This bug was fixed in the package openssh - 1:7.9p1-1 --------------- openssh (1:7.9p1-1) unstable; urgency=medium * New upstream release (https://www.openssh.com/txt/release-7.9): - ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services; closes: #177406). - ssh(1): allow the IdentityAgent configuration directive to accept environment variable names. This supports the use of multiple agent sockets without needing to use fixed paths. - sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sessions (i.e. not subsystems) that were not subject to a forced command via authorized_keys or sshd_config. - ssh(1): support "ssh -Q sig" to list supported signature options. Also "ssh -Q help" to show the full set of supported queries. - ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm. - sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash. - ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) authentication log messages. - ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when attempting to load PEM private keys while using an incorrect passphrase. - sshd(8): when a channel closed message is received from a client, close the stderr file descriptor at the same time stdout is closed. This avoids stuck processes if they were waiting for stderr to close and were insensitive to stdin/out closing (closes: #844494). - ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding indefinitely. Previously the behaviour of ForwardX11Timeout=0 was undefined. - sshd(8): when compiled with GSSAPI support, cache supported method OIDs regardless of whether GSSAPI authentication is enabled in the main section of sshd_config. This avoids sandbox violations if GSSAPI authentication was later enabled in a Match block. - sshd(8): do not fail closed when configured with a text key revocation list that contains a too-short key. - ssh(1): treat connections with ProxyJump specified the same as ones with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't try to canonicalise the hostname unless CanonicalizeHostname is set to 'always'). - ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key authentication using certificates hosted in a ssh-agent(1) or against sshd(8) from OpenSSH <7.8 (LP: #1790963). - All: support building against the openssl-1.1 API (releases 1.1.0g and later). The openssl-1.0 API will remain supported at least until OpenSSL terminates security patch support for that API version (closes: #828475). - sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox; apparently required by some glibc/OpenSSL combinations. * Remove dh_builddeb override to use xz compression; this has been the default since dpkg 1.17.0. * Simplify debian/rules using /usr/share/dpkg/default.mk. * Remove /etc/network/if-up.d/openssh-server, as it causes more problems than it solves (thanks, Christian Ehrhardt, Andreas Hasenack, and David Britton; closes: #789532, LP: #1037738, #1674330, #1718227). Add an "if-up hook removed" section to README.Debian documenting the corner case that may need configuration adjustments. -- Colin Watson