1. 24 Nov, 2015 11 commits
  2. 17 Sep, 2015 9 commits
      Mention ~& when waiting for forwarded connections to terminate · cc53919e
      Matthew Vernon authored
      Bug-Debian: http://bugs.debian.org/50308
      Last-Update: 2010-02-27
      
      Patch-Name: helpful-wait-terminate.patch
      Reduce severity of "Killed by signal %d" · dd148bdf
      Peter Samuelson authored
      This produces irritating messages when using ProxyCommand or other programs
      that use ssh under the covers (e.g. Subversion).  These messages are more
      normally printed by the calling program, such as the shell.
      
      According to the upstream bug, the right way to avoid this is to use the -q
      option, so we may drop this patch after further investigation into whether
      any software in Debian is still relying on it.
      
      Author: Colin Watson <cjwatson@debian.org>
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
      Bug-Debian: http://bugs.debian.org/313371
      Last-Update: 2013-09-14
      
      Patch-Name: quieter-signals.patch
      "LogLevel SILENT" compatibility · ff5dffb6
      Jonathan David Amery authored
      "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
      match the behaviour of non-free SSH, in which -q does not suppress fatal
      errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
      complained, so we've dropped most of it.  The parts that remain are basic
      configuration file compatibility, and an adjustment to "Pseudo-terminal will
      not be allocated ..." which should be split out into a separate patch.
      
      Author: Matthew Vernon <matthew@debian.org>
      Author: Colin Watson <cjwatson@debian.org>
      Last-Update: 2013-09-14
      
      Patch-Name: syslog-level-silent.patch
      Various keepalive extensions · 302a74ce
      Richard Kettlewell authored
      Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
      in previous versions of Debian's OpenSSH package but since superseded by
      ServerAliveInterval.  (We're probably stuck with this bit for
      compatibility.)
      
      In batch mode, default ServerAliveInterval to five minutes.
      
      Adjust documentation to match and to give some more advice on use of
      keepalives.
      
      Author: Ian Jackson <ian@chiark.greenend.org.uk>
      Author: Matthew Vernon <matthew@debian.org>
      Author: Colin Watson <cjwatson@debian.org>
      Last-Update: 2015-08-19
      
      Patch-Name: keepalive-extensions.patch
      Partial server keep-alive implementation for SSH1 · 634f3188
      Colin Watson authored
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
      Last-Update: 2013-09-14
      
      Patch-Name: ssh1-keepalive.patch
      Accept obsolete ssh-vulnkey configuration options · 65475076
      Colin Watson authored
      These options were used as part of Debian's response to CVE-2008-0166.
      Nearly six years later, we no longer need to continue carrying the bulk
      of that patch, but we do need to avoid failing when the associated
      configuration options are still present.
      
      Last-Update: 2014-02-09
      
      Patch-Name: ssh-vulnkey-compat.patch
      Handle SELinux authorisation roles · a12d63c5
      Manoj Srivastava authored
      Rejected upstream due to discomfort with magic usernames; a better approach
      will need an SSH protocol change.  In the meantime, this came from Debian's
      SELinux maintainer, so we'll keep it until we have something better.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
      Bug-Debian: http://bugs.debian.org/394795
      Last-Update: 2015-08-19
      
      Patch-Name: selinux-role.patch
      Restore TCP wrappers support · 1850a2c9
      Colin Watson authored
      Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
      and thread:
      
        https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
      
      It is true that this reduces preauth attack surface in sshd.  On the
      other hand, this support seems to be quite widely used, and abruptly
      dropping it (from the perspective of users who don't read
      openssh-unix-dev) could easily cause more serious problems in practice.
      
      It's not entirely clear what the right long-term answer for Debian is,
      but it at least probably doesn't involve dropping this feature shortly
      before a freeze.
      
      Forwarded: not-needed
      Last-Update: 2014-10-07
      
      Patch-Name: restore-tcp-wrappers.patch
      GSSAPI key exchange support · 70b18066
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2015-09-17
      
      Patch-Name: gssapi.patch
  3. 19 Aug, 2015 2 commits
  4. 01 Jul, 2015 7 commits
  5. 30 Jun, 2015 3 commits
      upstream commit · 629df770
      djm@openbsd.org authored
      fatal() when a remote window update causes the window
       value to overflow. Reported by Georg Wicherski, ok markus@
      
      Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
      upstream commit · f715afeb
      djm@openbsd.org authored
      Fix math error in remote window calculations that causes
       eventual stalls for datagram channels. Reported by Georg Wicherski, ok
       markus@
      
      Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
      skip IPv6-related portions on hosts without IPv6 · 52fb6b9b
      Damien Miller authored
      with Tim Rice
  6. 29 Jun, 2015 1 commit
      upstream commit · 512caddf
      djm@openbsd.org authored
      add getpid to sandbox, reachable by grace_alarm_handler
      
      reported by Jakub Jelen; bz#2419
      
      Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
  7. 26 Jun, 2015 1 commit
      upstream commit · 78c2a4f8
      djm@openbsd.org authored
      Fix \-escaping bug that caused forward path parsing to skip
       two characters and skip past the end of the string.
      
      Based on patch by Salvador Fandino; ok dtucker@
      
      Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
  8. 24 Jun, 2015 4 commits
      add missing pselect6 · bc20205c
      Damien Miller authored
      patch from Jakub Jelen
      upstream commit · 9d27fb73
      djm@openbsd.org authored
      correct test to sshkey_sign(); spotted by Albert S.
      
      Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
      upstream commit · 7ed01a96
      dtucker@openbsd.org authored
      Revert previous commit.  We still want to call setgroups
       in the case where there are zero groups to remove any that we might otherwise
       inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
       to setgroups is always a static global it's always valid to dereference in
       this case.  ok deraadt@ djm@
      
      Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
      upstream commit · 882f8bf9
      dtucker@openbsd.org authored
      Revert previous commit.  We still want to call setgroups in
       the case where there are zero groups to remove any that we might otherwise
       inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
       to setgroups is always a static global it's always valid to dereference in
       this case.  ok deraadt@ djm@
      
      Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
  9. 23 Jun, 2015 2 commits
      upstream commit · 9488538a
      djm@openbsd.org authored
      Don't count successful partial authentication as failures
       in monitor; this may have caused the monitor to refuse multiple
       authentications that would otherwise have successfully completed; ok markus@
      
      Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
      upstream commit · 63b78d00
      dtucker@openbsd.org authored
      Don't call setgroups if we have zero groups; there's no
       guarantee that it won't try to deref the pointer.  Based on a patch from mail
       at quitesimple.org, ok djm deraadt
      
      Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1