openssh (1:7.2p2-4ubuntu2.8) xenial-security; urgency=medium

  * SECURITY UPDATE: Incomplete fix for CVE-2019-6111
    - debian/patches/CVE-2019-6111-2.patch: add another fix to the filename
      check in scp.c.
    - CVE-2019-6111
  * Fixed inverted CVE numbers in patch filenames and in previous
    changelog.

 -- Marc Deslauriers  Mon, 04 Mar 2019 07:50:38 -0500

openssh (1:7.2p2-4ubuntu2.7) xenial-security; urgency=medium

  * SECURITY UPDATE: access restrictions bypass in scp
    - debian/patches/CVE-2018-20685.patch: disallow empty filenames or ones
      that refer to the current directory in scp.c.
    - CVE-2018-20685
  * SECURITY UPDATE: scp client spoofing via object name
    - debian/patches/CVE-2019-6111.patch: make sure the filenames match
      the wildcard specified by the user, and add new flag to relax the
      new restrictions in scp.c, scp.1.
    - CVE-2019-6111
  * SECURITY UPDATE: scp client missing received object name validation
    - debian/patches/CVE-2019-6109-pre1.patch: backport snmprintf from
      newer OpenSSH in Makefile.in, utf8.c, utf8.h, configure.ac.
    - debian/patches/CVE-2019-6109-pre2.patch: update vis.h and vis.c from
      newer OpenSSH.
    - debian/patches/CVE-2019-6109-1.patch: sanitize scp filenames via
      snmprintf in atomicio.c, progressmeter.c, progressmeter.h, scp.c,
      sftp-client.c.
    - debian/patches/CVE-2019-6109-2.patch: force progressmeter updates in
      progressmeter.c, progressmeter.h, scp.c, sftp-client.c.
    - CVE-2019-6109

 -- Marc Deslauriers  Thu, 31 Jan 2019 09:03:12 -0500

openssh (1:7.2p2-4ubuntu2.6) xenial-security; urgency=medium

  [ Ryan Finnie ]
  * SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
    - debian/patches/CVE-2018-15473.patch: delay bailout for invalid
      authenticating user until after the packet containing the request
      has been fully parsed.
    - CVE-2018-15473
  * SECURITY UPDATE: Privsep process crashing via an out-of-sequence
    - debian/patches/CVE-2016-10708.patch: fix in kex.c, pack.c.
    - CVE-2016-10708

 -- Leonidas S. Barbosa  Thu, 01 Nov 2018 16:16:02 -0300

openssh (1:7.2p2-4ubuntu2.5) xenial; urgency=medium

  * debian/systemd/ssh.service: Test configuration before starting or
    reloading sshd (LP: #1771340)

 -- Karl Stenerud  Tue, 21 Aug 2018 10:45:26 -0700

openssh (1:7.2p2-4ubuntu2.4) xenial-security; urgency=medium

  * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
    - debian/patches/CVE-2016-10009.patch: add a whitelist of paths from
      which ssh-agent will load a PKCS#11 module in ssh-agent.1,
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-2.patch: fix deletion of PKCS#11 keys
      in ssh-agent.c.
    - debian/patches/CVE-2016-10009-3.patch: relax whitelist in
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-4.patch: add missing label in
      ssh-agent.c.
    - CVE-2016-10009
  * SECURITY UPDATE: local privilege escalation via socket permissions when
    privilege separation is disabled
    - debian/patches/CVE-2016-10010.patch: disable Unix-domain socket
      forwarding when privsep is disabled in serverloop.c.
    - debian/patches/CVE-2016-10010-2.patch: unbreak Unix domain socket
      forwarding for root in serverloop.c.
    - CVE-2016-10010
  * SECURITY UPDATE: local information disclosure via effects of realloc on
    buffer contents
    - debian/patches/CVE-2016-10011-pre.patch: split allocation out of
      sshbuf_reserve() in sshbuf.c, sshbuf.h.
    - debian/patches/CVE-2016-10011.patch: pre-allocate the buffer used for
      loading keys in authfile.c.
    - CVE-2016-10011
  * SECURITY UPDATE: local privilege escalation via incorrect bounds check
    in shared memory manager
    - debian/patches/CVE-2016-10012-1.patch: remove support for
      pre-authentication compression in Makefile.in, monitor.c, monitor.h,
      monitor_mm.c, monitor_mm.h, monitor_wrap.h, myproposal.h, opacket.h,
      packet.c, packet.h, servconf.c, sshconnect2.c, sshd.c.
    - debian/patches/CVE-2016-10012-2.patch: restore pre-auth compression
      support in the client in kex.c, kex.h, packet.c, servconf.c,
      sshconnect2.c, sshd_config.5.
    - debian/patches/CVE-2016-10012-3.patch: put back some pre-auth zlib
      bits in kex.c, kex.h, packet.c.
    - CVE-2016-10012
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

 -- Marc Deslauriers  Mon, 15 Jan 2018 09:50:38 -0500

openssh (1:7.2p2-4ubuntu2.2) xenial; urgency=medium

  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
    already-hashed entries (LP: #1668093).
  * Fix ssh-keyscan to correctly hash hosts with a port number
    (LP: #1670745).

 -- Christian Ehrhardt  Wed, 15 Mar 2017 13:16:56 +0100

openssh (1:7.2p2-4ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: user enumeration via covert timing channel
    - debian/patches/CVE-2016-6210-1.patch: determine appropriate salt for
      invalid users in auth-passwd.c, openbsd-compat/xcrypt.c.
    - debian/patches/CVE-2016-6210-2.patch: mitigate timing of disallowed
      users PAM logins in auth-pam.c.
    - debian/patches/CVE-2016-6210-3.patch: search users for one with a
      valid salt in openbsd-compat/xcrypt.c.
    - CVE-2016-6210
  * SECURITY UPDATE: denial of service via long passwords
    - debian/patches/CVE-2016-6515.patch: skip passwords longer than 1k in
      length in auth-passwd.c.
    - CVE-2016-6515

 -- Marc Deslauriers  Thu, 11 Aug 2016 08:38:27 -0400

openssh (1:7.2p2-4ubuntu2) xenial; urgency=medium

  * debian/openssh-server.if-up: Don't block on a finished reload of
    openssh.service, to avoid deadlocking with restarting networking.
    (Closes: #832557, LP: #1584393)

 -- Martin Pitt  Sun, 31 Jul 2016 10:51:01 +0200

openssh (1:7.2p2-4ubuntu1) xenial; urgency=medium

  * Backport upstream patch to unbreak authentication using lone certificate
    keys in ssh-agent: when attempting pubkey auth with a certificate, if no
    separate private key is found among the keys then try with the
    certificate key itself (thanks, Paul Querna; LP: #1575961).

 -- Colin Watson  Thu, 28 Apr 2016 01:57:51 +0100

openssh (1:7.2p2-4) unstable; urgency=medium

  * Drop dependency on libnss-files-udeb (closes: #819686).
  * Policy version 3.9.7: no changes required.

 -- Colin Watson  Fri, 15 Apr 2016 16:40:07 +0100

# For older changelog entries, run 'apt-get changelog openssh-client'