===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/56.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- www/56.html 2014/08/11 10:00:45 1.13
+++ www/56.html 2014/08/29 13:02:48 1.14
@@ -128,17 +128,118 @@
OpenSSH 6.7
- - Security:
+
- Potentially-incompatible changes:
- - ...
+
- sshd(8):
+ The default set of ciphers and MACs has been altered to remove
+ unsafe algorithms. In particular, CBC ciphers and
+ arcfour* are disabled by default.
+
- sshd(8):
+ Support for tcpwrappers/libwrap has been removed.
+
- OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
+ using the "curve25519-sha256@libssh.org" KEX exchange method
+ to fail when connecting with something that implements the
+ specification correctly. OpenSSH 6.7 disables this KEX method when
+ speaking to one of the affected versions.
- New/changed features:
- - ...
+
- Major internal refactoring to begin to make part of OpenSSH usable
+ as a library. So far the wire parsing, key handling and KRL code
+ has been refactored. Please note that we do not consider the API
+ stable yet, nor do we offer the library in separable form.
+
- ssh(1),
+ sshd(8):
+ Add support for Unix domain socket forwarding. A remote TCP
+ port may be forwarded to a local Unix domain socket and vice versa or
+ both ends may be a Unix domain socket.
+
- ssh(1),
+ ssh-keygen(1):
+ Add support for SSHFP DNS records for Ed25519 key types.
+
- sftp(1):
+ Allow resumption of interrupted uploads.
+
- ssh(1):
+ When rekeying, skip file/DNS lookups of the hostkey if it is the same
+ as the one sent during initial key exchange. (bz#2154)
+
- sshd(8):
+ Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
+ GatewayPorts=no; allows client to choose address family.
+ (bz#2222)
+
- sshd(8):
+ Add a
+ sshd_config(5)
+ PermitUserRC option to control whether ~/.ssh/rc is
+ executed, mirroring the no-user-rc authorized_keys option.
+ (bz#2160)
+
- ssh(1):
+ Add a %C escape sequence for LocalCommand and
+ ControlPath that expands to a unique identifer based on a
+ hash of the tuple of (local host, remote user, hostname, port). Helps
+ avoid exceeding miserly pathname limits for Unix domain sockets in
+ multiplexing control paths. (bz#2220)
+
- sshd(8):
+ Make the "Too many authentication failures" message include the user,
+ source address, port and protocol in a format similar to the
+ authentication success/failure messages. (bz#2199)
+
- Added unit and fuzz tests for refactored code.
- The following significant bugs have been fixed in this release:
- - ...
+
- sshd(8):
+ Fix remote forwarding with same listen port but different listen
+ address.
+
- ssh(1):
+ Fix inverted test that caused PKCS#11 keys that were explicitly
+ listed in
+ ssh_config(5)
+ or on the commandline not to be preferred.
+
- ssh-keygen(1):
+ Fix bug in KRL generation: multiple consecutive revoked certificate
+ serial number ranges could be serialised to an invalid format.
+ Readers of a broken KRL caused by this bug will fail closed, so no
+ should-have-been-revoked key will be accepted.
+
- ssh(1):
+ Reflect stdio-forward ("ssh -W host:port ...") failures in
+ exit status. Previously we were always returning 0. (bz#2255)
+
- ssh(1),
+ ssh-keygen(1):
+ Make Ed25519 keys' title fit properly in the randomart border.
+ (bz#2247)
+
- ssh-agent(1):
+ Only cleanup agent socket in the main agent process and not in any
+ subprocesses it may have started (e.g. forked askpass). Fixes agent
+ sockets being zapped when askpass processes fatal(). (bz#2236)
+
- ssh-add(1):
+ Make stdout line-buffered; saves partial output getting lost when
+ ssh-add(1)
+ fatal()s part-way through (e.g. when listing keys from an
+ agent that supports key types that
+ ssh-add(1)
+ doesn't). (bz#2234)
+
- ssh-keygen(1):
+ When hashing or removing hosts, don't choke on "@revoked" markers and
+ don't remove "@cert-authority" markers. (bz#2241)
+
- ssh(1):
+ Don't fatal when hostname canonicalisation fails and a
+ ProxyCommand is in use; continue and allow the
+ ProxyCommand to connect anyway (e.g. to a host with a name
+ outside the DNS behind a bastion).
+
- scp(1):
+ When copying local->remote fails during read, don't send uninitialised
+ heap to the remote end.
+
- sftp(1):
+ Fix fatal "el_insertstr failed" errors when tab-completing filenames
+ with a single quote char somewhere in the string. (bz#2238)
+
- ssh-keyscan(1):
+ Scan for Ed25519 keys by default.
+
- ssh(1):
+ When using VerifyHostKeyDNS with a DNSSEC resolver,
+ down-convert any certificate keys to plain keys and attempt SSHFP
+ resolution. Prevents a server from skipping SSHFP lookup and forcing
+ a new-hostkey dialog by offering only certificate keys.
+
- sshd(8):
+ Avoid crash at exit via NULL pointer reference. (bz#2225)
+
- Fix some strict-alignment errors.
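Review bot: the %C entry in this hunk has a typo, "unique identifer" should read "unique identifier", and the curve25519 entry's "KEX exchange method" is redundant since KEX already stands for key exchange; "KEX method" or "key exchange method" reads cleaner. On the first potentially-incompatible item, the text says the default set of ciphers and MACs was altered but names only the removed ciphers (CBC modes and arcfour*); an administrator reading this cannot tell which MACs changed, nor whether the removed algorithms can still be enabled explicitly through the Ciphers and MACs options, so suggest naming the affected MACs and stating the override path, as that is the first thing anyone with legacy clients will ask. Minor consistency point: every other item in the incompatible-changes list opens with the program it applies to (sshd(8), ssh(1)), while the curve25519 interoperability item has no such prefix; adding "ssh(1), sshd(8):" would match the surrounding style.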