
debcrafters-packages team mailing list archive

[Bug 2130054] [NEW] Merge openssh from Debian Unstable for resolute
Public bug reported:

Scheduled-For: ubuntu-25.11
Ubuntu: 1:10.0p1-5ubuntu5
Debian Unstable: 1:10.2p1-2

A new release of openssh is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the
tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the
title as desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the resolute Release Notes:
https://discourse.ubuntu.com/t/resolute-raccoon-release-notes/

### New Debian Changes ###

openssh (1:10.2p1-2) unstable; urgency=medium

  * ssh-session-cleanup: Update pattern for sshd-session split in 9.8
    (closes: #1117965).
  * Link ssh against ssh-pkcs11.o directly (closes: #1117638, #1117720).

 -- Colin Watson <cjwatson@xxxxxxxxxx>  Fri, 17 Oct 2025 10:14:14 +0100

openssh (1:10.2p1-1) unstable; urgency=medium

  * New upstream release:
    - ssh-keygen(1): fix download of keys from PKCS#11 tokens.

 -- Colin Watson <cjwatson@xxxxxxxxxx>  Fri, 10 Oct 2025 14:50:27 +0100

openssh (1:10.1p1-2) unstable; urgency=medium

  * Don't reuse c->isatty for signalling that the remote channel has a tty
    attached (closes: #1117574, #1117594).
  * Link ssh-keygen directly against ssh-pkcs11.c.

 -- Colin Watson <cjwatson@xxxxxxxxxx>  Thu, 09 Oct 2025 00:54:25 +0100

openssh (1:10.1p1-1) unstable; urgency=medium

  [ Allison Karlitskaya ]
  * sshd@.service: Support ephemeral keys from VM/container hosts.

  [ Colin Watson ]
  * New upstream release:
    - ssh(1): add a warning when the connection negotiates a non-post
      quantum key agreement algorithm.
    - ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS: by
      default, interactive traffic is assigned to the EF (Expedited
      Forwarding) class, while non-interactive traffic uses the operating
      system default DSCP marking.
    - ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
      keywords in the IPQoS configuration directive.
    - ssh-add(1): when adding certificates to an agent, set the expiry to
      the certificate expiry time plus a short (5 min) grace period.
    - All: remove experimental support for XMSS keys.
    - ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under
      ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).
    - CVE-2025-61984: ssh(1): disallow control characters in usernames
      passed via the commandline or expanded using %-sequences from the
      configuration file (closes: #1117529).
    - CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs (closes:
      #1117530).
    - ssh(1), sshd(8): add SIGINFO handlers to log active channel and
      session information.
    - sshd(8): when refusing a certificate for user authentication, log
      enough information to identify the certificate in addition to the
      reason why it was being denied. Makes debugging certificate
      authorisation problems a bit easier.
    - ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens.
    - ssh(1): add an ssh_config(5) RefuseConnection option that, when
      encountered while processing an active section in a configuration,
      terminates ssh(1) with an error message that contains the argument to
      the option.
    - sshd(8): make the X11 display number check relative to
      X11DisplayOffset. This will allow people to use X11DisplayOffset to
      configure much higher port ranges if they really want, while not
      changing the default behaviour.
    - ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is
      enabled.
    - sshd(8): increase the maximum size of the supported configuration from
      256KB to 4MB, which ought to be enough for anybody. Fail early and
      visibly when this limit is breached.
    - sftp(1): during sftp uploads, avoid a condition where a failed write
      could be ignored if a subsequent write succeeded. This is unlikely but
      technically possible because sftp servers are allowed to reorder
      requests.
    - sshd(8): avoid a race condition when the sshd-auth process exits that
      could cause a spurious error message to be logged.
    - sshd(8): log at level INFO when PerSourcePenalties actually blocks
      access to a source address range. Previously this was logged at level
      VERBOSE, which hid enforcement actions under default config settings.
    - sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
      first-match-wins as advertised.
    - ssh(1): fix an incorrect return value check in the local forward
      cancellation path that would cause failed cancellations not to be
      logged.
    - sshd(8): make "Match !final" not trigger a second parsing pass of
      ssh_config (unless hostname canonicalisation or a separate "Match
      final" does).
    - ssh(1): better debug diagnostics when loading keys. Will now list key
      fingerprint and algorithm (not just algorithm number) as well as
      making it explicit which keys didn't load.
    - All: fix a number of memory leaks found by LeakSanitizer, Coverity and
      manual inspection.
    - sshd(8): Output the current name for PermitRootLogin's
      "prohibit-password" in sshd -T instead of its deprecated alias
      "without-password" (closes: #1095922).
    - ssh(1): make writing known_hosts lines more atomic by writing the
      entire line in one operation and using unbuffered stdio.
    - sshd(8): check the username didn't change during the PAM transactions.
    - sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow
      DNS lookups in the audit subsystem.
    - All: when making a copy of struct passwd, ensure struct fields are
      non-NULL.
    - sshd(8): handle futex_time64 properly in seccomp sandbox.
    - Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
    - ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
      preventing a graceful shutdown of an agent via systemd from
      incorrectly marking the service as "failed".
  * Drop patches:
    - no-openssl-version-status.patch: Mostly applied upstream; the rest
      only applied to OpenSSL < 3, which isn't relevant to current Debian
      releases.
    - revert-ipqos-defaults.patch: This new upstream release reworks IPQoS,
      so let's see how that works in Debian (closes: #1111446).
  * debian/run-tests: Fix path to dropbear.

 -- Colin Watson <cjwatson@xxxxxxxxxx>  Tue, 07 Oct 2025 22:07:19 +0100

openssh (1:10.0p1-8) unstable; urgency=medium

  * Remove some long-obsolete Conflicts (closes: #54243).
  * Fix mistracking of MaxStartups process exits in some situations (closes:
    #1080350).

 -- Colin Watson <cjwatson@xxxxxxxxxx>  Sun, 10 Aug 2025 00:07:55 +0100

openssh (1:10.0p1-7) unstable; urgency=medium

  * Make postinst logic for cleaning up the sshd diversion more robust.

 -- Colin Watson <cjwatson@xxxxxxxxxx>  Fri, 01 Aug 2025 16:02:27 +0100

openssh (1:10.0p1-6) unstable; urgency=medium

  * Temporarily divert /usr/sbin/sshd during upgrades from before
    1:9.8p1-1~, to avoid new connections failing between unpack and
    configure (closes: #1109742).

 -- Colin Watson <cjwatson@xxxxxxxxxx>  Mon, 28 Jul 2025 12:17:42 +0100


### Old Ubuntu Delta ###

openssh (1:10.0p1-5ubuntu5) questing; urgency=medium

  * test: workaround test failure caused by uutils dd (LP: #2125943)
  * authfd: fallback to default if $SSH_AUTH_SOCK is unset (LP: #2125549)

 -- Nick Rosbrook <enr0n@xxxxxxxxxx>  Mon, 29 Sep 2025 14:43:07 -0400

openssh (1:10.0p1-5ubuntu4) questing; urgency=medium

  * Rebuild to include updated RISC-V base ISA RVA23

 -- Heinrich Schuchardt <heinrich.schuchardt@xxxxxxxxxxxxx>  Sat, 06 Sep 2025 14:19:10 +0000

openssh (1:10.0p1-5ubuntu3) questing; urgency=medium

  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets
    (LP: #2111226)

 -- Nick Rosbrook <enr0n@xxxxxxxxxx>  Mon, 04 Aug 2025 11:22:12 -0400

openssh (1:10.0p1-5ubuntu2) questing; urgency=medium

  * d/rules,d/control: do not build with wtmpdb support
    (LP: #2116241)
  * Re-instate UsePAM yes in sshd_config (LP: #2116196):
    - d/p/debian-config.patch: reinstate erroneously dropped changes
    - debian/openssh-server.ucf-md5sum: update for current checksums
  * d/t/control: add breaks-testbed restriction to tests
  * d/tests: do not fail when $HOME/.ssh exists

 -- Nick Rosbrook <enr0n@xxxxxxxxxx>  Tue, 08 Jul 2025 15:40:56 -0400

openssh (1:10.0p1-5ubuntu1) questing; urgency=medium

  * Merge with Debian unstable. (LP: #2112050) Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd
    - debian/README.Debian: document systemd socket activation.
    - debian/.gitignore: drop file
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - d/p/systemd-socket-activation.patch:
      + Fix sshd re-execution behavior when socket activation is used
      + Adapt sshd-session for systemd socket activation
    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
      activation functionality.
    - debian/patches: Immediately report interactive instructions to PAM clients
    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
    - debian/control: Build-Depends: systemd-dev
    - d/p/sshd-socket-generator.patch: add generator for socket activation
    - debian/openssh-server.install: install sshd-socket-generator
    - debian/openssh-server.postinst: restart whichever systemd unit is enabled
    - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
    - ssh.socket: adjust unit for socket activation by default
    - debian/rules: explicitly enable LTO
    - d/t/ssh-gssapi: disable -e in cleanup()
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
    - d/openssh-server.links: add full sshd.service -> ssh.service alias
      (LP #2087949)
    - document /etc/ssh/sshd_config.d/*.conf better in sshd_config
      (LP #2088207)
  * New changes:
    - debian/openssh-server.ucf-md5sum: update for new Ubuntu version
    - d/p/systemd-socket-activation.patch: add -N no-opt flag for sshd-auth
      Otherwise, authentication will fail in socket activated mode, due
      to the unrecognized flag.
    - d/p/debian-config.patch: refresh
  * Dropped changes, fixed upstream:
    - CVE-2025-26465.patch
    - CVE-2025-26466.patch
    - CVE-2025-32728.patch

 -- Nick Rosbrook <enr0n@xxxxxxxxxx>  Thu, 03 Jul 2025 16:25:27 -0400

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: dcr-merge

** Changed in: openssh (Ubuntu)
    Milestone: None => ubuntu-25.11

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2130054

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2130054/+subscriptions
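Two of the upstream fixes pulled in by this merge (CVE-2025-61984, control characters in usernames; CVE-2025-61985, NUL bytes in ssh:// URIs) are input-validation changes in the ssh(1) client. Tooling that builds ssh command lines from user-supplied usernames or URIs should apply the same rejection rules before handing data to the binary, so that a wrapper does not depend on every deployed client having the fix. The following is an added example, not OpenSSH or Debian/Ubuntu packaging code; the function names, the exception type and the treatment of DEL (0x7f) as a control character are this example's own assumptions, and the sample inputs are constructed.

```python
"""Pre-flight checks for usernames and ssh:// URIs handed to an ssh wrapper.

Added example (not OpenSSH code). It mirrors two OpenSSH 10.1 client
changes: reject control characters in usernames (CVE-2025-61984) and
reject NUL bytes in ssh:// URIs (CVE-2025-61985). Function names and the
exception type are assumptions made for this example.
"""
from urllib.parse import urlsplit


class UnsafeSshInput(ValueError):
    """Raised when a username or URI would be refused by the checks below."""


def has_control_chars(s: str) -> bool:
    """True if `s` contains an ASCII control character (0x00-0x1f or 0x7f).

    Treating DEL (0x7f) as a control character is this example's choice.
    """
    return any(ord(c) < 0x20 or ord(c) == 0x7f for c in s)


def validate_username(user: str) -> str:
    """Return `user` unchanged if it is non-empty and free of control chars.

    A username that reaches %-expansion (for example in ProxyCommand) must
    not carry newlines or other control bytes; refusing it in the wrapper
    keeps the check independent of the installed ssh version.
    """
    if not user:
        raise UnsafeSshInput("empty username")
    if has_control_chars(user):
        raise UnsafeSshInput("control character in username: %r" % user)
    return user


def parse_ssh_uri(uri: str) -> dict:
    """Parse ssh://[user@]host[:port] and reject NUL bytes anywhere in it.

    The raw string is checked before urlsplit() runs, because urlsplit()
    silently strips tab, CR and LF from its input and would otherwise hide
    an embedded control character from validate_username().
    """
    if "\0" in uri:
        raise UnsafeSshInput("NUL byte in ssh URI")
    if has_control_chars(uri):
        raise UnsafeSshInput("control character in ssh URI: %r" % uri)
    parts = urlsplit(uri)
    if parts.scheme != "ssh" or not parts.hostname:
        raise UnsafeSshInput("not an ssh:// URI with a host: %r" % uri)
    user = parts.username
    if user is not None:
        validate_username(user)
    return {"user": user, "host": parts.hostname, "port": parts.port or 22}


def check_inputs(samples):
    """Run the checks over constructed inputs; return (accepted, rejected) lists."""
    accepted, rejected = [], []
    for kind, value in samples:
        try:
            if kind == "user":
                validate_username(value)
            else:
                parse_ssh_uri(value)
            accepted.append(value)
        except UnsafeSshInput:
            rejected.append(value)
    return accepted, rejected


# Constructed sample inputs (not taken from any real incident).
SAMPLES = [
    ("user", "alice"),
    ("user", "al\nice"),                       # newline in username
    ("uri", "ssh://bob@example.com:2222/"),
    ("uri", "ssh://bob@example.com\0ignored"), # NUL in URI
    ("uri", "ssh://car\x01ol@example.com"),    # control char in URI user part
]

if __name__ == "__main__":
    ok, bad = check_inputs(SAMPLES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The wrapper-side check is deliberately stricter than a parser would be on its own: rejecting the whole URI on any control character avoids the case where a C-side parser truncates at a NUL while the calling script still believes it passed the full string.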
