This repository has been archived by the owner on Mar 16, 2022. It is now read-only.

1.266.0

@cf-buildpacks-eng cf-buildpacks-eng released this 07 Feb 21:33
· 20 commits to master since this release

Notably, this release addresses:

USN-3885-1: OpenSSH vulnerabilities:

  • CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
  • CVE-2019-6109: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
  • CVE-2019-6111: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
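
The three CVEs above all come down to a client trusting a server-supplied file name. The sketch below is an added illustration, not OpenSSH code and not part of this release: it shows the checks a receiving client can apply to each announced name before writing or displaying it. The function name, enum and the idea of passing the requested last path component as a glob are assumptions made for the example.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical verdicts for a file name announced by the remote side. */
enum name_verdict {
    NAME_OK = 0,
    NAME_EMPTY_OR_DOT,   /* "", "." or ".." (CVE-2018-20685 class)          */
    NAME_HAS_SLASH,      /* more than one path component (traversal)        */
    NAME_HAS_CONTROL,    /* terminal control bytes (CVE-2019-6109 class)    */
    NAME_NOT_REQUESTED   /* does not match the request (CVE-2019-6111 class) */
};

/* requested_pattern: last path component the user asked for, e.g. "*.txt".
 * received: the name the server says it is about to send. */
enum name_verdict check_received_name(const char *requested_pattern,
                                      const char *received)
{
    /* An empty name or "." would refer to the target directory itself,
     * letting the server change that directory's permissions. */
    if (received[0] == '\0' || strcmp(received, ".") == 0 ||
        strcmp(received, "..") == 0)
        return NAME_EMPTY_OR_DOT;

    /* Only a single path component may be created in the target. */
    if (strchr(received, '/') != NULL)
        return NAME_HAS_SLASH;

    /* ESC, CR and similar bytes could rewrite the progress display and
     * hide extra transfers, so refuse them instead of printing them. */
    for (const unsigned char *p = (const unsigned char *)received; *p; p++)
        if (iscntrl(*p))
            return NAME_HAS_CONTROL;

    /* The server, not the client, picks what is sent; accept only names
     * matching what was requested. FNM_PERIOD keeps "*" from matching
     * dot-files such as ".ssh". */
    if (fnmatch(requested_pattern, received, FNM_PERIOD) != 0)
        return NAME_NOT_REQUESTED;

    return NAME_OK;
}
```
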
-ii  openssh-client      1:6.6p1-2ubuntu2.11  amd64  secure shell (SSH) client, for secure access to remote machines
-ii  openssh-server      1:6.6p1-2ubuntu2.11  amd64  secure shell (SSH) server, for secure access from remote machines
-ii  openssh-sftp-server 1:6.6p1-2ubuntu2.11  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines
+ii  openssh-client      1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) client, for secure access to remote machines
+ii  openssh-server      1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) server, for secure access from remote machines
+ii  openssh-sftp-server 1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines
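
Review bot: The CVE text above describes the flaws as found in OpenSSH 7.9, while the three package lines changed here are 1:6.6p1 builds moving from 2ubuntu2.11 to 2ubuntu2.12, so the notes should state explicitly that 1:6.6p1-2ubuntu2.12 is the package revision carrying the USN-3885-1 fixes. As written, a reader comparing the installed version string against "7.9" cannot tell from this page whether the stack was affected or is now fixed. All three CVEs name the scp client, so a one-line remark on why openssh-server and openssh-sftp-server move in the same step would also help.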