version 1.13, 2014/08/11 10:00:45
version 1.14, 2014/08/29 13:02:48

<li>OpenSSH 6.7
<ul>
<li>Potentially-incompatible changes:
<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
The default set of ciphers and <i>MAC</i>s has been altered to remove
unsafe algorithms. In particular, <i>CBC ciphers</i> and
<i>arcfour*</i> are disabled by default.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Support for <i>tcpwrappers</i>/<i>libwrap</i> has been removed.
<li>OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the "curve25519-sha256@libssh.org" key exchange (KEX) method
to fail when connecting with something that implements the
specification correctly. OpenSSH 6.7 disables this KEX method when
speaking to one of the affected versions.
</ul>
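<p>
Because the legacy algorithms remain available when a configuration names them explicitly, the change above only helps hosts whose <tt>Ciphers</tt>/<tt>MACs</tt> lines do not pin them. The following portable-sh audit is an added example, not code from this announcement or from OpenSSH: it scans an ssh_config or sshd_config for explicit <tt>Ciphers</tt>/<tt>MACs</tt> entries and flags CBC ciphers and the arcfour* family as named above; treating MD5-based and 96-bit truncated MACs as absent from the 6.7 default MAC list is this example's own assumption, and the sample configuration it writes is constructed.
</p>

```shell
#!/bin/sh
# Added example: audit explicit Ciphers/MACs lines in an ssh_config or
# sshd_config for algorithms that OpenSSH 6.7 no longer enables by default.
# Ciphers: any CBC-mode cipher and the arcfour* (RC4) family, as named in
# the release note. MACs: MD5-based and 96-bit truncated MACs (assumption:
# these are absent from the 6.7 default MAC list).
#
# audit_ssh_algos FILE
#   Prints one "WEAK <directive> <algorithm>" line per flagged entry and
#   returns 1 if anything was flagged, 0 if the file pins no weak algorithm.
audit_ssh_algos() {
    _file=$1
    _hits=0
    set -f                      # no globbing while we word-split config lines
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}      # drop trailing comments
        set -- $_line           # $1 = directive, $2 = value
        [ $# -ge 2 ] || continue
        _directive=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $_directive in
            ciphers|macs) ;;
            *) continue ;;
        esac
        _rest=$2                # comma-separated algorithm list
        while [ -n "$_rest" ]; do
            _algo=${_rest%%,*}
            _lc=$(printf '%s' "$_algo" | tr 'A-Z' 'a-z')
            case "$_directive:$_lc" in
                ciphers:*-cbc|ciphers:arcfour*|macs:*md5*|macs:*-96*)
                    printf 'WEAK %s %s\n' "$_directive" "$_algo"
                    _hits=$((_hits + 1)) ;;
            esac
            [ "$_rest" = "$_algo" ] && break
            _rest=${_rest#*,}
        done
    done < "$_file"
    set +f
    [ "$_hits" -eq 0 ]
}

# Constructed sample configuration (not taken from any real host) that mixes
# current and legacy algorithms on both directives.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config fragment
Port 22
Ciphers aes128-ctr,aes128-cbc,arcfour256,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
EOF
}

# Stand-alone demo: reports aes128-cbc, arcfour256, hmac-md5 and
# hmac-sha1-96, and the audit exits non-zero.
_demo_cfg=${TMPDIR:-/tmp}/sshd_config.demo.$$
write_sample_config "$_demo_cfg"
audit_ssh_algos "$_demo_cfg" || echo "weak algorithms still pinned in $_demo_cfg"
rm -f "$_demo_cfg"
```

<p>
Run it as <tt>audit_ssh_algos /etc/ssh/sshd_config</tt> on each host; a clean file returns 0, so the function slots into a fleet check that fails on any explicit CBC or arcfour pin.
</p>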
<li>New/changed features:
<ul>
<li>Major internal refactoring to begin to make part of OpenSSH usable
as a library. So far the wire parsing, key handling and KRL code
have been refactored. Please note that we do not consider the API
stable yet, nor do we offer the library in separable form.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Add support for <i>Unix domain socket</i> forwarding. A remote TCP
port may be forwarded to a local Unix domain socket and vice versa, or
both ends may be a Unix domain socket.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
Add support for <i>SSHFP DNS records</i> for <i>Ed25519</i> key types.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
Allow resumption of interrupted uploads.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
When rekeying, skip file/DNS lookups of the hostkey if it is the same
as the one sent during initial key exchange. (bz#2154)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
<tt>GatewayPorts=no</tt>; allows the client to choose the address family.
(bz#2222)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Add a
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
<tt>PermitUserRC</tt> option to control whether <tt>~/.ssh/rc</tt> is
executed, mirroring the <tt>no-user-rc</tt> authorized_keys option.
(bz#2160)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Add a %C escape sequence for <tt>LocalCommand</tt> and
<tt>ControlPath</tt> that expands to a unique identifier based on a
hash of the tuple of (local host, remote user, hostname, port). Helps
avoid exceeding miserly pathname limits for Unix domain sockets in
multiplexing control paths. (bz#2220)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Make the "Too many authentication failures" message include the user,
source address, port and protocol in a format similar to the
authentication success/failure messages. (bz#2199)
<li>Added <i>unit</i> and <i>fuzz</i> tests for refactored code.
</ul>
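<p>
An SSHFP record carries an algorithm number and a digest of the raw host key blob, which is what <tt>ssh(1)</tt> compares against a DNSSEC-validated answer when <tt>VerifyHostKeyDNS</tt> is on (and what the <tt>VerifyHostKeyDNS</tt> bug fix below makes happen even when a server offers only certificate keys). <tt>ssh-keygen -r</tt> prints these records for a real key; the portable-sh function below is an added example, not code from this announcement or from OpenSSH, that re-derives them so the Ed25519 mapping (algorithm 4, fingerprint types 1 and 2) is visible. The host name and the 32 key bytes it uses are constructed test values, not a real key, and it assumes GNU coreutils <tt>base64 -d</tt>, <tt>sha1sum</tt> and <tt>sha256sum</tt>.
</p>

```shell
#!/bin/sh
# Added example: derive the SSHFP resource records for an OpenSSH public key
# line, i.e. what ssh(1) compares against a DNSSEC-validated answer when
# VerifyHostKeyDNS is enabled. The fingerprint is a digest of the raw
# (base64-decoded) public key blob; record fields follow RFC 4255, RFC 6594
# and RFC 7479: algorithm 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519; fingerprint
# type 1 SHA-1, type 2 SHA-256.
#
# sshfp_records HOST "<keytype> <base64-blob> [comment]"
#   Prints the SHA-1 and SHA-256 records; returns 1 for an unknown key type.
sshfp_records() {
    _host=$1
    set -- $2                   # $1 = key type, $2 = base64 blob
    case $1 in
        ssh-rsa)     _alg=1 ;;
        ssh-dss)     _alg=2 ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) _alg=3 ;;
        ssh-ed25519) _alg=4 ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
    _sha1=$(printf '%s' "$2" | base64 -d | sha1sum | cut -d' ' -f1)
    _sha256=$(printf '%s' "$2" | base64 -d | sha256sum | cut -d' ' -f1)
    printf '%s IN SSHFP %s 1 %s\n' "$_host" "$_alg" "$_sha1"
    printf '%s IN SSHFP %s 2 %s\n' "$_host" "$_alg" "$_sha256"
}

# Constructed test key (not a real key): the Ed25519 wire blob is the
# SSH string "ssh-ed25519" followed by a 32-byte string, and the 32 key
# bytes here are simply 0x01..0x20.
make_test_key() {
    _blob=$(
        {
            printf '\000\000\000\013ssh-ed25519\000\000\000\040'
            _i=1
            while [ "$_i" -le 32 ]; do
                printf "\\$(printf '%03o' "$_i")"
                _i=$((_i + 1))
            done
        } | base64 | tr -d '\n'
    )
    printf 'ssh-ed25519 %s demo@constructed\n' "$_blob"
}

# Stand-alone demo: prints the two records for the constructed key.
sshfp_records host.example.invalid "$(make_test_key)"
```

<p>
Feed it a line from <tt>/etc/ssh/ssh_host_ed25519_key.pub</tt> to get the records to publish; the comment field is ignored, so two key files that differ only in comment yield identical records, and only the blob bytes matter for verification.
</p>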
<li>The following significant bugs have been fixed in this release:
<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Fix remote forwarding with same listen port but different listen
address.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Fix inverted test that caused <i>PKCS#11</i> keys that were explicitly
listed in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>
or on the command line not to be preferred.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
Fix bug in KRL generation: multiple consecutive revoked certificate
serial number ranges could be serialised to an invalid format.
Readers of a broken KRL caused by this bug will fail closed, so no
should-have-been-revoked key will be accepted.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Reflect stdio-forward ("<tt>ssh -W host:port ...</tt>") failures in
exit status. Previously we were always returning 0. (bz#2255)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
Make Ed25519 keys' title fit properly in the randomart border.
(bz#2247)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
Only clean up the agent socket in the main agent process and not in any
subprocesses it may have started (e.g. forked askpass). Fixes agent
sockets being zapped when askpass processes <i>fatal()</i>. (bz#2236)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>:
Make stdout line-buffered; saves partial output from getting lost when
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>
<i>fatal()</i>s part-way through (e.g. when listing keys from an
agent that supports key types that
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>
doesn't). (bz#2234)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
When hashing or removing hosts, don't choke on "@revoked" markers and
don't remove "@cert-authority" markers. (bz#2241)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Don't fatal when hostname canonicalisation fails and a
<tt>ProxyCommand</tt> is in use; continue and allow the
<tt>ProxyCommand</tt> to connect anyway (e.g. to a host with a name
outside the DNS behind a bastion).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a>:
When copying local->remote fails during read, don't send uninitialised
heap to the remote end.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
Fix fatal "el_insertstr failed" errors when tab-completing filenames
with a single quote char somewhere in the string. (bz#2238)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>:
Scan for Ed25519 keys by default.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
When using <tt>VerifyHostKeyDNS</tt> with a DNSSEC resolver,
down-convert any certificate keys to plain keys and attempt SSHFP
resolution. Prevents a server from skipping SSHFP lookup and forcing
a new-hostkey dialog by offering only certificate keys.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Avoid crash at exit via NULL pointer dereference. (bz#2225)
<li>Fix some strict-alignment errors.
</ul>
</ul>
<p>