===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/56.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -c -r1.13 -r1.14
*** www/56.html 2014/08/11 10:00:45 1.13
--- www/56.html 2014/08/29 13:02:48 1.14
***************
*** 128,144 ****
OpenSSH 6.7
! - Security:
- New/changed features:
- The following significant bugs have been fixed in this release:
--- 128,245 ----
OpenSSH 6.7
! - Potentially-incompatible changes:
! - sshd(8):
! The default set of ciphers and MACs has been altered to remove
! unsafe algorithms. In particular, CBC ciphers and
! arcfour* are disabled by default.
!
- sshd(8):
! Support for tcpwrappers/libwrap has been removed.
!
- OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
! using the "curve25519-sha256@libssh.org" KEX exchange method
! to fail when connecting with something that implements the
! specification correctly. OpenSSH 6.7 disables this KEX method when
! speaking to one of the affected versions.
- New/changed features:
! - Major internal refactoring to begin to make part of OpenSSH usable
! as a library. So far the wire parsing, key handling and KRL code
! has been refactored. Please note that we do not consider the API
! stable yet, nor do we offer the library in separable form.
!
- ssh(1),
! sshd(8):
! Add support for Unix domain socket forwarding. A remote TCP
! port may be forwarded to a local Unix domain socket and vice versa or
! both ends may be a Unix domain socket.
!
- ssh(1),
! ssh-keygen(1):
! Add support for SSHFP DNS records for Ed25519 key types.
!
- sftp(1):
! Allow resumption of interrupted uploads.
!
- ssh(1):
! When rekeying, skip file/DNS lookups of the hostkey if it is the same
! as the one sent during initial key exchange. (bz#2154)
!
- sshd(8):
! Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
! GatewayPorts=no; allows client to choose address family.
! (bz#2222)
!
- sshd(8):
! Add a
! sshd_config(5)
! PermitUserRC option to control whether ~/.ssh/rc is
! executed, mirroring the no-user-rc authorized_keys option.
! (bz#2160)
!
- ssh(1):
! Add a %C escape sequence for LocalCommand and
! ControlPath that expands to a unique identifer based on a
! hash of the tuple of (local host, remote user, hostname, port). Helps
! avoid exceeding miserly pathname limits for Unix domain sockets in
! multiplexing control paths. (bz#2220)
!
- sshd(8):
! Make the "Too many authentication failures" message include the user,
! source address, port and protocol in a format similar to the
! authentication success/failure messages. (bz#2199)
!
- Added unit and fuzz tests for refactored code.
- The following significant bugs have been fixed in this release:
! - sshd(8):
! Fix remote forwarding with same listen port but different listen
! address.
!
- ssh(1):
! Fix inverted test that caused PKCS#11 keys that were explicitly
! listed in
! ssh_config(5)
! or on the commandline not to be preferred.
!
- ssh-keygen(1):
! Fix bug in KRL generation: multiple consecutive revoked certificate
! serial number ranges could be serialised to an invalid format.
! Readers of a broken KRL caused by this bug will fail closed, so no
! should-have-been-revoked key will be accepted.
!
- ssh(1):
! Reflect stdio-forward ("ssh -W host:port ...") failures in
! exit status. Previously we were always returning 0. (bz#2255)
!
- ssh(1),
! ssh-keygen(1):
! Make Ed25519 keys' title fit properly in the randomart border.
! (bz#2247)
!
- ssh-agent(1):
! Only cleanup agent socket in the main agent process and not in any
! subprocesses it may have started (e.g. forked askpass). Fixes agent
! sockets being zapped when askpass processes fatal(). (bz#2236)
!
- ssh-add(1):
! Make stdout line-buffered; saves partial output getting lost when
! ssh-add(1)
! fatal()s part-way through (e.g. when listing keys from an
! agent that supports key types that
! ssh-add(1)
! doesn't). (bz#2234)
!
- ssh-keygen(1):
! When hashing or removing hosts, don't choke on "@revoked" markers and
! don't remove "@cert-authority" markers. (bz#2241)
!
- ssh(1):
! Don't fatal when hostname canonicalisation fails and a
! ProxyCommand is in use; continue and allow the
! ProxyCommand to connect anyway (e.g. to a host with a name
! outside the DNS behind a bastion).
!
- scp(1):
! When copying local->remote fails during read, don't send uninitialised
! heap to the remote end.
!
- sftp(1):
! Fix fatal "el_insertstr failed" errors when tab-completing filenames
! with a single quote char somewhere in the string. (bz#2238)
!
- ssh-keyscan(1):
! Scan for Ed25519 keys by default.
!
- ssh(1):
! When using VerifyHostKeyDNS with a DNSSEC resolver,
! down-convert any certificate keys to plain keys and attempt SSHFP
! resolution. Prevents a server from skipping SSHFP lookup and forcing
! a new-hostkey dialog by offering only certificate keys.
!
- sshd(8):
! Avoid crash at exit via NULL pointer reference. (bz#2225)
!
- Fix some strict-alignment errors.
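Review bot: Two entries in the bug-fix list are security-relevant but nothing in the new text marks them as such, because the "Security:" heading is replaced by "Potentially-incompatible changes:". They are the scp(1) item ("don't send uninitialised heap to the remote end") and the ssh(1) VerifyHostKeyDNS item ("Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys"). Consider keeping a Security section, or moving these two entries under one, so readers scanning the release notes for security fixes find them. The first sshd(8) entry says CBC ciphers and arcfour* are disabled by default but does not say how to restore them; a pointer to the Ciphers and MACs options in sshd_config(5) would help administrators who still have legacy clients. Separately, "identifer" in the %C escape entry should read "identifier".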