Debian Patches

Status for openssh/1:9.2p1-2+deb12u3

Patch Description Author Forwarded Bugs Origin Last update
gssapi.patch GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."

However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Jakub Jelen <jjelen@redhat.com> yes upstream other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23 2014-02-09
restore-tcp-wrappers.patch Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html

It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.

It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Colin Watson <cjwatson@debian.org> not-needed 2022-02-23
selinux-role.patch Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Manoj Srivastava <srivasta@debian.org> yes debian upstream 2021-11-05
ssh-vulnkey-compat.patch Accept obsolete ssh-vulnkey configuration options
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Colin Watson <cjwatson@ubuntu.com> no 2014-02-09
keepalive-extensions.patch Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)

In batch mode, default ServerAliveInterval to five minutes.

Adjust documentation to match and to give some more advice on use of
keepalives.
Colin Watson <cjwatson@debian.org> no 2023-01-02
syslog-level-silent.patch "LogLevel SILENT" compatibility
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it. The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.
Colin Watson <cjwatson@debian.org> no 2013-09-14
user-group-modes.patch Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Colin Watson <cjwatson@debian.org> yes debian upstream 2022-02-23
scp-quoting.patch Adjust scp quoting in verbose mode
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.

This should be revised to mimic real shell quoting.
=?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> no 2010-02-27
shell-path.patch Look for $SHELL on the path for ProxyCommand/LocalCommand
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Colin Watson <cjwatson@debian.org> yes debian upstream 2020-02-21
dnssec-sshfp.patch Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Colin Watson <cjwatson@debian.org> invalid debian upstream vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup 2010-04-06
mention-ssh-keygen-on-keychange.patch Mention ssh-keygen in ssh fingerprint changed warning Chris Lamb <lamby@debian.org> yes upstream 2017-08-22
package-versioning.patch Include the Debian version in our identification
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Matthew Vernon <matthew@debian.org> not-needed 2021-11-05
debian-banner.patch Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Kees Cook <kees@debian.org> not-needed debian 2023-01-02
authorized-keys-man-symlink.patch Install authorized_keys(5) as a symlink to sshd(8) Tomas Pospisek <tpo_deb@sourcepole.ch> yes debian upstream 2013-09-14
openbsd-docs.patch Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes:
https://bugs.debian.org/154434 (login.conf(5))
https://bugs.debian.org/513417 (/etc/rc)
https://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
https://bugs.debian.org/998069 (rdomain(4))
Colin Watson <cjwatson@debian.org> not-needed 2021-11-05
ssh-argv0.patch ssh(1): Refer to ssh-argv0(1)
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Colin Watson <cjwatson@debian.org> not-needed debian 2013-09-14
doc-hash-tab-completion.patch Document that HashKnownHosts may break tab-completion Colin Watson <cjwatson@debian.org> yes debian upstream 2021-11-05
ssh-agent-setgid.patch Document consequences of ssh-agent being setgid in ssh-agent(1) Colin Watson <cjwatson@debian.org> no debian 2020-02-21
no-openssl-version-status.patch Don't check the status field of the OpenSSL version
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Colin Watson <cjwatson@debian.org> not-needed debian 2014-10-07
gnome-ssh-askpass2-icon.patch Give the ssh-askpass-gnome window a default icon Vincent Untz <vuntz@ubuntu.com> no 2010-02-28
systemd-readiness.patch Add systemd readiness notification support Michael Biebl <biebl@debian.org> no debian 2017-08-22
debian-config.patch Various Debian-specific configuration changes
fewer problems with existing setups (http://bugs.debian.org/237021).


worms.



PrintMotd.






Document all of this.
Russ Allbery <rra@debian.org> not-needed 2023-01-03
restore-authorized_keys2.patch Restore reading authorized_keys2 by default
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Colin Watson <cjwatson@debian.org> not-needed debian 2017-03-05
revert-ipqos-defaults.patch Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for"

This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.

The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.
Colin Watson <cjwatson@debian.org> no debian 2019-04-08
maxhostnamelen.patch Define MAXHOSTNAMELEN on GNU/Hurd Svante Signell <svante.signell@gmail.com> no debian 2021-11-05
conch-ssh-rsa.patch Work around RSA SHA-2 signature issues in conch
This was supposed to be fixed in Twisted upstream
(https://twistedmatrix.com/trac/ticket/9765), and that fix is in Debian
now. However, regression tests still seem to fail in GitLab CI but not
locally (see e.g.
https://salsa.debian.org/ssh-team/openssh/-/jobs/3513178). Leave this
in place for now until we figure out what's wrong.
Colin Watson <cjwatson@debian.org> not-needed 2022-11-14
systemd-socket-activation.patch Support systemd socket activation
Unlike inetd socket activation, with systemd socket activation the
supervisor passes the listened-on socket to the child process and lets
the child process handle the accept(). This lets us do delayed start
of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.
Steve Langasek <steve.langasek@ubuntu.com> no 2022-09-01
remove-spurious-ssh-agent-options.patch Remove spurious ssh-agent options
These cause regress/agent-getpeereid.sh to leave a stray ssh-agent
process lying around.
Colin Watson <cjwatson@debian.org> yes upstream 2023-02-07
CVE-2023-38408-1.patch terminate pkcs11 process for bad libraries Damien Miller <djm@mindrot.org> no upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b23fe83f06ee7e721033769cfa03ae840476d280 2023-09-17
CVE-2023-38408-2.patch disallow remote addition of FIDO/PKCS11 keys
Depends on the local client performing the session-bind@openssh.com
operation, so non-OpenSSH local client may circumvent this.
Damien Miller <djm@mindrot.org> no upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d7790cdce72a1b6982795baa2b4d6f0bdbb0100d 2023-09-17
CVE-2023-38408-3.patch upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
This checks via nlist(3) that candidate provider libraries contain one
of the symbols that we will require prior to dlopen(), which can cause
a number of side effects, including execution of constructors.

Feedback deraadt; ok markus
"djm@openbsd.org" <djm@openbsd.org> no upstream, https://anongit.mindrot.org/openssh.git/commit/?id=29ef8a04866ca14688d5b7fed7b8b9deab851f77 2023-09-17
CVE-2023-28531.patch upstream: include destination constraints for smartcard keys too.
Spotted by Luci Stanescu; ok deraadt@ markus@
"djm@openbsd.org" <djm@openbsd.org> no debian backport, https://anongit.mindrot.org/openssh.git/commit/?id=54ac4ab2b53ce9fcb66b8250dee91c070e4167ed 2023-12-19
CVE-2023-48795.patch upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@
"djm@openbsd.org" <djm@openbsd.org> no backport, https://anongit.mindrot.org/openssh.git/commit/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 2023-12-19
CVE-2023-51384.patch upstream: apply destination constraints to all p11 keys
Previously applied only to the first key returned from each token.

ok markus@
"djm@openbsd.org" <djm@openbsd.org> no backport, https://anongit.mindrot.org/openssh.git/commit/?id=881d9c6af9da4257c69c327c4e2f1508b2fa754b 2023-12-19
CVE-2023-51385.patch upstream: ban user/hostnames with most shell metacharacters
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.

Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.

It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.

To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.

feedback/ok millert@ markus@ dtucker@ deraadt@
"djm@openbsd.org" <djm@openbsd.org> no backport, https://anongit.mindrot.org/openssh.git/commit/?id=7ef3787c84b6b524501211b11a26c742f829af1a 2023-12-19
Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch [PATCH] Disable async-signal-unsafe code from the sshsigdie() function

Address signal handler race condition: if a client does not authenticate
within LoginGraceTime seconds (120 by default, 600 in old OpenSSH
versions), then sshd's SIGALRM handler is called asynchronously, but
this signal handler calls various functions that are not
async-signal-safe (for example, syslog()).

This is a regression from CVE-2006-5051 ("Signal handler race condition
in OpenSSH before 4.4 allows remote attackers to cause a denial of
service (crash), and possibly execute arbitrary code")
Salvatore Bonaccorso <carnil@debian.org> no 2024-06-22

All known versions for source package 'openssh'

Links