version 1.26, 2015/08/10 15:21:51 |
version 1.27, 2015/08/10 19:44:09 |
|
|
<ul>
<li>Security:
<ul>
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
when forwarding X11 connections with <tt>ForwardX11Trusted=no</tt>,
connections made after <tt>ForwardX11Timeout</tt> expired could be
permitted and no longer subject to XSECURITY restrictions because of
an ineffective timeout check in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
coupled with "fail open" behaviour in the X11 server when clients
attempted connections with expired credentials.
This problem was reported by Jann Horn.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
fix weakness of agent locking (<tt>ssh-add -x</tt>) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to logged-in
</ul> |
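The three measures the ssh-agent(1) entry above lists, written out as an added example that is not OpenSSH's code: a lock that keeps only a salted hash of the unlock password, compares digests with a timing-safe function, and makes every attempt wait longer after each failure. The KDF (PBKDF2-HMAC-SHA256), the 100 ms doubling delay capped at 10 s, and the class and parameter names are assumptions made for this example; the WeakLock class shows the pattern the fix removes.

```python
"""Added example, not OpenSSH's code: the hardened lock pattern described in
the ssh-agent(1) fix (salted hash at rest, timing-safe compare, growing delay).

Assumptions: PBKDF2-HMAC-SHA256 stands in for the agent's own KDF; the delay
schedule (100 ms, doubling, capped at 10 s) is chosen here for illustration.
"""
import hashlib
import hmac
import os
import time

SALT_BYTES = 16          # assumption: salt length
KDF_ROUNDS = 100_000     # assumption: PBKDF2 iteration count
BASE_DELAY_MS = 100      # assumption: delay imposed after the first failure
MAX_DELAY_MS = 10_000    # assumption: cap on the growing delay


class WeakLock:
    """The pattern the fix removes: the password is kept verbatim and checked
    with '==', which leaks timing and lets a caller guess as fast as it likes."""

    def __init__(self, password: str) -> None:
        self._password = password

    def unlock(self, attempt: str) -> bool:
        return attempt == self._password


class HardenedLock:
    """Salted hash at rest, timing-safe compare, doubling delay on failures."""

    def __init__(self, password: str, sleep=time.sleep) -> None:
        self._salt = os.urandom(SALT_BYTES)
        self._digest = self._derive(password, self._salt)
        self._failures = 0
        self._sleep = sleep          # injectable so a test need not wait
        self.locked = True

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Salted, slow hash: the plaintext is never stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, KDF_ROUNDS)

    def failure_delay_ms(self) -> int:
        """Delay imposed before the next attempt: 0 after no failures,
        then 100 ms, 200 ms, 400 ms, ... up to MAX_DELAY_MS."""
        if self._failures == 0:
            return 0
        return min(MAX_DELAY_MS, BASE_DELAY_MS * 2 ** (self._failures - 1))

    def unlock(self, attempt: str) -> bool:
        if not self.locked:
            return False
        # Pay for earlier failures before doing any work on this attempt.
        self._sleep(self.failure_delay_ms() / 1000.0)
        candidate = self._derive(attempt, self._salt)
        # compare_digest does not stop at the first differing byte.
        if hmac.compare_digest(candidate, self._digest):
            self._failures = 0
            self._digest = b""       # nothing password-derived stays resident
            self.locked = False
            return True
        self._failures += 1
        return False


if __name__ == "__main__":
    lock = HardenedLock("correct horse", sleep=lambda s: None)
    for guess in ("password", "hunter2", "correct horse"):
        print(f"next delay {lock.failure_delay_ms()} ms, "
              f"unlock({guess!r}) -> {lock.unlock(guess)}")
```

The sleep callable is a parameter only so the delay schedule can be inspected without waiting; the delay is applied before the hash is computed so that the cost of a wrong guess is paid in full on every attempt.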
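A local check for the condition the sshd(8) entry above describes, as an added example that is not OpenSSH's code: it reports pseudo-terminal nodes whose mode carries the world-write bit and clears that bit. The assumptions are Linux conventions, that a correctly allocated pty lives under /dev/pts and is mode 0620 (group-writable for the tty group so that write(1) keeps working); the files that run_demo() creates are constructed stand-ins for device nodes, not real ttys.

```python
"""Added example, not OpenSSH's code: audit pseudo-terminal nodes for the
world-writable mode the sshd(8) TTY fix addresses, and repair offenders.

Assumptions: Linux devpts naming; a normal pty is mode 0620, so S_IWOTH is
the only bit that should never be set on one.
"""
import glob
import os
import stat
import tempfile
from typing import List, Tuple

PTY_GLOB = "/dev/pts/[0-9]*"   # assumption: Linux devpts naming


def world_writable(path: str) -> bool:
    """True when 'other' has write permission on the node."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_ttys(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for every node that is world-writable.
    Nodes that vanish between listing and stat (a session closing) are skipped."""
    findings = []
    for path in paths:
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            continue
        if mode & stat.S_IWOTH:
            findings.append((path, oct(stat.S_IMODE(mode))))
    return findings


def fix_mode(path: str) -> int:
    """Clear only the world-write bit, leaving owner and group bits alone;
    returns the resulting permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IWOTH)
    return stat.S_IMODE(os.stat(path).st_mode)


def constructed_sample(directory: str) -> List[str]:
    """Create two stand-in 'tty' files (constructed sample data, not devices):
    one with the buggy 0622 mode and one with the normal 0620 mode."""
    bad = os.path.join(directory, "pts-bad")
    good = os.path.join(directory, "pts-good")
    for path, mode in ((bad, 0o622), (good, 0o620)):
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return [bad, good]


def run_demo() -> dict:
    """Audit the constructed sample, repair the offender, audit again."""
    with tempfile.TemporaryDirectory() as directory:
        paths = constructed_sample(directory)
        before = audit_ttys(paths)
        repaired = [fix_mode(p) for p, _ in before]
        after = audit_ttys(paths)
    return {"before": [os.path.basename(p) for p, _ in before],
            "modes": [m for _, m in before],
            "repaired": repaired,
            "after": after}


if __name__ == "__main__":
    # Real audit of this host's ptys; prints nothing when all are clean.
    for path, mode in audit_ttys(sorted(glob.glob(PTY_GLOB))):
        print(f"{path} is world-writable (mode {mode})")
    print(run_demo())
```

Running the script on a host reports only the offending nodes; the repair keeps 0620 rather than 0600 so that the tty group (and hence write(1) and wall(1)) still works as intended.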
<li>New/changed features:
<ul>
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
promote <tt>chacha20-poly1305@openssh.com</tt> to be the default
cipher.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
support admin-specified arguments to <tt>AuthorizedKeysCommand</tt>.
(bz#2081)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
add <tt>AuthorizedPrincipalsCommand</tt> that allows retrieving
authorized principals information from a subprocess rather than a
file.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>:
support PKCS#11 devices with external PIN entry devices. (bz#2240)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
allow GSSAPI host credential check to be relaxed for multihomed
hosts via <tt>GSSAPIStrictAcceptorCheck</tt> option. (bz#928)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
support <tt>ssh-keygen -lF hostname</tt> to search <tt>known_hosts</tt>
and print key hashes rather than full keys.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
add <tt>-D</tt> flag to leave
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>
in foreground without enabling debug mode. (bz#2381)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>:
add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public
key types are available for user authentication.
<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
|
deprecate legacy <tt>SSH2_MSG_KEX_DH_GEX_REQUEST_OLD</tt> message and
do not try to use it against some 3rd-party SSH implementations that
use it (older PuTTY, WinSCP).
<li>Many fixes for problems caused by compile-time deactivation of
SSH1 support. (including bz#2369)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
cap DH-GEX group size at 4Kbits for Cisco implementations as some
would fail when attempting to use group sizes greater than 4K.
(bz#2209)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
fix out-of-bound read in <tt>EscapeChar</tt> configuration option
parsing. (bz#2396)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix application of <tt>PermitTunnel</tt>, <tt>LoginGraceTime</tt>,
<tt>AuthenticationMethods</tt> and <tt>StreamLocalBindMask</tt>
options in <tt>Match</tt> blocks.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
improve disconnection message on TCP reset. (bz#2257)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
remove failed remote forwards established by multiplexing from the
list of active forwards. (bz#2363)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
make parsing of <tt>authorized_keys</tt> "<tt>environment=</tt>"
options independent of <tt>PermitUserEnv</tt> being enabled. (bz#2329)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix post-auth crash with <tt>permitopen=none</tt>. (bz#2355)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
allow new-format private keys to be encrypted with AEAD ciphers.
(bz#2366)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
allow <tt>ListenAddress</tt>, <tt>Port</tt> and <tt>AddressFamily</tt>
configuration options to appear in any order. (bz#86)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
check for and reject missing arguments for <tt>VersionAddendum</tt>
and <tt>ForceCommand</tt>. (bz#2281)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
don't treat unknown certificate extensions as fatal. (bz#2387)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
make <tt>stdout</tt> and <tt>stderr</tt> output consistent. (bz#2325)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
mention missing <tt>DISPLAY</tt> environment in debug log when X11
forwarding requested. (bz#1682)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
correctly record login when <tt>UseLogin</tt> is set. (bz#378)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
add some missing options to <tt>sshd -T</tt> output and fix output
of <tt>VersionAddendum</tt> and <tt>HostCertificate</tt>. (bz#2346)
<li>Document and improve consistency of options that accept a
"<tt>none</tt>" argument: <tt>TrustedUserCAKeys</tt>,
<tt>RevokedKeys</tt> (bz#2382), <tt>AuthorizedPrincipalsFile</tt>
(bz#2288).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
include remote username in debug output. (bz#2368)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
avoid compatibility problem with some versions of Tera Term, which
would crash when they received the hostkeys notification message
(<tt>hostkeys-00@openssh.com</tt>).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
mention <tt>ssh-keygen -E</tt> as useful when comparing legacy
<i>MD5 host key fingerprints</i>. (bz#2332)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
clarify pseudo-terminal request behaviour and make manual language
consistent. (bz#1716)
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
document that the <tt>TERM</tt> environment variable is not subject
to <tt>SendEnv</tt> and <tt>AcceptEnv</tt>. (bz#2386)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
add compatibility workarounds for Cisco and more PuTTY versions.
(bz#2424)
<li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and
<ul>
<li>User-visible features:
<ul>
|
<li>Reject all <i>server DH keys</i> smaller than 1024 bits.
<li>Multiple CVEs fixed including CVE-2015-0207, CVE-2015-0209,
CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289,
CVE-2015-1788, CVE-2015-1789, CVE-2015-1792.
<li>Protocol parsing conversions to BoringSSL's <i>CRYPTO ByteString</i>
(CBS) API.
<li>Added <tt>EC_curve_nid2nist</tt> and <tt>EC_curve_nist2nid</tt>
from OpenSSL.
<li>Removed Dynamic Engine support.
<li>Removed MDC-2DES support.
<li>Switched <tt>openssl dhparam</tt> default from 512 to 2048 bits.
<li>More <i>CRYPTO ByteString</i> (CBS) packet parsing conversions.
<li>Fixed <tt>openssl pkeyutl -verify</tt> to exit with a 0 on success.
<li>Fixed dozens of Coverity issues including dead code, memory leaks,
logic errors and more.
</ul>
<li>Code improvements:
<ul>
|
<li>Fix incorrect comparison function in openssl(1) certhash command.
Thanks to Christian Neukirchen / Void Linux.
<li>Removal of <tt>OPENSSL_issetugid</tt> and all library getenv calls.
Applications can and should no longer rely on environment variables
for changing library behavior.
<tt>OPENSSL_CONF</tt>/<tt>SSLEAY_CONF</tt> is still supported with the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a>
command.
<li><tt>libtls</tt> API and documentation additions.
<li>Various bug fixes and simplifications to <tt>libssl</tt> and
<tt>libcrypto</tt>.
<li>Reworked
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a>
option handling.