| version 1.26, 2015/08/10 15:21:51 |
version 1.27, 2015/08/10 19:44:09 |
|
|
| <ul> |
<ul> |
| <li>Security: |
<li>Security: |
| <ul> |
<ul> |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
when forwarding X11 connections with <tt>ForwardX11Trusted=no</tt>, |
| |
connections made after <tt>ForwardX11Timeout</tt> expired could be |
| |
permitted and no longer subject to XSECURITY restrictions because of |
| |
an ineffective timeout check in |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
| |
coupled with "fail open" behaviour in the X11 server when clients |
| |
attempted connections with expired credentials. |
| |
This problem was reported by Jann Horn. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| |
fix weakness of agent locking (<tt>ssh-add -x</tt>) to |
| |
password guessing by implementing an increasing failure delay, |
| |
storing a salted hash of the password rather than the password |
| |
itself and using a timing-safe comparison function for verifying |
| |
unlock attempts. This problem was reported by Ryan Castellucci. |
| <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. |
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. |
| Local attackers may be able to write arbitrary messages to logged-in |
Local attackers may be able to write arbitrary messages to logged-in |
|
|
| </ul> |
</ul> |
| <li>New/changed features: |
<li>New/changed features: |
| <ul> |
<ul> |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
promote <tt>chacha20-poly1305@openssh.com</tt> to be the default |
| |
cipher. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
support admin-specified arguments to <tt>AuthorizedKeysCommand</tt>. |
| |
(bz#2081) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
add <tt>AuthorizedPrincipalsCommand</tt> that allows retrieving |
| |
authorized principals information from a subprocess rather than a |
| |
file. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>: |
| |
support PKCS#11 devices with external PIN entry devices. (bz#2240) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
allow GSSAPI host credential check to be relaxed for multihomed |
| |
hosts via <tt>GSSAPIStrictAcceptorCheck</tt> option. (bz#928) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
support <tt>ssh-keygen -lF hostname</tt> to search <tt>known_hosts</tt> |
| |
and print key hashes rather than full keys. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| |
add <tt>-D</tt> flag to leave |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> |
| |
in foreground without enabling debug mode. (bz#2381) |
| <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>: |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>: |
| add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public |
add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public |
| key types are available for user authentication. |
key types are available for user authentication. |
|
|
| <ul> |
<ul> |
| <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
deprecate legacy <tt>SSH2_MSG_KEX_DH_GEX_REQUEST_OLD</tt> message and |
| |
do not try to use it against some 3rd-party SSH implementations that |
| |
use it (older PuTTY, WinSCP). |
| |
<li>Many fixes for problems caused by compile-time deactivation of |
| |
SSH1 support. (including bz#2369) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
cap DH-GEX group size at 4Kbits for Cisco implementations as some |
| |
would fail when attempting to use group sizes greater than 4K. |
| |
(bz#2209) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix out-of-bound read in <tt>EscapeChar</tt> configuration option |
| |
parsing. (bz#2396) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix application of <tt>PermitTunnel</tt>, <tt>LoginGraceTime</tt>, |
| |
<tt>AuthenticationMethods</tt> and <tt>StreamLocalBindMask</tt> |
| |
options in <tt>Match</tt> blocks. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
improve disconnection message on TCP reset. (bz#2257) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
remove failed remote forwards established by multiplexing from the |
| |
list of active forwards. (bz#2363) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
make parsing of <tt>authorized_keys</tt> "<tt>environment=</tt>" |
| |
options independent of <tt>PermitUserEnv</tt> being enabled. (bz#2329) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix post-auth crash with <tt>permitopen=none</tt>. (bz#2355) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
allow new-format private keys to be encrypted with AEAD ciphers. |
| |
(bz#2366) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
allow <tt>ListenAddress</tt>, <tt>Port</tt> and <tt>AddressFamily</tt> |
| |
configuration options to appear in any order. (bz#86) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
check for and reject missing arguments for <tt>VersionAddendum</tt> |
| |
and <tt>ForceCommand</tt>. (bz#2281) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
don't treat unknown certificate extensions as fatal. (bz#2387) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
make <tt>stdout</tt> and <tt>stderr</tt> output consistent. (bz#2325) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
mention missing <tt>DISPLAY</tt> environment in debug log when X11 |
| |
forwarding requested. (bz#1682) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
correctly record login when <tt>UseLogin</tt> is set. (bz#378) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
add some missing options to <tt>sshd -T</tt> output and fix output |
| |
of <tt>VersionAddendum</tt> and <tt>HostCertificate</tt>. (bz#2346) |
| |
<li>Document and improve consistency of options that accept a |
| |
"<tt>none</tt>" argument: <tt>TrustedUserCAKeys</tt>, |
| |
<tt>RevokedKeys</tt> (bz#2382), <tt>AuthorizedPrincipalsFile</tt> |
| |
(bz#2288). |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
include remote username in debug output. (bz#2368) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
avoid compatibility problem with some versions of Tera Term, which |
| |
would crash when they received the hostkeys notification message |
| |
(<tt>hostkeys-00@openssh.com</tt>). |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
mention <tt>ssh-keygen -E</tt> as useful when comparing legacy |
| |
<i>MD5 host key fingerprints</i>. (bz#2332) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
clarify pseudo-terminal request behaviour and use make manual language |
| |
consistent. (bz#1716) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
document that the <tt>TERM</tt> environment variable is not subject |
| |
to <tt>SendEnv</tt> and <tt>AcceptEnv</tt>. (bz#2386) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| add compatability workarounds for Cisco and more PuTTY versions. |
add compatability workarounds for Cisco and more PuTTY versions. |
| (bz#2424) |
(bz#2424) |
| <li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and |
<li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and |
|
|
| <ul> |
<ul> |
| <li>User-visible features: |
<li>User-visible features: |
| <ul> |
<ul> |
| |
<li>Reject all <i>server DH keys</i> smaller than 1024 bits. |
| |
<li>Multiple CVEs fixed including CVE-2015-0207, CVE-2015-0209, |
| |
CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, |
| |
CVE-2015-1788, CVE-2015-1789, CVE-2015-1792. |
| |
<li>Protocol parsing conversions to BoringSSL's <i>CRYPTO ByteString</i> |
| |
(CBS) API. |
| |
<li>Added <tt>EC_curve_nid2nist</tt> and <tt>EC_curve_nist2nid</tt> |
| |
from OpenSSL. |
| |
<li>Removed Dynamic Engine support. |
| |
<li>Removed MDC-2DES support. |
| <li>Switched <tt>openssl dhparam</tt> default from 512 to 2048 bits. |
<li>Switched <tt>openssl dhparam</tt> default from 512 to 2048 bits. |
| <li>More <i>CRYPTO ByteString</i> (CBS) packet parsing conversions. |
|
| <li>Fixed <tt>openssl pkeyutl -verify</tt> to exit with a 0 on success. |
<li>Fixed <tt>openssl pkeyutl -verify</tt> to exit with a 0 on success. |
| <li>Fixed dozens of Coverity issues including dead code, memory leaks, |
<li>Fixed dozens of Coverity issues including dead code, memory leaks, |
| logic errors and more. |
logic errors and more. |
|
|
| </ul> |
</ul> |
| <li>Code improvements: |
<li>Code improvements: |
| <ul> |
<ul> |
| |
<li>Fix incorrect comparison function in openssl(1) certhash command. |
| |
Thanks to Christian Neukirchen / Void Linux. |
| |
<li>Removal of <tt>OPENSSL_issetugid</tt> and all library getenv calls. |
| |
Applications can and should no longer rely on environment variables |
| |
for changing library behavior. |
| |
<tt>OPENSSL_CONF</tt>/<tt>SSLEAY_CONF</tt> is still supported with the |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a> |
| |
command. |
| |
<li><tt>libtls</tt> API and documentation additions. |
| |
<li>rious bug fixes and simplifications to <tt>libssl</tt> and |
| |
<tt>libcrypto</tt>. |
| <li>Reworked |
<li>Reworked |
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a> |
| option handling. |
option handling. |
![[BACK]](/icons/back.gif){kind=icon}
Return to 58.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www