
      but it at least probably doesn't involve dropping this feature shortly
      before a freeze.
      Forwarded: not-needed
      Last-Update: 2014-10-07
      Patch-Name: restore-tcp-wrappers.patch
    • GSSAPI key exchange support · 09c4d9b7
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2015-11-29
      Patch-Name: gssapi.patch
  3. 22 Aug, 2015 2 commits
  4. 21 Aug, 2015 7 commits
  5. 20 Aug, 2015 4 commits
    • upstream commit · 8543d4ef
      djm@openbsd.org authored
      Better compat matching for WinSCP, add compat matching
       for FuTTY (fork of PuTTY); ok markus@ deraadt@
      Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
    • upstream commit · ec6eda16
      djm@openbsd.org authored
      fix double-free() in error path of DSA key generation
       reported by Mateusz Kocielski; ok markus@
      Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
    • upstream commit · 45b0eb75
      djm@openbsd.org authored
      fix free() of uninitialised pointer reported by Mateusz
       Kocielski; ok markus@
      Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
    • upstream commit · c837643b
      djm@openbsd.org authored
      fixed unlink([uninitialised memory]) reported by Mateusz
       Kocielski; ok markus@
      Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
  6. 19 Aug, 2015 3 commits
  7. 11 Aug, 2015 5 commits