ssh-vulnkey-compat.patch Accept obsolete ssh-vulnkey configuration options
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Colin Watson <> no 2017-05-03
keepalive-extensions.patch Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for

In batch mode, default ServerAliveInterval to five minutes.

Adjust documentation to match and to give some more advice on use of
Colin Watson <> no 2017-05-03
syslog-level-silent.patch "LogLevel SILENT" compatibility
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it. The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.
Colin Watson <> no 2013-09-14
quieter-signals.patch Reduce severity of "Killed by signal %d"
This produces irritating messages when using ProxyCommand or other programs
that use ssh under the covers (e.g. Subversion). These messages are more
normally printed by the calling program, such as the shell.

According to the upstream bug, the right way to avoid this is to use the -q
option, so we may drop this patch after further investigation into whether
any software in Debian is still relying on it.
Colin Watson <> yes debian upstream 2013-09-14
ssh-argv0.patch ssh(1): Refer to ssh-argv0(1)
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Colin Watson <> not-needed debian 2013-09-14
user-group-modes.patch Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
Colin Watson <> yes debian upstream 2013-09-14
scp-quoting.patch Adjust scp quoting in verbose mode
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.

This should be revised to mimic real shell quoting.
Nicolas Valcárcel <> no 2010-02-27
shell-path.patch Look for $SHELL on the path for ProxyCommand/LocalCommand
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Colin Watson <> yes debian upstream 2013-09-14
dnssec-sshfp.patch Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Colin Watson <> invalid debian upstream vendor, 2010-04-06
mention-ssh-keygen-on-keychange.patch Mention ssh-keygen in ssh fingerprint changed warning
Chris Lamb <> yes upstream 2017-08-22
package-versioning.patch Include the Debian version in our identification
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Matthew Vernon <> not-needed 2013-09-14
openbsd-docs.patch Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes: (login.conf(5)) (/etc/rc) (ssl(8)) (ssl(8))
Colin Watson <> not-needed 2017-05-03
no-openssl-version-status.patch Don't check the status field of the OpenSSL version
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Colin Watson <> not-needed debian 2014-10-07
debian-config.patch Various Debian-specific configuration changes
fewer problems with existing setups (


Document all of this.
Russ Allbery <> not-needed 2017-05-03
fix-incoming-compression-statistics.patch Fix incoming compression statistics
Russell Coker <> yes debian 2017-06-06
openssl-1.1.patch OpenSSL 1.1.0 compat
This is too risky for the main OpenSSH packages, but for openssh-ssh1
it's unlikely to make matters significantly worse. See:
Colin Watson <> yes debian vendor, 2017-11-27
avoid-hardcoded-selinux-class.patch avoid inclusion of deprecated selinux/flask.h
Use string_to_security_class() instead.
Damien Miller <> no debian upstream, 2020-07-25

