Public bug reported: Scheduled-For: ubuntu-25.11 Ubuntu: 1:10.0p1-5ubuntu5 Debian Unstable: 1:10.2p1-2
A new release of openssh is available for merging from Debian Unstable. If it turns out this needs a sync rather than a merge, please change the tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the resolute Release Notes: https://discourse.ubuntu.com/t/resolute-raccoon-release-notes/ ### New Debian Changes ### openssh (1:10.2p1-2) unstable; urgency=medium * ssh-session-cleanup: Update pattern for sshd-session split in 9.8 (closes: #1117965). * Link ssh against ssh-pkcs11.o directly (closes: #1117638, #1117720). -- Colin Watson <[email protected]> Fri, 17 Oct 2025 10:14:14 +0100 openssh (1:10.2p1-1) unstable; urgency=medium * New upstream release: - ssh-keygen(1): fix download of keys from PKCS#11 tokens. -- Colin Watson <[email protected]> Fri, 10 Oct 2025 14:50:27 +0100 openssh (1:10.1p1-2) unstable; urgency=medium * Don't reuse c->isatty for signalling that the remote channel has a tty attached (closes: #1117574, #1117594). * Link ssh-keygen directly against ssh-pkcs11.c. -- Colin Watson <[email protected]> Thu, 09 Oct 2025 00:54:25 +0100 openssh (1:10.1p1-1) unstable; urgency=medium [ Allison Karlitskaya ] * [email protected]: Support ephemeral keys from VM/container hosts. [ Colin Watson ] * New upstream release: - ssh(1): add a warning when the connection negotiates a non-post quantum key agreement algorithm. - ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS: by default, interactive traffic is assigned to the EF (Expedited Forwarding) class, while non-interactive traffic uses the operating system default DSCP marking. - ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS) keywords in the IPQoS configuration directive. - ssh-add(1): when adding certificates to an agent, set the expiry to the certificate expiry time plus a short (5 min) grace period. - All: remove experimental support for XMSS keys. - ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8). - CVE-2025-61984: ssh(1): disallow control characters in usernames passed via the commandline or expanded using %-sequences from the configuration file (closes: #1117529), - CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs (closes: #1117530). - ssh(1), sshd(8): add SIGINFO handlers to log active channel and session information. - sshd(8): when refusing a certificate for user authentication, log enough information to identify the certificate in addition to the reason why it was being denied. Makes debugging certificate authorisation problems a bit easier. - ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens. - ssh(1): add an ssh_config(5) RefuseConnection option that, when encountered while processing an active section in a configuration, terminates ssh(1) with an error message that contains the argument to the option. - sshd(8): make the X11 display number check relative to X11DisplayOffset. This will allow people to use X11DisplayOffset to configure much higher port ranges if they really want, while not changing the default behaviour. - ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is enabled. - sshd(8): increase the maximum size of the supported configuration from 256KB to 4MB, which ought to be enough for anybody. Fail early and visibly when this limit is breached. - sftp(1): during sftp uploads, avoid a condition where a failed write could be ignored if a subsequent write succeeded. This is unlikely but technically possible because sftp servers are allowed to reorder requests. - sshd(8): avoid a race condition when the sshd-auth process exits that could cause a spurious error message to be logged. - sshd(8): log at level INFO when PerSourcePenalties actually blocks access to a source address range. Previously this was logged at level VERBOSE, which hid enforcement actions under default config settings. - sshd(8): Make the MaxStartups and PerSourceNetBlockSize options first-match-wins as advertised. - ssh(1): fix an incorrect return value check in the local forward cancellation path that would cause failed cancellations not to be logged. - sshd(8): make "Match !final" not trigger a second parsing pass of ssh_config (unless hostname canonicalisation or a separate "Match final" does). - ssh(1): better debug diagnostics when loading keys. Will now list key fingerprint and algorithm (not just algorithm number) as well as making it explicit which keys didn't load. - All: fix a number of memory leaks found by LeakSanitizer, Coverity and manual inspection. - sshd(8): Output the current name for PermitRootLogin's "prohibit-password" in sshd -T instead of its deprecated alias "without-password" (closes: #1095922). - ssh(1): make writing known_hosts lines more atomic by writing the entire line in one operation and using unbuffered stdio. - sshd(8): check the username didn't change during the PAM transactions. - sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow DNS lookups in the audit subsystem. - All: when making a copy of struct passwd, ensure struct fields are non-NULL. - sshd(8): handle futex_time64 properly in seccomp sandbox. - Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API. - ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation, preventing a graceful shutdown of an agent via systemd from incorrectly marking the service as "failed". * Drop patches: - no-openssl-version-status.patch: Mostly applied upstream; the rest only applied to OpenSSL < 3, which isn't relevant to current Debian releases. - revert-ipqos-defaults.patch: This new upstream release reworks IPQoS, so let's see how that works in Debian (closes: #1111446). * debian/run-tests: Fix path to dropbear. -- Colin Watson <[email protected]> Tue, 07 Oct 2025 22:07:19 +0100 openssh (1:10.0p1-8) unstable; urgency=medium * Remove some long-obsolete Conflicts (closes: #54243). * Fix mistracking of MaxStartups process exits in some situations (closes: #1080350). -- Colin Watson <[email protected]> Sun, 10 Aug 2025 00:07:55 +0100 openssh (1:10.0p1-7) unstable; urgency=medium * Make postinst logic for cleaning up the sshd diversion more robust. -- Colin Watson <[email protected]> Fri, 01 Aug 2025 16:02:27 +0100 openssh (1:10.0p1-6) unstable; urgency=medium * Temporarily divert /usr/sbin/sshd during upgrades from before 1:9.8p1-1~, to avoid new connections failing between unpack and configure (closes: #1109742). -- Colin Watson <[email protected]> Mon, 28 Jul 2025 12:17:42 +0100 ### Old Ubuntu Delta ### openssh (1:10.0p1-5ubuntu5) questing; urgency=medium * test: workaround test failure caused by uutils dd (LP: #2125943) * authfd: fallback to default if $SSH_AUTH_SOCK is unset (LP: #2125549) -- Nick Rosbrook <[email protected]> Mon, 29 Sep 2025 14:43:07 -0400 openssh (1:10.0p1-5ubuntu4) questing; urgency=medium * Rebuild to include updated RISC-V base ISA RVA23 -- Heinrich Schuchardt <[email protected]> Sat, 06 Sep 2025 14:19:10 +0000 openssh (1:10.0p1-5ubuntu3) questing; urgency=medium * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226) -- Nick Rosbrook <[email protected]> Mon, 04 Aug 2025 11:22:12 -0400 openssh (1:10.0p1-5ubuntu2) questing; urgency=medium * d/rules,d/control: do not build with wtmpdb support (LP: #2116241) * Re-instate UsePAM yes in sshd_config (LP: #2116196): - d/p/debian-config.patch: reinstate erroneously dropped changes - debian/openssh-server.ucf-md5sum: update for current checksums * d/t/control: add breaks-testbed restriction to tests * d/tests: do not fail when $HOME/.ssh exists -- Nick Rosbrook <[email protected]> Tue, 08 Jul 2025 15:40:56 -0400 openssh (1:10.0p1-5ubuntu1) questing; urgency=medium * Merge with Debian unstable. (LP: #2112050) Remaining changes: - debian/rules: modify dh_installsystemd invocations for socket-activated sshd - debian/README.Debian: document systemd socket activation. - debian/.gitignore: drop file - debian/openssh-server.ucf-md5sum: update for Ubuntu delta - d/p/systemd-socket-activation.patch: + Fix sshd re-execution behavior when socket activation is used + Adapt sshd-session for systemd socket activation - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket activation functionality. - debian/patches: Immediately report interactive instructions to PAM clients - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8 - debian/control: Build-Depends: systemd-dev - d/p/sshd-socket-generator.patch: add generator for socket activation - debian/openssh-server.install: install sshd-socket-generator - debian/openssh-server.postinst: restart whichever systemd unit is enabled - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator - ssh.socket: adjust unit for socket activation by default - debian/rules: explicitly enable LTO - d/t/ssh-gssapi: disable -e in cleanup() - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests - d/openssh-server.links: add full sshd.service -> ssh.service alias (LP #2087949) - document /etc/ssh/sshd_config.d/*.conf better in sshd_config (LP #2088207) * New changes: - debian/openssh-server.ucf-md5sum: update for new Ubuntu version - d/p/systemd-socket-activation.patch: add -N no-opt flag for sshd-auth Otherwise, authentication will fail in socket activated mode, due to the unrecognized flag. - d/p/debian-config.patch: refresh * Dropped changes, fixed upstream: - CVE-2025-26465.patch - CVE-2025-26466.patch - CVE-2025-32728.patch -- Nick Rosbrook <[email protected]> Thu, 03 Jul 2025 16:25:27 -0400 ** Affects: openssh (Ubuntu) Importance: Undecided Status: New ** Tags: dcr-merge ** Changed in: openssh (Ubuntu) Milestone: None => ubuntu-25.11 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2130054 Title: Merge openssh from Debian Unstable for resolute Status in openssh package in Ubuntu: New Bug description: Scheduled-For: ubuntu-25.11 Ubuntu: 1:10.0p1-5ubuntu5 Debian Unstable: 1:10.2p1-2 A new release of openssh is available for merging from Debian Unstable. If it turns out this needs a sync rather than a merge, please change the tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the resolute Release Notes: https://discourse.ubuntu.com/t/resolute-raccoon-release-notes/ ### New Debian Changes ### openssh (1:10.2p1-2) unstable; urgency=medium * ssh-session-cleanup: Update pattern for sshd-session split in 9.8 (closes: #1117965). * Link ssh against ssh-pkcs11.o directly (closes: #1117638, #1117720). -- Colin Watson <[email protected]> Fri, 17 Oct 2025 10:14:14 +0100 openssh (1:10.2p1-1) unstable; urgency=medium * New upstream release: - ssh-keygen(1): fix download of keys from PKCS#11 tokens. -- Colin Watson <[email protected]> Fri, 10 Oct 2025 14:50:27 +0100 openssh (1:10.1p1-2) unstable; urgency=medium * Don't reuse c->isatty for signalling that the remote channel has a tty attached (closes: #1117574, #1117594). * Link ssh-keygen directly against ssh-pkcs11.c. -- Colin Watson <[email protected]> Thu, 09 Oct 2025 00:54:25 +0100 openssh (1:10.1p1-1) unstable; urgency=medium [ Allison Karlitskaya ] * [email protected]: Support ephemeral keys from VM/container hosts. [ Colin Watson ] * New upstream release: - ssh(1): add a warning when the connection negotiates a non-post quantum key agreement algorithm. - ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS: by default, interactive traffic is assigned to the EF (Expedited Forwarding) class, while non-interactive traffic uses the operating system default DSCP marking. - ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS) keywords in the IPQoS configuration directive. - ssh-add(1): when adding certificates to an agent, set the expiry to the certificate expiry time plus a short (5 min) grace period. - All: remove experimental support for XMSS keys. - ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8). - CVE-2025-61984: ssh(1): disallow control characters in usernames passed via the commandline or expanded using %-sequences from the configuration file (closes: #1117529), - CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs (closes: #1117530). - ssh(1), sshd(8): add SIGINFO handlers to log active channel and session information. - sshd(8): when refusing a certificate for user authentication, log enough information to identify the certificate in addition to the reason why it was being denied. Makes debugging certificate authorisation problems a bit easier. - ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens. - ssh(1): add an ssh_config(5) RefuseConnection option that, when encountered while processing an active section in a configuration, terminates ssh(1) with an error message that contains the argument to the option. - sshd(8): make the X11 display number check relative to X11DisplayOffset. This will allow people to use X11DisplayOffset to configure much higher port ranges if they really want, while not changing the default behaviour. - ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is enabled. - sshd(8): increase the maximum size of the supported configuration from 256KB to 4MB, which ought to be enough for anybody. Fail early and visibly when this limit is breached. - sftp(1): during sftp uploads, avoid a condition where a failed write could be ignored if a subsequent write succeeded. This is unlikely but technically possible because sftp servers are allowed to reorder requests. - sshd(8): avoid a race condition when the sshd-auth process exits that could cause a spurious error message to be logged. - sshd(8): log at level INFO when PerSourcePenalties actually blocks access to a source address range. Previously this was logged at level VERBOSE, which hid enforcement actions under default config settings. - sshd(8): Make the MaxStartups and PerSourceNetBlockSize options first-match-wins as advertised. - ssh(1): fix an incorrect return value check in the local forward cancellation path that would cause failed cancellations not to be logged. - sshd(8): make "Match !final" not trigger a second parsing pass of ssh_config (unless hostname canonicalisation or a separate "Match final" does). - ssh(1): better debug diagnostics when loading keys. Will now list key fingerprint and algorithm (not just algorithm number) as well as making it explicit which keys didn't load. - All: fix a number of memory leaks found by LeakSanitizer, Coverity and manual inspection. - sshd(8): Output the current name for PermitRootLogin's "prohibit-password" in sshd -T instead of its deprecated alias "without-password" (closes: #1095922). - ssh(1): make writing known_hosts lines more atomic by writing the entire line in one operation and using unbuffered stdio. - sshd(8): check the username didn't change during the PAM transactions. - sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow DNS lookups in the audit subsystem. - All: when making a copy of struct passwd, ensure struct fields are non-NULL. - sshd(8): handle futex_time64 properly in seccomp sandbox. - Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API. - ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation, preventing a graceful shutdown of an agent via systemd from incorrectly marking the service as "failed". * Drop patches: - no-openssl-version-status.patch: Mostly applied upstream; the rest only applied to OpenSSL < 3, which isn't relevant to current Debian releases. - revert-ipqos-defaults.patch: This new upstream release reworks IPQoS, so let's see how that works in Debian (closes: #1111446). * debian/run-tests: Fix path to dropbear. -- Colin Watson <[email protected]> Tue, 07 Oct 2025 22:07:19 +0100 openssh (1:10.0p1-8) unstable; urgency=medium * Remove some long-obsolete Conflicts (closes: #54243). * Fix mistracking of MaxStartups process exits in some situations (closes: #1080350). -- Colin Watson <[email protected]> Sun, 10 Aug 2025 00:07:55 +0100 openssh (1:10.0p1-7) unstable; urgency=medium * Make postinst logic for cleaning up the sshd diversion more robust. -- Colin Watson <[email protected]> Fri, 01 Aug 2025 16:02:27 +0100 openssh (1:10.0p1-6) unstable; urgency=medium * Temporarily divert /usr/sbin/sshd during upgrades from before 1:9.8p1-1~, to avoid new connections failing between unpack and configure (closes: #1109742). -- Colin Watson <[email protected]> Mon, 28 Jul 2025 12:17:42 +0100 ### Old Ubuntu Delta ### openssh (1:10.0p1-5ubuntu5) questing; urgency=medium * test: workaround test failure caused by uutils dd (LP: #2125943) * authfd: fallback to default if $SSH_AUTH_SOCK is unset (LP: #2125549) -- Nick Rosbrook <[email protected]> Mon, 29 Sep 2025 14:43:07 -0400 openssh (1:10.0p1-5ubuntu4) questing; urgency=medium * Rebuild to include updated RISC-V base ISA RVA23 -- Heinrich Schuchardt <[email protected]> Sat, 06 Sep 2025 14:19:10 +0000 openssh (1:10.0p1-5ubuntu3) questing; urgency=medium * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226) -- Nick Rosbrook <[email protected]> Mon, 04 Aug 2025 11:22:12 -0400 openssh (1:10.0p1-5ubuntu2) questing; urgency=medium * d/rules,d/control: do not build with wtmpdb support (LP: #2116241) * Re-instate UsePAM yes in sshd_config (LP: #2116196): - d/p/debian-config.patch: reinstate erroneously dropped changes - debian/openssh-server.ucf-md5sum: update for current checksums * d/t/control: add breaks-testbed restriction to tests * d/tests: do not fail when $HOME/.ssh exists -- Nick Rosbrook <[email protected]> Tue, 08 Jul 2025 15:40:56 -0400 openssh (1:10.0p1-5ubuntu1) questing; urgency=medium * Merge with Debian unstable. (LP: #2112050) Remaining changes: - debian/rules: modify dh_installsystemd invocations for socket-activated sshd - debian/README.Debian: document systemd socket activation. - debian/.gitignore: drop file - debian/openssh-server.ucf-md5sum: update for Ubuntu delta - d/p/systemd-socket-activation.patch: + Fix sshd re-execution behavior when socket activation is used + Adapt sshd-session for systemd socket activation - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket activation functionality. - debian/patches: Immediately report interactive instructions to PAM clients - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8 - debian/control: Build-Depends: systemd-dev - d/p/sshd-socket-generator.patch: add generator for socket activation - debian/openssh-server.install: install sshd-socket-generator - debian/openssh-server.postinst: restart whichever systemd unit is enabled - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator - ssh.socket: adjust unit for socket activation by default - debian/rules: explicitly enable LTO - d/t/ssh-gssapi: disable -e in cleanup() - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests - d/openssh-server.links: add full sshd.service -> ssh.service alias (LP #2087949) - document /etc/ssh/sshd_config.d/*.conf better in sshd_config (LP #2088207) * New changes: - debian/openssh-server.ucf-md5sum: update for new Ubuntu version - d/p/systemd-socket-activation.patch: add -N no-opt flag for sshd-auth Otherwise, authentication will fail in socket activated mode, due to the unrecognized flag. - d/p/debian-config.patch: refresh * Dropped changes, fixed upstream: - CVE-2025-26465.patch - CVE-2025-26466.patch - CVE-2025-32728.patch -- Nick Rosbrook <[email protected]> Thu, 03 Jul 2025 16:25:27 -0400 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2130054/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
