===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/47.html,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- www/47.html	2010/03/08 22:25:35	1.20
+++ www/47.html	2010/03/08 22:28:40	1.21
@@ -205,7 +205,135 @@
 
 <li>OpenSSH 5.4:
     <ul>
-    <li>...
+    <li>New features:
+        <ul>
+        <li>SSH protocol 1 is disabled by default.
+        <li>Remove the libsectok/OpenSC-based smartcard code and add support
+            for PKCS#11 tokens.
+        <li>Add support for certificate authentication of users and hosts using
+            a new, minimal OpenSSH certificate format (not X.509).
+        <li>Added a 'netcat mode' to
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>.
+        <li>Add the ability to revoke keys in
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
+            and
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>.
+        <li>Rewrite the
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
+            multiplexing support to support non-blocking operation of the mux
+            master.
+        <li>Add a 'read-only' mode to
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>
+            that disables open in write mode and all other fs-modifying
+            protocol methods. (bz#430)
+        <li>Allow setting an explicit umask on the
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>
+            commandline to override whatever default the user has. (bz#1229)
+        <li>Many improvements to the
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>
+            client.
+        <li>New RSA keys will be generated with a public exponent of
+            RSA_F4 == (2**16)+1 == 65537 instead of the previous value 35.
+        <li>Passphrase-protected SSH protocol 2 private keys are now protected
+            with AES-128 instead of 3DES.
+        </ul>
+    <li>The following significant bugs have been fixed in this release:
+        <ul>
+        <li>Fixed a minor information leak of environment variables specified
+            in authorized_keys if an attacker happens to know the public key
+            in use.
+        <li>When using <em>ChrootDirectory</em>, make sure we test for the
+            existence of the user's shell inside the chroot and not outside.
+            (bz#1679)
+        <li>Cache user and group name lookups in sftp-server using
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pwcache&sektion=3">user_from_[ug]id(3)</a>
+            to improve performance on hosts where these operations are slow.
+            (bz#1495)
+        <li>Fix problem that prevented passphrase reading from being
+            interrupted in some circumstances. (bz#1590)
+        <li>Ignore and log any Protocol 1 keys where the claimed size is not
+            equal to the actual size.
+        <li>Make <em>HostBased</em> authentication work with a
+            <em>ProxyCommand</em>. (bz#1569)
+        <li>Avoid run-time failures when specifying hostkeys via a relative
+            path by prepending the current working directory in these cases.
+            (bz#1290)
+        <li>Do not prompt for a passphrase if we fail to open a keyfile, and
+            log the reason why the open failed to debug. (bz#1693)
+        <li>Document that the <em>PubkeyAuthentication</em> directive is
+            allowed in a
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
+            <em>Match</em> block. (bz#1577)
+        <li>When converting keys, truncate key comments at 72 chars as per
+            RFC4716. (bz#1630)
+        <li>Do not allow logins if <em>/etc/nologin</em> exists but is not
+            readable by the user logging in.
+        <li>Output a debug log if
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
+            can't open an existing <em>authorized_keys</em>. (bz#1694)
+        <li>Quell
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcsetattr&sektion=3">tc[gs]etattr(3)</a>
+            warnings when forcing a tty (ssh -tt), since we usually don't
+            actually have a tty to read/set. (bz#1686)
+        <li>Prevent
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>
+            from crashing when given a "-" without a command; also, allow
+            whitespace to follow a "-". (bz#1691)
+        <li>After
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
+            receives a SIGHUP, ignore subsequent HUPs while
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
+            re-execs itself; prevents two HUPs in quick succession from
+            resulting in
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
+            dying. (bz#1692)
+        <li>Clarify in
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
+            that <em>StrictModes</em> does not apply to
+            <em>ChrootDirectory</em>; permissions and ownership are always
+            checked when chrooting. (bz#1532)
+        <li>Set close-on-exec on various descriptors so they don't get leaked
+            to child processes. (bz#1643)
+        <li>Fix very rare race condition in x11/agent channel allocation
+        <li>Fix incorrect exit status when multiplexing and channel ID 0 is
+            recycled. (bz#1570)
+        <li>Fail with an error when an attempt is made to connect to a server
+            with <em>ForceCommand=internal-sftp</em> with a shell session.
+            (bz#1606)
+        <li>Warn but do not fail if
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=stat&sektion=2">stat(2)</a>ing
+            the subsystem binary fails. (bz#1599)
+        <li>Change "Connecting to host..." message to "Connected to host."
+            and delay it until after the sftp protocol connection has been
+            established. (bz#1588)
+        <li>Use the <em>HostKeyAlias</em> rather than the hostname specified
+            on the commandline when prompting for passwords. (bz#1039)
+        <li>Correct off-by-one in <em>percent_expand()</em>. (bz#1607)
+        <li>Fix passing of empty options from
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a>
+            and
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>
+            to the underlying
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>;
+            also add support for the stop option "--".
+        <li>Fix an incorrect magic number and typo in PROTOCOL. (bz#1688)
+        <li>Don't escape backslashes when displaying the SSH2 banner. (bz#1533)
+        <li>Don't unnecessarily dup() the in and out fds for
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>.
+            (bz#1566)
+        <li>Force use of the correct hash function for random-art signature
+            display. (bz#1611)
+        <li>Do not fall back to adding keys without constraints when the agent
+            refuses the constrained add request. (bz#1612)
+        <li>Fix a race condition in
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>
+            that could result in a wedged or spinning agent. (bz#1633)
+        <li>Flush stdio before exec() to ensure that everying has made it out
+            before the streams go away. (bz#1596)
+        <li>Set <em>FD_CLOEXEC</em> on in/out sockets in
+            <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>.
+            (bz#1706)
+        </ul>
     </ul>
 <p>
 
@@ -673,7 +801,7 @@
 alt="OpenBSD"></a>
 <a href="mailto:www@openbsd.org">www@openbsd.org</a>
 <br><small>
-$OpenBSD: 47.html,v 1.20 2010/03/08 22:25:35 jsg Exp $
+$OpenBSD: 47.html,v 1.21 2010/03/08 22:28:40 sobrado Exp $
 </small>
 
 </body>