1. 03 Dec, 2015 15 commits
  2. 29 Nov, 2015 4 commits
    • Accept obsolete ssh-vulnkey configuration options · 250d744e
      Colin Watson authored
      These options were used as part of Debian's response to CVE-2008-0166.
      Nearly six years later, we no longer need to continue carrying the bulk
      of that patch, but we do need to avoid failing when the associated
      configuration options are still present.
      
      Last-Update: 2014-02-09
      
      Patch-Name: ssh-vulnkey-compat.patch
    • Handle SELinux authorisation roles · d55bc528
      Manoj Srivastava authored
      Rejected upstream due to discomfort with magic usernames; a better approach
      will need an SSH protocol change.  In the meantime, this came from Debian's
      SELinux maintainer, so we'll keep it until we have something better.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
      Bug-Debian: http://bugs.debian.org/394795
      Last-Update: 2015-08-19
      
      Patch-Name: selinux-role.patch
    • Restore TCP wrappers support · 2cd06c4a
      Colin Watson authored
      Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
      and thread:
      
        https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
      
      It is true that this reduces preauth attack surface in sshd.  On the
      other hand, this support seems to be quite widely used, and abruptly
      dropping it (from the perspective of users who don't read
      openssh-unix-dev) could easily cause more serious problems in practice.
      
      It's not entirely clear what the right long-term answer for Debian is,
      but it at least probably doesn't involve dropping this feature shortly
      before a freeze.
      
      Forwarded: not-needed
      Last-Update: 2014-10-07
      
      Patch-Name: restore-tcp-wrappers.patch
    • GSSAPI key exchange support · 09c4d9b7
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2015-11-29
      
      Patch-Name: gssapi.patch
  3. 22 Aug, 2015 2 commits
  4. 21 Aug, 2015 7 commits
  5. 20 Aug, 2015 4 commits
    • upstream commit · 8543d4ef
      djm@openbsd.org authored
      Better compat matching for WinSCP, add compat matching
       for FuTTY (fork of PuTTY); ok markus@ deraadt@
      
      Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
    • upstream commit · ec6eda16
      djm@openbsd.org authored
      fix double-free() in error path of DSA key generation
       reported by Mateusz Kocielski; ok markus@
      
      Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
    • upstream commit · 45b0eb75
      djm@openbsd.org authored
      fix free() of uninitialised pointer reported by Mateusz
       Kocielski; ok markus@
      
      Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
    • upstream commit · c837643b
      djm@openbsd.org authored
      fixed unlink([uninitialised memory]) reported by Mateusz
       Kocielski; ok markus@
      
      Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
  6. 19 Aug, 2015 3 commits
  7. 11 Aug, 2015 5 commits