===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/58.html,v
retrieving revision 1.14
retrieving revision 1.15
diff -c -r1.14 -r1.15
*** www/58.html 2015/08/06 10:41:35 1.14
--- www/58.html 2015/08/06 11:23:31 1.15
***************
*** 133,151 ****
!
OpenSSH X.X
- Potentially-incompatible changes:
- New/changed features:
- The following significant bugs have been fixed in this release:
--- 133,214 ----
!
OpenSSH 7.0
+ - Security:
+
+ - sshd(8):
+ OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
+ Local attackers may be able to write arbitrary messages to logged-in
+ users, including terminal escape sequences.
+
- sshd(8):
+ fix circumvention of MaxAuthTries using keyboard-interactive
+ authentication. By specifying a long, repeating keyboard-interactive
+ "devices" string, an attacker could request the same authentication
+ method be tried thousands of times in a single pass. The
+ LoginGraceTime timeout in
+ sshd(8)
+ and any authentication failure delays implemented by the authentication
+ mechanism itself were still applied.
+
- Potentially-incompatible changes:
! - Support for the legacy SSH version 1 protocol is disabled by
! default at compile time.
!
- Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
! is disabled by default at run-time. It may be re-enabled using
! the instructions at http://www.openssh.com/legacy.html.
!
- Support for ssh-dss, ssh-dss-cert-* host
! and user keys is disabled by default at run-time. These may
! be re-enabled using the instructions at
! http://www.openssh.com/legacy.html.
!
- Support for the legacy v00 cert format has been removed.
!
- The default for the
! sshd_config(5)
! PermitRootLogin option has changed from "yes" to
! "without-password".
- New/changed features:
! - ssh_config(5)
! add PubkeyAcceptedKeyTypes option to control which public
! key types are available for user authentication.
!
- sshd_config(5):
! add HostKeyAlgorithms option to control which public key
! types are offered for host authentications.
!
- ssh(1),
! sshd(8):
! extend Ciphers, MACs, KexAlgorithms,
! HostKeyAlgorithms, PubkeyAcceptedKeyTypes and
! HostbasedKeyTypes options to allow appending to the default
! set of algorithms instead of replacing it. Options may now be
! prefixed with a + to append to the default, e.g.
! "HostKeyAlgorithms=+ssh-dss".
- The following significant bugs have been fixed in this release:
! - ssh(1),
! sshd(8):
! add compatability workarounds for Cisco and more PuTTY versions.
! (bz#2424)
!
- Fix some omissions and errors in the PROTOCOL and
! PROTCOL.mux documentation relating to Unix domain
! socket forwarding. (bz#2421, bz#2422)
!
- ssh(1):
! Improve the
! ssh(1)
! manual page to include a better desciption of Unix domain socket
! forwarding. (bz#2423)
!
- ssh(1),
! ssh-agent(1):
! skip uninitialised PKCS#11 slots, fixing failures to load keys when
! they are present. (bz#2427)
!
- ssh(1),
! ssh-agent(1):
! do not ignore PKCS#11 hosted keys that wth empty CKA_ID.
! (bz#2429)
!
- sshd(8):
! clarify documentation for UseDNS option. (bz#2045)
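Review bot: the bug-fix entries added at the end of this hunk contain spelling errors that will be published on the release page: "compatability" should be "compatibility", "PROTCOL.mux" should be "PROTOCOL.mux" (the line before it spells PROTOCOL correctly), "desciption" should be "description", and "keys that wth empty CKA_ID" looks like it lost a word (likely "keys with empty CKA_ID"). Under New/changed features, the ssh_config(5) entry is missing the trailing colon that the sshd_config(5) entry after it has. In the Security section, the world-writable TTY item names the affected releases (6.8 and 6.9) but does not say the problem is fixed in 7.0, while the MaxAuthTries item says "fix" but gives no affected versions; wording both the same way would let readers tell at a glance whether they are exposed.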