===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/56.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- www/56.html	2014/08/11 10:00:45	1.13
+++ www/56.html	2014/08/29 13:02:48	1.14
@@ -128,17 +128,118 @@
 
 <li>OpenSSH 6.7
     <ul>
-    <li>Security:
+    <li>Potentially-incompatible changes:
       <ul>
-      <li>...
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        The default set of ciphers and <i>MAC</i>s has been altered to remove
+        unsafe algorithms.  In particular, <i>CBC ciphers</i> and
+        <i>arcfour*</i> are disabled by default.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        Support for <i>tcpwrappers</i>/<i>libwrap</i> has been removed.
+      <li>OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
+        using the "curve25519-sha256@libssh.org" <i>KEX exchange method</i>
+        to fail when connecting with something that implements the
+        specification correctly.  OpenSSH 6.7 disables this KEX method when
+        speaking to one of the affected versions.
       </ul>
     <li>New/changed features:
       <ul>
-      <li>...
+      <li>Major internal refactoring to begin to make part of OpenSSH usable
+        as a library.  So far the wire parsing, key handling and KRL code
+        has been refactored.  Please note that we do not consider the API
+        stable yet, nor do we offer the library in separable form.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>,
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        Add support for <i>Unix domain socket</i> forwarding.  A remote TCP
+        port may be forwarded to a local Unix domain socket and vice versa or
+        both ends may be a Unix domain socket.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>,
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>:
+        Add support for <i>SSHFP DNS records</i> for <i>Ed2551</i>9 key types.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a>:
+        Allow resumption of interrupted uploads.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>:
+        When rekeying, skip file/DNS lookups of the hostkey if it is the same
+        as the one sent during initial key exchange.  (bz#2154)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
+        <tt>GatewayPorts=no</tt>; allows client to choose address family.
+        (bz#2222)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        Add a
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">sshd_config(5)</a>
+        <tt>PermitUserRC</tt> option to control whether <tt>~/.ssh/rc</tt> is
+        executed, mirroring the <tt>no-user-rc</tt> authorized_keys option.
+        (bz#2160)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>:
+        Add a %C escape sequence for <tt>LocalCommand</tt> and
+        <tt>ControlPath</tt> that expands to a unique identifer based on a
+        hash of the tuple of (local host, remote user, hostname, port).  Helps
+        avoid exceeding miserly pathname limits for Unix domain sockets in
+        multiplexing control paths.  (bz#2220)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        Make the "Too many authentication failures" message include the user,
+        source address, port and protocol in a format similar to the
+        authentication success/failure messages.  (bz#2199)
+      <li>Added <i>unit</i> and <i>fuzz</i> tests for refactored code.
       </ul>
     <li>The following significant bugs have been fixed in this release:
       <ul>
-      <li>...
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        Fix remote forwarding with same listen port but different listen
+        address.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>:
+        Fix inverted test that caused <i>PKCS#11</i> keys that were explicitly
+        listed in
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">ssh_config(5)</a>
+        or on the commandline not to be preferred.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>:
+        Fix bug in KRL generation: multiple consecutive revoked certificate
+        serial number ranges could be serialised to an invalid format.
+        Readers of a broken KRL caused by this bug will fail closed, so no
+        should-have-been-revoked key will be accepted.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>:
+        Reflect stdio-forward ("<tt>ssh -W host:port ...</tt>") failures in
+        exit status.  Previously we were always returning 0.  (bz#2255)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>,
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>:
+        Make Ed25519 keys' title fit properly in the randomart border.
+        (bz#2247)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&amp;sektion=1">ssh-agent(1)</a>:
+        Only cleanup agent socket in the main agent process and not in any
+        subprocesses it may have started (e.g. forked askpass).  Fixes agent
+        sockets being zapped when askpass processes <i>fatal()</i>.  (bz#2236)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&amp;sektion=1">ssh-add(1)</a>:
+        Make stdout line-buffered; saves partial output getting lost when
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&amp;sektion=1">ssh-add(1)</a>
+        <i>fatal()</i>s part-way through (e.g. when listing keys from an
+        agent that supports key types that
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&amp;sektion=1">ssh-add(1)</a>
+        doesn't).  (bz#2234)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>:
+        When hashing or removing hosts, don't choke on "@revoked" markers and
+        don't remove "@cert-authority" markers.  (bz#2241)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>:
+        Don't fatal when hostname canonicalisation fails and a
+        <tt>ProxyCommand</tt> is in use; continue and allow the
+        <tt>ProxyCommand</tt> to connect anyway (e.g. to a host with a name
+        outside the DNS behind a bastion).
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a>:
+        When copying local->remote fails during read, don't send uninitialised
+        heap to the remote end.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a>:
+        Fix fatal "el_insertstr failed" errors when tab-completing filenames
+        with a single quote char somewhere in the string.  (bz#2238)
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&amp;sektion=1">ssh-keyscan(1)</a>:
+        Scan for Ed25519 keys by default.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>:
+        When using <tt>VerifyHostKeyDNS</tt> with a DNSSEC resolver,
+        down-convert any certificate keys to plain keys and attempt SSHFP
+        resolution.  Prevents a server from skipping SSHFP lookup and forcing
+        a new-hostkey dialog by offering only certificate keys.
+      <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+        Avoid crash at exit via NULL pointer reference.  (bz#2225)
+      <li>Fix some strict-alignment errors.
       </ul>
     </ul>
 <p>