===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/58.html,v
retrieving revision 1.14
retrieving revision 1.15
diff -c -r1.14 -r1.15
*** www/58.html	2015/08/06 10:41:35	1.14
--- www/58.html	2015/08/06 11:23:31	1.15
***************
*** 133,151 ****
      </ul>
  <p>
  
! <li>OpenSSH X.X
      <ul>
      <li>Potentially-incompatible changes:
        <ul>
!       <li>...
        </ul>
      <li>New/changed features:
        <ul>
!       <li>...
        </ul>
      <li>The following significant bugs have been fixed in this release:
        <ul>
!       <li>...
        </ul>
      </ul>
  <p>
--- 133,214 ----
      </ul>
  <p>
  
! <li>OpenSSH 7.0
      <ul>
+     <li>Security:
+       <ul>
+       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+         OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
+         Local attackers may be able to write arbitrary messages to logged-in
+         users, including terminal escape sequences.
+       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
+         fix circumvention of <tt>MaxAuthTries</tt> using keyboard-interactive
+         authentication.  By specifying a long, repeating keyboard-interactive
+         "devices" string, an attacker could request the same authentication
+         method be tried thousands of times in a single pass.  The
+         <tt>LoginGraceTime</tt> timeout in
+         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
+         and any authentication failure delays implemented by the authentication
+         mechanism itself were still applied.
+       </ul>
      <li>Potentially-incompatible changes:
        <ul>
!       <li>Support for the legacy <i>SSH version 1 protocol</i> is disabled by
!         default at compile time.
!       <li>Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
!         is disabled by default at run-time.  It may be re-enabled using
!         the instructions at <tt>http://www.openssh.com/legacy.html</tt>.
!       <li>Support for <tt>ssh-dss</tt>, <tt>ssh-dss-cert-*</tt> <i>host</i>
!         and <i>user</i> keys is disabled by default at run-time.  These may
!         be re-enabled using the instructions at
!         <tt>http://www.openssh.com/legacy.html</tt>.
!       <li>Support for the legacy <i>v00 cert format</i> has been removed.
!       <li>The default for the
!         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">sshd_config(5)</a>
!         <tt>PermitRootLogin</tt> option has changed from "yes" to
!         "without-password".
        </ul>
      <li>New/changed features:
        <ul>
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">ssh_config(5)</a>
!         add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public
!         key types are available for user authentication.
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">sshd_config(5)</a>:
!         add <tt>HostKeyAlgorithms</tt> option to control which public key
!         types are offered for host authentications.
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>,
!         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
!         extend <tt>Ciphers</tt>, <tt>MACs</tt>, <tt>KexAlgorithms</tt>,
!         <tt>HostKeyAlgorithms</tt>, <tt>PubkeyAcceptedKeyTypes</tt> and
!         <tt>HostbasedKeyTypes</tt> options to allow appending to the default
!         set of algorithms instead of replacing it.  Options may now be
!         prefixed with a <tt>+</tt> to append to the default, e.g.
!         "<tt>HostKeyAlgorithms=+ssh-dss</tt>".
        </ul>
      <li>The following significant bugs have been fixed in this release:
        <ul>
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>,
!         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
!         add compatability workarounds for Cisco and more PuTTY versions.
!         (bz#2424)
!       <li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and
!         <tt>PROTCOL.mux</tt> documentation relating to <i>Unix domain
!         socket</i> forwarding.  (bz#2421, bz#2422)
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>:
!         Improve the
!         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>
!         manual page to include a better desciption of Unix domain socket
!         forwarding.  (bz#2423)
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>,
!         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&amp;sektion=1">ssh-agent(1)</a>:
!         skip uninitialised PKCS#11 slots, fixing failures to load keys when
!         they are present.  (bz#2427)
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>,
!         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&amp;sektion=1">ssh-agent(1)</a>:
!         do not ignore PKCS#11 hosted keys that wth empty <tt>CKA_ID</tt>.
!         (bz#2429)
!       <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>:
!         clarify documentation for <tt>UseDNS</tt> option.  (bz#2045)
        </ul>
      </ul>
  <p>