openssh 1:7.2p2-4ubuntu2.4 source package in Ubuntu

Changelog

openssh (1:7.2p2-4ubuntu2.4) xenial-security; urgency=medium

  * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
    - debian/patches/CVE-2016-10009.patch: add a whitelist of paths from
      which ssh-agent will load a PKCS#11 module in ssh-agent.1,
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-2.patch: fix deletion of PKCS#11 keys
      in ssh-agent.c.
    - debian/patches/CVE-2016-10009-3.patch: relax whitelist in
      ssh-agent.c.
    - debian/patches/CVE-2016-10009-4.patch: add missing label in
      ssh-agent.c.
    - CVE-2016-10009
  * SECURITY UPDATE: local privilege escalation via socket permissions when
    privilege separation is disabled
    - debian/patches/CVE-2016-10010.patch: disable Unix-domain socket
      forwarding when privsep is disabled in serverloop.c.
    - debian/patches/CVE-2016-10010-2.patch: unbreak Unix domain socket
      forwarding for root in serverloop.c.
    - CVE-2016-10010
  * SECURITY UPDATE: local information disclosure via effects of realloc on
    buffer contents
    - debian/patches/CVE-2016-10011-pre.patch: split allocation out of
      sshbuf_reserve() in sshbuf.c, sshbuf.h.
    - debian/patches/CVE-2016-10011.patch: pre-allocate the buffer used for
      loading keys in authfile.c.
    - CVE-2016-10011
  * SECURITY UPDATE: local privilege escalation via incorrect bounds check
    in shared memory manager
    - debian/patches/CVE-2016-10012-1.patch: remove support for
      pre-authentication compression in Makefile.in, monitor.c, monitor.h,
      monitor_mm.c, monitor_mm.h, monitor_wrap.h, myproposal.h, opacket.h,
      packet.c, packet.h, servconf.c, sshconnect2.c, sshd.c.
    - debian/patches/CVE-2016-10012-2.patch: restore pre-auth compression
      support in the client in kex.c, kex.h, packet.c, servconf.c,
      sshconnect2.c, sshd_config.5.
    - debian/patches/CVE-2016-10012-3.patch: put back some pre-auth zlib
      bits in kex.c, kex.h, packet.c.
    - CVE-2016-10012
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

 -- Marc Deslauriers <email address hidden>  Mon, 15 Jan 2018 09:50:38 -0500

Upload details

Uploaded by:
Marc Deslauriers
Uploaded to:
Xenial
Original maintainer:
Ubuntu Developers
Architectures:
any all
Section:
net
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Downloads

File Size SHA-256 Checksum
openssh_7.2p2.orig.tar.gz 1.4 MiB a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
openssh_7.2p2-4ubuntu2.4.debian.tar.xz 162.7 KiB 00b7e94483e369ab0e098ccada7b35473694544e4498d20ff7c2a2ae8bfe8def
openssh_7.2p2-4ubuntu2.4.dsc 2.8 KiB 4c35e06545e8e332474f5e3cb1fa4ef159e8af090c566693d34d401ef726b493

View changes file

Binary packages built by this source

openssh-client: secure shell (SSH) client, for secure access to remote machines

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the ssh, scp and sftp clients, the ssh-agent
 and ssh-add programs to make public key authentication more convenient,
 and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 ssh replaces the insecure rsh, rcp and rlogin programs, which are
 obsolete for most purposes.

openssh-client-dbgsym: debug symbols for package openssh-client

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the ssh, scp and sftp clients, the ssh-agent
 and ssh-add programs to make public key authentication more convenient,
 and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 ssh replaces the insecure rsh, rcp and rlogin programs, which are
 obsolete for most purposes.

openssh-client-ssh1: secure shell (SSH) client for legacy SSH1 protocol

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the ssh1 and scp1 clients and the ssh-keygen1
 utility, all built with support for the legacy SSH1 protocol. This
 protocol is obsolete and should not normally be used, but in some cases
 there may be no alternative way to connect to outdated servers.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 ssh replaces the insecure rsh, rcp and rlogin programs, which are
 obsolete for most purposes.

openssh-client-ssh1-dbgsym: debug symbols for package openssh-client-ssh1

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the ssh1 and scp1 clients and the ssh-keygen1
 utility, all built with support for the legacy SSH1 protocol. This
 protocol is obsolete and should not normally be used, but in some cases
 there may be no alternative way to connect to outdated servers.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 ssh replaces the insecure rsh, rcp and rlogin programs, which are
 obsolete for most purposes.

openssh-client-udeb: secure shell client for the Debian installer

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 This package provides the ssh client for use in debian-installer.

openssh-client-udeb-dbgsym: debug symbols for package openssh-client-udeb

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 This package provides the ssh client for use in debian-installer.

openssh-server: secure shell (SSH) server, for secure access from remote machines

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the sshd server.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 sshd replaces the insecure rshd program, which is obsolete for most
 purposes.

openssh-server-dbgsym: debug symbols for package openssh-server

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the sshd server.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 sshd replaces the insecure rshd program, which is obsolete for most
 purposes.

openssh-server-udeb: secure shell server for the Debian installer

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 This package provides the sshd server for use in debian-installer.
 Since it is expected to be used in specialized situations (e.g. S/390
 installs with no console), it does not provide any configuration.

openssh-server-udeb-dbgsym: debug symbols for package openssh-server-udeb

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 This package provides the sshd server for use in debian-installer.
 Since it is expected to be used in specialized situations (e.g. S/390
 installs with no console), it does not provide any configuration.

openssh-sftp-server: secure shell (SSH) sftp server module, for SFTP access from remote machines

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the SFTP server module for the SSH server. It
 is needed if you want to access your SSH server with SFTP. The SFTP
 server module also works with other SSH daemons like dropbear.

openssh-sftp-server-dbgsym: debug symbols for package openssh-sftp-server

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the SFTP server module for the SSH server. It
 is needed if you want to access your SSH server with SFTP. The SFTP
 server module also works with other SSH daemons like dropbear.

ssh: secure shell client and server (metapackage)

 This metapackage is a convenient way to install both the OpenSSH client
 and the OpenSSH server. It provides nothing in and of itself, so you
 may remove it if nothing depends on it.

ssh-askpass-gnome: interactive X program to prompt users for a passphrase for ssh-add

 This has been split out of the main openssh-client package so that
 openssh-client does not need to depend on GTK+.
 .
 You probably want the ssh-askpass package instead, but this is
 provided to add to your choice and/or confusion.

ssh-askpass-gnome-dbgsym: debug symbols for package ssh-askpass-gnome

 This has been split out of the main openssh-client package so that
 openssh-client does not need to depend on GTK+.
 .
 You probably want the ssh-askpass package instead, but this is
 provided to add to your choice and/or confusion.

ssh-krb5: secure shell client and server (transitional package)

 This is a transitional package depending on the regular Debian OpenSSH
 client and server, which now support GSSAPI natively. It will add the
 necessary GSSAPI options to the server configuration file. You can
 remove it once the upgrade is complete and nothing depends on it.