| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| ssh-vulnkey-compat.patch | Accept obsolete ssh-vulnkey configuration options These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. |
Colin Watson <cjwatson@ubuntu.com> | no | 2017-05-03 | ||
| keepalive-extensions.patch | Various keepalive extensions Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. |
Colin Watson <cjwatson@debian.org> | no | 2017-05-03 | ||
| syslog-level-silent.patch | "LogLevel SILENT" compatibility "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. |
Colin Watson <cjwatson@debian.org> | no | 2013-09-14 | ||
| quieter-signals.patch | Reduce severity of "Killed by signal %d" This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. |
Colin Watson <cjwatson@debian.org> | yes | debian upstream | 2013-09-14 | |
| ssh-argv0.patch | ssh(1): Refer to ssh-argv0(1) Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). |
Colin Watson <cjwatson@debian.org> | not-needed | debian | 2013-09-14 | |
| user-group-modes.patch | Allow harmless group-writability Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. |
Colin Watson <cjwatson@debian.org> | yes | debian upstream | 2013-09-14 | |
| scp-quoting.patch | Adjust scp quoting in verbose mode Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. |
=?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | no | 2010-02-27 | ||
| shell-path.patch | Look for $SHELL on the path for ProxyCommand/LocalCommand There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. |
Colin Watson <cjwatson@debian.org> | yes | debian upstream | 2013-09-14 | |
| dnssec-sshfp.patch | Force use of DNSSEC even if "options edns0" isn't in resolv.conf This allows SSHFP DNS records to be verified if glibc 2.11 is installed. |
Colin Watson <cjwatson@debian.org> | invalid | debian upstream | vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup | 2010-04-06 |
| mention-ssh-keygen-on-keychange.patch | Mention ssh-keygen in ssh fingerprint changed warning | Chris Lamb <lamby@debian.org> | yes | upstream | 2017-08-22 | |
| package-versioning.patch | Include the Debian version in our identification This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) |
Matthew Vernon <matthew@debian.org> | not-needed | 2013-09-14 | ||
| openbsd-docs.patch | Adjust various OpenBSD-specific references in manual pages No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) |
Colin Watson <cjwatson@debian.org> | not-needed | 2017-05-03 | ||
| no-openssl-version-status.patch | Don't check the status field of the OpenSSL version There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. |
Colin Watson <cjwatson@debian.org> | not-needed | debian | 2014-10-07 | |
| debian-config.patch | Various Debian-specific configuration changes fewer problems with existing setups (http://bugs.debian.org/237021). worms. Document all of this. |
Russ Allbery <rra@debian.org> | not-needed | 2017-05-03 | ||
| fix-incoming-compression-statistics.patch | Fix incoming compression statistics | Russell Coker <russell@coker.com.au> | yes | debian | 2017-06-06 | |
| openssl-1.1.patch | OpenSSL 1.1.0 compat This is too risky for the main OpenSSH packages, but for openssh-ssh1 it's unlikely to make matters significantly worse. See: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036467.html |
Colin Watson <cjwatson@debian.org> | yes | debian | vendor, https://src.fedoraproject.org/rpms/openssh/blob/9e46aafab9baa6bb905efdf442cd963ea074e8cd/f/openssh-7.3p1-openssl-1.1.0.patch | 2017-11-27 |
| avoid-hardcoded-selinux-class.patch | avoid inclusion of deprecated selinux/flask.h Use string_to_security_class() instead. |
Damien Miller <djm@mindrot.org> | no | debian | upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bda709b8e13d3eef19e69c2d1684139e3af728f5 | 2020-07-25 |