Debian Bug report logs - #873201
openssh-client: command line parsing with -- between option and non-option arguments completely broken

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openssh-client: command line parsing with -- between option and non-option arguments completely broken

Date: Fri, 25 Aug 2017 16:05:33 +0200

Package: openssh-client
Version: 1:7.5p1-7
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Debian maintainer,

I was intending to report this upstream, but, contrary to the documentation
     * [9]openssh-unix-dev@mindrot.org This is a public list and is open to posting from non-subscribed
       users.
on https://www.openssh.com/report.html the upstream mailing list is not
open for postings, as I got a rejection message…
> Posting by non-members to openssh-unix-dev@mindrot.org is currently
> disabled, sorry.
… so please forward this upstream, as is a package maintainer’s duty.

Original message follows:

-----cutting here may damage your screen surface-----
From: Thorsten Glaser <t.glaser@tarent.de>
Message-ID: <alpine.DEB.2.20.1708251545580.2732@tglase.lan.tarent.de>
To: openssh-unix-dev@mindrot.org
Date: Fri, 25 Aug 2017 15:57:47 +0200 (CEST)
Subject: command line parsing with -- between option and non-option arguments completely broken

Hi,

in the process of me fixing CVE-2017-12836 a user noticed a
problem with OpenSSH’s command line parsing.

I’ve verified these on OpenSSH 5.3 (MirBSD) and 7.5p1 (Debian).

So, to begin with, this command _should_ spawn xeyes:

$ ssh -oProxyCommand=xeyes vuxu.org

This command _could_ spawn xeyes on glibc systems, but
probably shouldn’t on POSIX or BSD systems:

$ ssh vuxu.org -oProxyCommand=xeyes

This command properly does not spawn xeyes but tries to
resolve “-oProxyCommand=xeyes” as hostname, correctly failing:

$ ssh -- -oProxyCommand=xeyes

This command *must not* spawn xeyes, but does:

$ ssh -- vuxu.org -oProxyCommand=xeyes

This instead must execute “-oProxyCommand=xeyes” as command
on the remote side.

Interestingly enough, this command works the same and also
mustn’t but also doesn’t:

$ ssh vuxu.org -- -oProxyCommand=xeyes

Now it gets completely weird, this doesn’t spawn xeyes either:

$ ssh -- vuxu.org -- -oProxyCommand=xeyes

This “should” execute “--” as command with “-oProxyCommand=xeyes”
as its first option on the remote site, but judging from the error
| mksh: ProxyCommand=xeyes: unknown option
it instead passes “-oProxyCommand=xeyes” as option to a shell on
the remote side.

I don’t do the security theatre, but this could perhaps be considered
missing command escaping on the remote side (passing what would be a
command as an option to the remote shell) in addition to completely
fucked up option parsing on the local side.

This was first reported by nickserv-auth’d user jn__ on #musl on
Freenode IRC, and leah2 forwarded it to me as current de-facto
maintainer of GNU CVS because I considered adding “--” between
option and nōn-option arguments sufficient for fixing the afore‐
mentioned CVE, judging this effective enough with normal command
line parsing rules (as in getopt(3) on OpenBSD) and given the
.Sx SYNOPSIS
in the ssh manpage.

bye,
//mirabilos

PS: Please keep me in Cc, I’m not subscribed to the list.
-----cutting here may damage your screen surface-----

Thanks!

PS: This affects cvs in wheezy, jessie and stretch but not sid.


-- System Information:
Debian Release: buster/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.11.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.116
ii  dpkg              1.18.24
ii  libc6             2.24-14
ii  libedit2          3.1-20170329-1
ii  libgssapi-krb5-2  1.15.1-2
ii  libselinux1       2.6-3+b2
ii  libssl1.0.2       1.0.2l-2
ii  passwd            1:4.4-4.1
ii  zlib1g            1:1.2.8.dfsg-5

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                  <none>
ii  kwalletcli [ssh-askpass]  3.00-1
pn  libpam-ssh                <none>
pn  monkeysphere              <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]
/etc/ssh/ssh_config changed [not included]

-- no debconf information

Message #10 received at 873201@bugs.debian.org (full text, mbox, reply):

From: Vincent Lefevre <vincent@vinc17.net>

To: Thorsten Glaser <tg@mirbsd.de>, 873201@bugs.debian.org

Subject: Re: Bug#873201: openssh-client: command line parsing with -- between option and non-option arguments completely broken

Date: Fri, 25 Aug 2017 16:31:37 +0200

The ssh manpage doesn't mention the support of "--".
So, I don't think this is a bug. Well, just a wishlist.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Message #15 received at 873201@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Thorsten Glaser <tg@mirbsd.de>, 873201@bugs.debian.org

Subject: Re: Bug#873201: openssh-client: command line parsing with -- between option and non-option arguments completely broken

Date: Fri, 25 Aug 2017 16:36:05 +0100

Control: forwarded -1 https://bugzilla.mindrot.org/show_bug.cgi?id=2766

On Fri, Aug 25, 2017 at 04:05:33PM +0200, Thorsten Glaser wrote:
> I was intending to report this upstream, but, contrary to the documentation
>      * [9]openssh-unix-dev@mindrot.org This is a public list and is open to posting from non-subscribed
>        users.
> on https://www.openssh.com/report.html the upstream mailing list is not
> open for postings, as I got a rejection message…
> > Posting by non-members to openssh-unix-dev@mindrot.org is currently
> > disabled, sorry.
> … so please forward this upstream, as is a package maintainer’s duty.

I have forwarded your report upstream as
https://bugzilla.mindrot.org/show_bug.cgi?id=2766.  If you can, please
(if necessary) create an account on that Bugzilla instance and add
yourself to the CC list so that you can communicate directly, as it's
not actually a terribly effective use of time to demand that maintainers
act as relays.

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #22 received at 873201@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>

To: Colin Watson <cjwatson@debian.org>, Vincent Lefevre <vincent@vinc17.net>

Cc: 873201@bugs.debian.org

Subject: Re: Bug#873201: openssh-client: command line parsing with -- between option and non-option arguments completely broken

Date: Fri, 25 Aug 2017 16:57:58 +0000 (UTC)

Colin Watson dixit:

>I have forwarded your report upstream as

Thanks.

>https://bugzilla.mindrot.org/show_bug.cgi?id=2766.  If you can, please
>(if necessary) create an account on that Bugzilla instance and add

Hm, that bugzilla was not listed on their site either. But for a
drive-by bugreport I’m not very inclined to create an account
somewhere which I’ll forget later anyway.


Vincent Lefevre dixit:

>The ssh manpage doesn't mention the support of "--".

It’s common and POSIX utility syntax, though, *and* it’s apparently
somewhat supported, just in a very broken way.

bye,
//mirabilos
-- 
Yes, I hate users and I want them to suffer.
	-- Marco d'Itri on gmane.linux.debian.devel.general

Message #27 received at 873201@bugs.debian.org (full text, mbox, reply):

From: Vincent Lefevre <vincent@vinc17.net>

To: Thorsten Glaser <tg@mirbsd.de>

Cc: Colin Watson <cjwatson@debian.org>, 873201@bugs.debian.org

Subject: Re: Bug#873201: openssh-client: command line parsing with -- between option and non-option arguments completely broken

Date: Fri, 25 Aug 2017 20:07:21 +0200

On 2017-08-25 16:57:58 +0000, Thorsten Glaser wrote:
> Vincent Lefevre dixit:
> 
> >The ssh manpage doesn't mention the support of "--".
> 
> It’s common and POSIX utility syntax, though, *and* it’s apparently
> somewhat supported, just in a very broken way.

It seems that ssh assumes that the argument after "--" is not
an option (vs any argument for usual commands).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Message #32 received at 873201@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Thorsten Glaser <tg@mirbsd.de>

Cc: Vincent Lefevre <vincent@vinc17.net>, 873201@bugs.debian.org

Subject: Re: Bug#873201: openssh-client: command line parsing with -- between option and non-option arguments completely broken

Date: Sat, 26 Aug 2017 12:50:40 +0100

Control: tag -1 fixed-upstream

On Fri, Aug 25, 2017 at 04:57:58PM +0000, Thorsten Glaser wrote:
> Colin Watson dixit:
> >I have forwarded your report upstream as
> 
> Thanks.
> 
> >https://bugzilla.mindrot.org/show_bug.cgi?id=2766.  If you can, please
> >(if necessary) create an account on that Bugzilla instance and add
> 
> Hm, that bugzilla was not listed on their site either. But for a
> drive-by bugreport I’m not very inclined to create an account
> somewhere which I’ll forget later anyway.

Upstream noted that they in fact fixed this a couple of weeks ago, so
it'll be in 7.6.

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #41 received at 873201-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 873201-close@bugs.debian.org

Subject: Bug#873201: fixed in openssh 1:7.6p1-1

Date: Fri, 06 Oct 2017 12:06:10 +0000

Source: openssh
Source-Version: 1:7.6p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873201@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 06 Oct 2017 12:36:48 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.6p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 873201 877800
Changes:
 openssh (1:7.6p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.6):
     - SECURITY: sftp-server(8): In read-only mode, sftp-server was
       incorrectly permitting creation of zero-length files. Reported by
       Michal Zalewski.
     - ssh(1): Delete SSH protocol version 1 support, associated
       configuration options and documentation (LP: #1584321).
     - ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
     - ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
       ciphers.
     - Refuse RSA keys <1024 bits in length and improve reporting for keys
       that do not meet this requirement.
     - ssh(1): Do not offer CBC ciphers by default.
     - ssh(1): Add RemoteCommand option to specify a command in the ssh
       config file instead of giving it on the client's command line.  This
       allows the configuration file to specify the command that will be
       executed on the remote host.
     - sshd(8): Add ExposeAuthInfo option that enables writing details of the
       authentication methods used (including public keys where applicable)
       to a file that is exposed via a $SSH_USER_AUTH environment variable in
       the subsequent session.
     - ssh(1): Add support for reverse dynamic forwarding.  In this mode, ssh
       will act as a SOCKS4/5 proxy and forward connections to destinations
       requested by the remote SOCKS client.  This mode is requested using
       extended syntax for the -R and RemoteForward options and, because it
       is implemented solely at the client, does not require the server be
       updated to be supported.
     - sshd(8): Allow LogLevel directive in sshd_config Match blocks.
     - ssh-keygen(1): Allow inclusion of arbitrary string or flag certificate
       extensions and critical options.
     - ssh-keygen(1): Allow ssh-keygen to use a key held in ssh-agent as a CA
       when signing certificates.
     - ssh(1)/sshd(8): Allow IPQoS=none in ssh/sshd to not set an explicit
       ToS/DSCP value and just use the operating system default.
     - ssh-add(1): Add -q option to make ssh-add quiet on success.
     - ssh(1): Expand the StrictHostKeyChecking option with two new settings.
       The first "accept-new" will automatically accept hitherto-unseen keys
       but will refuse connections for changed or invalid hostkeys.  This is
       a safer subset of the current behaviour of StrictHostKeyChecking=no.
       The second setting "off", is a synonym for the current behaviour of
       StrictHostKeyChecking=no: accept new host keys, and continue
       connection for hosts with incorrect hostkeys.  A future release will
       change the meaning of StrictHostKeyChecking=no to the behaviour of
       "accept-new".
     - ssh(1): Add SyslogFacility option to ssh(1) matching the equivalent
       option in sshd(8).
     - ssh(1): Use HostKeyAlias if specified instead of hostname for matching
       host certificate principal names.
     - sftp(1): Implement sorting for globbed ls.
     - ssh(1): Add a user@host prefix to client's "Permission denied"
       messages, useful in particular when using "stacked" connections (e.g.
       ssh -J) where it's not clear which host is denying.
     - ssh(1): Accept unknown EXT_INFO extension values that contain \0
       characters.  These are legal, but would previously cause fatal
       connection errors if received.
     - sftp(1): Print '?' instead of incorrect link count (that the protocol
       doesn't provide) for remote listings.
     - ssh(1): Return failure rather than fatal() for more cases during
       session multiplexing negotiations.  Causes the session to fall back to
       a non-mux connection if they occur.
     - ssh(1): Mention that the server may send debug messages to explain
       public key authentication problems under some circumstances.
     - Translate OpenSSL error codes to better report incorrect passphrase
       errors when loading private keys.
     - sshd(8): Adjust compatibility patterns for WinSCP to correctly
       identify versions that implement only the legacy DH group exchange
       scheme (closes: #877800).
     - ssh(1): Print the "Killed by signal 1" message only at LogLevel
       verbose so that it is not shown at the default level; prevents it from
       appearing during ssh -J and equivalent ProxyCommand configs.
     - ssh-keygen(1): When generating all hostkeys (ssh-keygen -A), clobber
       existing keys if they exist but are zero length.  Zero-length keys
       could previously be made if ssh-keygen failed or was interrupted part
       way through generating them.
     - ssh-keyscan(1): Avoid double-close() on file descriptors.
     - sshd(8): Avoid reliance on shared use of pointers shared between
       monitor and child sshd processes.
     - sshd_config(8): Document available AuthenticationMethods.
     - ssh(1): Avoid truncation in some login prompts.
     - ssh(1): Make "--" before the hostname terminate argument processing
       after the hostname too (closes: #873201).
     - ssh-keygen(1): Switch from aes256-cbc to aes256-ctr for encrypting
       new-style private keys.
     - ssh(1): Warn and do not attempt to use keys when the public and
       private halves do not match.
     - sftp(1): Don't print verbose error message when ssh disconnects from
       under sftp.
     - sshd(8): Fix keepalive scheduling problem: prevent activity on a
       forwarded port from preventing the keepalive from being sent.
     - sshd(8): When started without root privileges, don't require the
       privilege separation user or path to exist.
     - ssh(1)/sshd(8): Correctness fix for channels implementation: accept
       channel IDs greater than 0x7FFFFFFF.
     - sshd(8): Expose list of completed authentication methods to PAM via
       the SSH_AUTH_INFO_0 PAM environment variable.
     - ssh(1)/sshd(8): Fix several problems in the tun/tap forwarding code,
       mostly to do with host/network byte order confusion.
     - sshd(8): Avoid Linux seccomp violations on ppc64le over the socketcall
       syscall.
   * Build-depend on debhelper (>= 9.20160709~) rather than dh-systemd.
   * Change priorities of ssh and ssh-krb5 binary packages to optional, since
     "Priority: extra" is now deprecated.
   * Use HTTPS form of copyright-format URL.
   * Adjust "Running sshd from inittab" instructions in README.Debian to
     recommend using service(8) rather than calling the init script directly.
   * Policy version 4.1.0.
   * Adjust "Per-connection sshd instances with systemd" instructions in
     README.Debian to recommend using a drop-in file rather than copying and
     modifying the ssh.socket unit file.
Checksums-Sha1:
 140fba771bb21c3dffb4c8b62a2c3485d0988b8f 3090 openssh_7.6p1-1.dsc
 a6984bc2c72192bed015c8b879b35dd9f5350b3b 1489788 openssh_7.6p1.orig.tar.gz
 d99b00282e52434f208345067732be87669b3e8e 683 openssh_7.6p1.orig.tar.gz.asc
 0b2c021d483e642a4259d80bc47c234e436d60ed 158944 openssh_7.6p1-1.debian.tar.xz
 e19378e8012d344547c7492b33667969958bdf27 14093 openssh_7.6p1-1_source.buildinfo
Checksums-Sha256:
 27e76de22a0ca589f4756fab8440cb2fb7cf4a8f185d985558194df0eb563716 3090 openssh_7.6p1-1.dsc
 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 1489788 openssh_7.6p1.orig.tar.gz
 14e5097d68c73d42afe6314a510e7056b1748ac1d1e19518057b270d19656ad6 683 openssh_7.6p1.orig.tar.gz.asc
 4a34d5d561e495d1b3e45d49b7d5589c25f5af38476baa2f7fce6f1881f47ec6 158944 openssh_7.6p1-1.debian.tar.xz
 d299f289d18777a8aec292212be2344103ef556d8e3b75a5ccc41d388f56b2ae 14093 openssh_7.6p1-1_source.buildinfo
Files:
 71cf8d57a22054894962c434b8899f95 3090 net standard openssh_7.6p1-1.dsc
 06a88699018e5fef13d4655abfed1f63 1489788 net standard openssh_7.6p1.orig.tar.gz
 17179e30530ea7301c8e74279ecbe1fd 683 net standard openssh_7.6p1.orig.tar.gz.asc
 15b94e32ec5f9c7388781b1afc0bc020 158944 net standard openssh_7.6p1-1.debian.tar.xz
 b3009db9ea7684ccff33317e74202cbd 14093 net standard openssh_7.6p1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlnXa3sACgkQOTWH2X2G
UAv3pBAAtfK7CHQFj9mJfz0V1qmrWl8JHWi7IbQVrt8ZosWC+0Ztees/54G84zbj
fYbtxPQOYJVFggTs90U40YlCgGuM7Y828Hwc0K90SZOVwndADO8rrg+lxMSl8LFR
N+lDDu2bTWUHd0aM/KwXb8M9GqoD4+MZgQiNmSAogS/KmxQqDwCt6XD6bO57McRs
SLUqVLsLCYUO8dZNkr3axuMFqFiPFuJq8l7nDHfRqTugq1HD1UMrMSBWxMCoHJF7
oB6wCIXwAc166RQzHNdmiGm4oeu9KvPxgvfb4G5hPvAUe6rt20l7OJtzETFyAmel
uG9v1muBsoPMZm5U1aM6kUSSUBAiu5fVa4ssCnDoHa7PM77W4HRDCb1UEqvDhK/1
EgJ2vzWwe0O1ndy3+/36lCAsp4sysM17rVGdimhFFYSBUizq9db/1Ft8S889qGmS
ttolkscfprwMaQEJHBR1WMwHe7bMFGlFLNmsSKnYgPpH3DIg4Ms9kkGO7VEpec4i
64Xqy2Qs78uKD1t9LUnoKqXb0iJHxXYlNItJwmRbm6O1mo1eOOmi2ivL0SsS9A+O
UpNQZD4XD1z+WD3k7UUauEw7DynhFq5R2mt4KDAv+1xZZ65wGbZM2Jgk9exjTDrV
ccrC1eyBwrj7MMkjpNlp5DVTFocmG+XXiG4jr8H8Mj2bVVRNShU=
=yDfM
-----END PGP SIGNATURE-----

Message #54 received at 873201-done@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 873201-done@bugs.debian.org

Subject: fixed in openssh 1:7.4p1-10+deb9u2

Date: Sun, 19 Nov 2017 10:53:14 +0000

Source: openssh
Source-Version: 1:7.4p1-10+deb9u2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Nov 2017 09:37:22 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-10+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 865770 873201 877800
Changes:
 openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
 .
   * Test configuration before starting or reloading sshd under systemd
     (closes: #865770).
   * Adjust compatibility patterns for WinSCP to correctly identify versions
     that implement only the legacy DH group exchange scheme (closes:
     #877800).
   * Make "--" before the hostname terminate argument processing after the
     hostname too (closes: #873201).
Checksums-Sha1:
 46c6f918c4327b76bccf708cb17f078eefa24494 2924 openssh_7.4p1-10+deb9u2.dsc
 6daedbfc85b992a406642ceed5d28ba03d8946c8 162256 openssh_7.4p1-10+deb9u2.debian.tar.xz
 a17e64964ba0d7882ae4238869ce8ea601736ca7 14817 openssh_7.4p1-10+deb9u2_source.buildinfo
Checksums-Sha256:
 450e7daae7dd4e354e80c1d2ea9228e744950ffebce51d0d75fe937be7f54301 2924 openssh_7.4p1-10+deb9u2.dsc
 023c2277db76405b85262e05255cd9782b5634dbd861e4ea455872a6da195abe 162256 openssh_7.4p1-10+deb9u2.debian.tar.xz
 b328e90f47bd122b83fb21bb98ec369db4394de02008ad9349da3e0b1b85d613 14817 openssh_7.4p1-10+deb9u2_source.buildinfo
Files:
 f9a6ea5b78288b85aaeb88973e14a642 2924 net standard openssh_7.4p1-10+deb9u2.dsc
 deab53428f04ccc029e69ccdb8e3e208 162256 net standard openssh_7.4p1-10+deb9u2.debian.tar.xz
 94443afcdfd7369ec9bb8e49584963ae 14817 net standard openssh_7.4p1-10+deb9u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAloP/80ACgkQOTWH2X2G
UAs6zA/+Nk5oU8m40tIwQqV0aqc3KUbz1tcU3AUvUeLLS0MuMBwnsbPYMeWscUIo
nlPQo6cmt68G90t5owij2FuLDMwR0Osvv7ZaFouyF3HVEkRlRrSBRv1erkY/g8D1
J4p9VHZozsGcDXSbliqcU9Py7Q4ARISNs8/JOTEyoseUGQWONZvYZhLsVMnaRI0d
GO5/CJ+EBm8CdI1ewjqb+ZXnzkXNFWB02+2Q7tvY5BcjASfnzOhZgnX6dZ/tID+C
KsNGRdVBLGAIupVMrHWRi56ywATZa2BSX1KdLI03GmbJ4TZXXX76NK4jk0SIxamB
wZt2bb4SROlj5rWb4ZvjfnNsUPOWsoJeneh8aUYclVmHJi/pTR1OPJIo1FCU2LPM
54sXTD9Xw9mfGtkiAwjdY8zKqt0ciDqS7RaQWnzVFT/Zd/O/CFcP7Fb+N6V9DbBx
bRs9i2GmYQm2ab6umwKPk2/t0OBPt4INANoCsfHTWiRLvZb2DwGTAMPq3MXtDbzk
3yrDsCpwk/13T9PX+uP714NuttTccdI7WhF6G9/dVnV3Y22TkU+VFXkawceZLqI1
/fIGGQsASe/R0cuWxjlQFi4u+kiq0M9uqbmwYM9il8Fg7dX/CIen898JNOmdaG28
ErKAOWMt1NgX9yRbXBi8Ftp6KSPsZXOF9+fju99zYTUTlE4pzu8=
=Y5rU
-----END PGP SIGNATURE-----

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #59 received at 873201-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 873201-close@bugs.debian.org

Subject: Bug#873201: fixed in openssh 1:6.7p1-5+deb8u4

Date: Sun, 19 Nov 2017 22:47:45 +0000

Source: openssh
Source-Version: 1:6.7p1-5+deb8u4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873201@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Nov 2017 10:56:29 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source amd64 all
Version: 1:6.7p1-5+deb8u4
Distribution: jessie
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 865770 873201
Changes:
 openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium
 .
   * Test configuration before starting or reloading sshd under systemd
     (closes: #865770).
   * Make "--" before the hostname terminate argument processing after the
     hostname too (closes: #873201).
Checksums-Sha1:
 d0d499b91f65e4782c4664023ddfb135e1b2e028 2723 openssh_6.7p1-5+deb8u4.dsc
 70b6eafed91f78009d04d5b5390579d79fdaa998 151584 openssh_6.7p1-5+deb8u4.debian.tar.xz
 1d77925fa662f5d25eac37055b439fa65540eae5 692514 openssh-client_6.7p1-5+deb8u4_amd64.deb
 23a4092e567f89af42ba1e9aaebae4f1d410b947 331344 openssh-server_6.7p1-5+deb8u4_amd64.deb
 f26905cd1d45df17bd1b88d7ff74339a5c2b9cab 37914 openssh-sftp-server_6.7p1-5+deb8u4_amd64.deb
 6064c857d7b9a35bb3dc65e47147a1a754520891 119974 ssh_6.7p1-5+deb8u4_all.deb
 d5be9faefeee34c3bfeae838578c23e4de207c8f 119506 ssh-krb5_6.7p1-5+deb8u4_all.deb
 bc122485f886b3da155b5aeace7a44453c3e0eea 127604 ssh-askpass-gnome_6.7p1-5+deb8u4_amd64.deb
 e1044dffcfc934ea4654e197b51283d659ac1e61 258754 openssh-client-udeb_6.7p1-5+deb8u4_amd64.udeb
 2a31820af9544a419fba6ead213f6ce23ea40654 284912 openssh-server-udeb_6.7p1-5+deb8u4_amd64.udeb
Checksums-Sha256:
 4b71d7eb2291c096173e701113a3c56cbcc23e9a13d3ddec539518fa4a25dd8d 2723 openssh_6.7p1-5+deb8u4.dsc
 2523942c9a8472331a47ce8b34c9433fbea381bae8940821e3b378767a3c33f9 151584 openssh_6.7p1-5+deb8u4.debian.tar.xz
 c45c56351f304858c08d4c3ffa9f816f3f1731248b555ece2a40c52c57d6f4fb 692514 openssh-client_6.7p1-5+deb8u4_amd64.deb
 abf7c445c5ec4e58ea2e6528dd62dcefbae4cc609075dcf2c34e3e5e304536ff 331344 openssh-server_6.7p1-5+deb8u4_amd64.deb
 69fe2b1c5e2867d66d4ed95b45e93528c95c9e7481b6bb5c609ae83a397bfed3 37914 openssh-sftp-server_6.7p1-5+deb8u4_amd64.deb
 6fcd4decb6fc4a4dd8f819d395d60444d2c0a29324d6865621671c2942247a4e 119974 ssh_6.7p1-5+deb8u4_all.deb
 68760de7bd8d15fc4f77833a1ac3cc21984c29764deb3551f1fdced2596402d4 119506 ssh-krb5_6.7p1-5+deb8u4_all.deb
 cbdd81a680efe87a44e0c62326f3ec8c33fb720544d25e31acff5c44a6736fb3 127604 ssh-askpass-gnome_6.7p1-5+deb8u4_amd64.deb
 3c4eb402b84c66ecf95aa27695f671292e645d37964a5a75bdb039853437efcd 258754 openssh-client-udeb_6.7p1-5+deb8u4_amd64.udeb
 1d512782abafd68adcc8cd4b185adecc03b0fec81c870c357ebd116c408b0228 284912 openssh-server-udeb_6.7p1-5+deb8u4_amd64.udeb
Files:
 9343c85cdcd21d6124575cdf8b0c0937 2723 net standard openssh_6.7p1-5+deb8u4.dsc
 c94a4f2cf4698223bbaafb5525a898c1 151584 net standard openssh_6.7p1-5+deb8u4.debian.tar.xz
 14e5e89655c03ed51a690aa2151f4f57 692514 net standard openssh-client_6.7p1-5+deb8u4_amd64.deb
 5c9fc8c2f002582c59a2588e41d3b528 331344 net optional openssh-server_6.7p1-5+deb8u4_amd64.deb
 642eef8901b30dae57181940d73ea05b 37914 net optional openssh-sftp-server_6.7p1-5+deb8u4_amd64.deb
 58fa7b34c67104dd7d63745d97c03b25 119974 net extra ssh_6.7p1-5+deb8u4_all.deb
 62906c0f0f282ea7e6f87e13a42660c3 119506 oldlibs extra ssh-krb5_6.7p1-5+deb8u4_all.deb
 c5280fcec263d444bda7db44d6c3f173 127604 gnome optional ssh-askpass-gnome_6.7p1-5+deb8u4_amd64.deb
 ca805ef17e6caa689a220f4f38f6c703 258754 debian-installer optional openssh-client-udeb_6.7p1-5+deb8u4_amd64.udeb
 6521d6d9e623a91de192e48227fcc9e1 284912 debian-installer optional openssh-server-udeb_6.7p1-5+deb8u4_amd64.udeb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAloRabIACgkQOTWH2X2G
UAtkJxAAoC6wo/fSuOhwyPwYOiv008BbW5O8YjwEaWZLNbKKE8PpTFvca3XaCGYw
Nt/f5qKFPy+PBm1oj77kGVoIi0rnvruetGr25v7FdiU8EDaZIEnmdBYHpL9YSpR3
fRDULIJMrqhlGLNyMlTPp33LyghsClDJNSebej3EBPSc3RdVBTTdlfGeYrUOmeFL
LbW0P3VhCHxURSbKkcf37xPSl4u4b1IfqjdlTeO4cpOO+KP+pQMBte79NYnQ4ktD
tyscVF8yHPBxxxKMdMZRaBuKkJkD9OwixfRNbzM058IXPr29EvQOia1pIUpRsX5m
uI9XuaWvLfuqY6olnRuS80vD9F8V003bvKvHRxVTwddWxW1IoGRcx4aspYt5jX4w
B8ixe3/oGrnXvgIEFEZUcVg4q0N3Zuj+p8NM7Dg1bYq07QjGjuxrI8mQJshWBmAw
BiwxmY+QpgqbNpmOIbYpiVM6XOml13cpHVHl38gItmJg3nOE+9Jvjr9BCjFfvvcf
OXXfDd//afClG3wCXB9nxin8lznx9Eofn4KTkUGM6ccQXJ8Ab+hpJIcOQgGIVreb
tJ/nfNh/T6CDjWa+NA+5fD4mHVMn3fhVr6N9BcAjDVUr9g+TQxCqz/8oi43q4RpQ
phCGG1gPZIdDImixnZ8YVE9IQlh94r8pPe6q8tMr4vmuQPmJ3V0=
=JNmc
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.