===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/58.html,v
retrieving revision 1.77
retrieving revision 1.78
diff -c -r1.77 -r1.78
*** www/58.html 2015/10/18 15:21:39 1.77
--- www/58.html 2016/03/21 05:46:19 1.78
***************
*** 37,43 ****
See a detailed log of changes between the
5.7 and 5.8 releases.
!
signify(1) pubkeys for this release:
base: RWQNNZXtC/MqP3Eiu+6FBz/qrxiWQwDhd+9Yljzp62UP4KzFmmvzVk60
fw: RWTpkvg4fhJCDx9yL4bUCou/vtAecPVTfcaaGESQeBruwX/qHToMvWh6
--- 37,43 ----
See a detailed log of changes between the
5.7 and 5.8 releases.
!
signify(1) pubkeys for this release:
base: RWQNNZXtC/MqP3Eiu+6FBz/qrxiWQwDhd+9Yljzp62UP4KzFmmvzVk60
fw: RWTpkvg4fhJCDx9yL4bUCou/vtAecPVTfcaaGESQeBruwX/qHToMvWh6
***************
*** 68,104 ****
- Improved hardware support, including:
! - New rtwn(4) driver for Realtek RTL8188CE wifi cards.
!
- New hpb(4) driver for HyperTransport bridges as found in the IBM CPC945.
!
- The ugold(4) driver now supports TEMPerHUMV1.x temperature and humidity sensors.
!
- Improved sensor support for the upd(4) driver for USB Power Devices (UPS).
!
- Support for jumbo frames on re(4) devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU.
!
- re(4) now works with newer devices e.g. RTL8111GU.
!
- Partial support has been added for full-speed isochronous devices in ehci(4), allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.
- Improved macppc stability and G5 performances with MP kernels.
!
- acpicpu(4) uses ACPI C-state information to reduce power consumption of idle CPUs.
- Kernel supports x86 AVX instructions on CPUs that have them.
- Avoid assigning low address to PCI BARs, fixing various issues on machines whose BIOSes neglect to claim low memory.
!
- wscons(4) works with even more odd trackpads.
!
- Added pvbus(4) paravirtual device tree root on virtual machines that are running on hypervisors.
- New octdwctwo(4) driver for USB support on OpenBSD/octeon.
!
- New amdcf(4) driver for embedded flash on OpenBSD/octeon.
!
- Support for RTL8188EU devices was added to the urtwn(4) driver.
- Removed hardware support:
! - The lmc(4) driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3 devices has been removed.
!
- The san(4) driver for Sangoma Technologies AFT T1/E1 devices has been removed.
- Generic network stack improvements:
! - MTU of vlan(4) devices can now be set independently from the parent interface's MTU.
- The same network range can now be assigned to multiple interfaces, using interface priorities to choose between them.
!
- New MPLS pseudowire driver mpw(4).
- Much preparatory work for MP unlocking of the network stack.
--- 68,104 ----
! - autoinstall(8)
has been extended to allow
- hostname-mode.conf response file names.
- response files to be placed in a subdir of the webserver's document root.
- passing a template file to
! disklabel(8)
to automatically partition the disk.
! - ntpd(8)
is now enabled by default at install time.
- DUID support has improved enough that new installs now use them unconditionally.
- Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present.
--- 110,125 ----
- The default answer is now 'no'.
- 'prohibit-password' has been added to the list of possible answers.
! autoinstall(8)
has been extended to allow
- hostname-mode.conf response file names.
- response files to be placed in a subdir of the webserver's document root.
- passing a template file to
! disklabel(8)
to automatically partition the disk.
! ntpd(8)
is now enabled by default at install time.
DUID support has improved enough that new installs now use them unconditionally.
Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present.
***************
*** 130,212 ****
Routing daemons and other userland network improvements:
! - Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces.
!
- bgpd(8) now allows rules to match on the peer AS number.
!
- For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session.
!
- ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup.
!
- Log messages in bgpd(8) and ospfd(8) have been made more specific.
!
- The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
!
- New radiusd(8),
Remote Authentication Dial In User Service (RADIUS) daemon.
Security improvements:
! - sudo in base has been replaced with doas(1), sudo is available as a package.
!
- file(1) has been replaced with a new modern implementation, including sandbox and privilege separation.
!
- pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
- Static PIE support for sparc.
- Alpha switched to secure PLT.
- Improved kernel checks of ELF headers.
- Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
- Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit.
!
- Work started on a new process-containment facility called tame(2).
Assorted improvements:
! - The worm(6)
now grows at a rate proportional to terminal size.
!
- dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries.
!
- cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision.
!
- pax(1) now detects failure to decompress an archive when reading it and errors out immediately.
!
- nm(1) now supports the -D option for displaying the dynamic symbol table.
!
- dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed.
!
- Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments. iovec, msghdr, and cmsghdr structures are now dumped.
!
- sed(1) -i option added.
!
- New, much simpler man.conf(5) configuration file format
! for man(1),
! apropos(1),
! and makewhatis(8).
!
- When using man(1)
! with the less(1) pager,
support the :t internal command
to search for definitions of keywords similar to what
! ctags(1) provides.
- Improvements in checking of numeric option values in many utilities.
- Upgraded to binutils version 2.17 with additional fixes.
!
- Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds.
!
- Restored reporting of closed sockets by netstat(1) and systat(1).
!
- fdisk(8) now zeros correct GPT sector at end of disk.
!
- fdisk(8) now accepts 'T' sizes for terabytes.
!
- fdisk(8) repaired to work on 4K sector disks again.
!
- dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present.
!
- dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.
!
- dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit.
!
- dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.
!
- Improvements to realloc(3) decrease system calls and increase efficiency.
- The reaper now tears down dead processes without holding on to
the kernel lock. This greatly reduces latency and increases
performance on multi-processor systems.
!
OpenBSD httpd(8):
- New features:
! - Added support for matching and redirections with Lua patterns(7).
- Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).
- Added byte-range support for range requests (RFC 7233).
- Allowing to specify a global or per-location default media type instead of application/octet-stream.
- Added support for HTTP Strict Transport Security (HSTS; RFC 6797).
!
- Added initial regression test suite based on relayd(8)'s implementation.
- Fixes and improvements:
! - TLS in httpd(8) and relayd(8) now defaults to TLSv1.2-only.
- Fixed support for large TLS keys or certificate bundles with up to 16KB each.
- Fixed the Content-Length header for files larger than 2 GB on 32-bit architectures.
- Fixed translation of CGI environment variables in accordance with RFCs 7230 and 3875.
--- 130,212 ----
- Routing daemons and other userland network improvements:
! - Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces.
!
- bgpd(8) now allows rules to match on the peer AS number.
!
- For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session.
!
- ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup.
!
- Log messages in bgpd(8) and ospfd(8) have been made more specific.
!
- The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
!
- New radiusd(8),
Remote Authentication Dial In User Service (RADIUS) daemon.
- Security improvements:
! - sudo in base has been replaced with doas(1), sudo is available as a package.
!
- file(1) has been replaced with a new modern implementation, including sandbox and privilege separation.
!
- pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
- Static PIE support for sparc.
- Alpha switched to secure PLT.
- Improved kernel checks of ELF headers.
- Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
- Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit.
!
- Work started on a new process-containment facility called tame(2).
- Assorted improvements:
! - The worm(6)
now grows at a rate proportional to terminal size.
!
- dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries.
!
- cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision.
!
- pax(1) now detects failure to decompress an archive when reading it and errors out immediately.
!
- nm(1) now supports the -D option for displaying the dynamic symbol table.
!
- dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed.
!
- Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments. iovec, msghdr, and cmsghdr structures are now dumped.
!
- sed(1) -i option added.
!
- New, much simpler man.conf(5) configuration file format
! for man(1),
! apropos(1),
! and makewhatis(8).
!
- When using man(1)
! with the less(1) pager,
support the :t internal command
to search for definitions of keywords similar to what
! ctags(1) provides.
- Improvements in checking of numeric option values in many utilities.
- Upgraded to binutils version 2.17 with additional fixes.
!
- Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds.
!
- Restored reporting of closed sockets by netstat(1) and systat(1).
!
- fdisk(8) now zeros correct GPT sector at end of disk.
!
- fdisk(8) now accepts 'T' sizes for terabytes.
!
- fdisk(8) repaired to work on 4K sector disks again.
!
- dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present.
!
- dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.
!
- dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit.
!
- dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.
!
- Improvements to realloc(3) decrease system calls and increase efficiency.
- The reaper now tears down dead processes without holding on to
the kernel lock. This greatly reduces latency and increases
performance on multi-processor systems.
!
- OpenBSD httpd(8):
- New features:
! - Added support for matching and redirections with Lua patterns(7).
- Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).
- Added byte-range support for range requests (RFC 7233).
- Allowing to specify a global or per-location default media type instead of application/octet-stream.
- Added support for HTTP Strict Transport Security (HSTS; RFC 6797).
!
- Added initial regression test suite based on relayd(8)'s implementation.
- Fixes and improvements:
! - TLS in httpd(8) and relayd(8) now defaults to TLSv1.2-only.
- Fixed support for large TLS keys or certificate bundles with up to 16KB each.
- Fixed the Content-Length header for files larger than 2 GB on 32-bit architectures.
- Fixed translation of CGI environment variables in accordance with RFCs 7230 and 3875.
***************
*** 221,227 ****
- OpenSMTPD 5.4.4
! - smtpd(8) reliability and bug fixes.
- NOTE: Some security risks were discovered and fixed after the
OpenBSD 5.8 release.
See 5.8 errata 004.
--- 221,227 ----
- OpenSMTPD 5.4.4
! - smtpd(8) reliability and bug fixes.
- NOTE: Some security risks were discovered and fixed after the
OpenBSD 5.8 release.
See 5.8 errata 004.
***************
*** 232,263 ****
- Security:
! - ssh(1):
when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be
permitted and no longer subject to XSECURITY restrictions because of
an ineffective timeout check in
! ssh(1)
coupled with "fail open" behaviour in the X11 server when clients
attempted connections with expired credentials.
This problem was reported by Jann Horn.
!
- ssh-agent(1):
fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
!
- sshd(8):
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to logged-in
users, including terminal escape sequences.
!
- sshd(8):
fix circumvention of MaxAuthTries using keyboard-interactive
authentication. By specifying a long, repeating keyboard-interactive
"devices" string, an attacker could request the same authentication
method be tried thousands of times in a single pass. The
LoginGraceTime timeout in
! sshd(8)
and any authentication failure delays implemented by the authentication
mechanism itself were still applied.
--- 232,263 ----
- Security:
! - ssh(1):
when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be
permitted and no longer subject to XSECURITY restrictions because of
an ineffective timeout check in
! ssh(1)
coupled with "fail open" behaviour in the X11 server when clients
attempted connections with expired credentials.
This problem was reported by Jann Horn.
!
- ssh-agent(1):
fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
!
- sshd(8):
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to logged-in
users, including terminal escape sequences.
!
- sshd(8):
fix circumvention of MaxAuthTries using keyboard-interactive
authentication. By specifying a long, repeating keyboard-interactive
"devices" string, an attacker could request the same authentication
method be tried thousands of times in a single pass. The
LoginGraceTime timeout in
! sshd(8)
and any authentication failure delays implemented by the authentication
mechanism itself were still applied.
***************
*** 274,280 ****
http://www.openssh.com/legacy.html.
- Support for the legacy v00 cert format has been removed.
- The default for the
! sshd_config(5)
PermitRootLogin option has changed from "yes" to
"prohibit-password" (but the OpenBSD installer defaults to "no").
- NOTE: 'PermitRootLogin prohibit-password' is subtly broken
--- 274,280 ----
http://www.openssh.com/legacy.html.
- Support for the legacy v00 cert format has been removed.
- The default for the
! sshd_config(5)
PermitRootLogin option has changed from "yes" to
"prohibit-password" (but the OpenBSD installer defaults to "no").
- NOTE: 'PermitRootLogin prohibit-password' is subtly broken
***************
*** 283,320 ****
- New/changed features:
! - ssh(1),
! sshd(8):
promote chacha20-poly1305@openssh.com to be the default
cipher.
!
- sshd(8):
support admin-specified arguments to AuthorizedKeysCommand.
(bz#2081)
!
- sshd(8):
add AuthorizedPrincipalsCommand that allows retrieving
authorized principals information from a subprocess rather than a
file.
!
- ssh(1),
! ssh-add(1):
support PKCS#11 devices with external PIN entry devices. (bz#2240)
!
- sshd(8):
allow GSSAPI host credential check to be relaxed for multihomed
hosts via GSSAPIStrictAcceptorCheck option. (bz#928)
!
- ssh-keygen(1):
support ssh-keygen -lF hostname to search known_hosts
and print key hashes rather than full keys.
!
- ssh-agent(1):
add -D flag to leave
! ssh-agent(1)
in foreground without enabling debug mode. (bz#2381)
!
- ssh_config(5):
add PubkeyAcceptedKeyTypes option to control which public
key types are available for user authentication.
!
- sshd_config(5):
add HostKeyAlgorithms option to control which public key
types are offered for host authentications.
!
- ssh(1),
! sshd(8):
extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and
HostbasedKeyTypes options to allow appending to the default
--- 283,320 ----
- New/changed features:
! - ssh(1),
! sshd(8):
promote chacha20-poly1305@openssh.com to be the default
cipher.
!
- sshd(8):
support admin-specified arguments to AuthorizedKeysCommand.
(bz#2081)
!
- sshd(8):
add AuthorizedPrincipalsCommand that allows retrieving
authorized principals information from a subprocess rather than a
file.
!
- ssh(1),
! ssh-add(1):
support PKCS#11 devices with external PIN entry devices. (bz#2240)
!
- sshd(8):
allow GSSAPI host credential check to be relaxed for multihomed
hosts via GSSAPIStrictAcceptorCheck option. (bz#928)
!
- ssh-keygen(1):
support ssh-keygen -lF hostname to search known_hosts
and print key hashes rather than full keys.
!
- ssh-agent(1):
add -D flag to leave
! ssh-agent(1)
in foreground without enabling debug mode. (bz#2381)
!
- ssh_config(5):
add PubkeyAcceptedKeyTypes option to control which public
key types are available for user authentication.
!
- sshd_config(5):
add HostKeyAlgorithms option to control which public key
types are offered for host authentications.
!
- ssh(1),
! sshd(8):
extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and
HostbasedKeyTypes options to allow appending to the default
***************
*** 324,423 ****
- The following significant bugs have been fixed in this release:
! - ssh(1),
! sshd(8):
deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and
do not try to use it against some 3rd-party SSH implementations that
use it (older PuTTY, WinSCP).
- Many fixes for problems caused by compile-time deactivation of
SSH1 support. (including bz#2369)
!
- ssh(1),
! sshd(8):
cap DH-GEX group size at 4Kbits for Cisco implementations as some
would fail when attempting to use group sizes greater than 4K.
(bz#2209)
!
- ssh(1):
fix out-of-bound read in EscapeChar configuration option
parsing. (bz#2396)
!
- sshd(8):
fix application of PermitTunnel, LoginGraceTime,
AuthenticationMethods and StreamLocalBindMask
options in Match blocks.
!
- ssh(1),
! sshd(8):
improve disconnection message on TCP reset. (bz#2257)
!
- ssh(1):
remove failed remote forwards established by multiplexing from the
list of active forwards. (bz#2363)
!
- sshd(8):
make parsing of authorized_keys "environment="
options independent of PermitUserEnv being enabled. (bz#2329)
!
- sshd(8):
fix post-auth crash with permitopen=none. (bz#2355)
!
- ssh(1),
! ssh-add(1),
! ssh-keygen(1):
allow new-format private keys to be encrypted with AEAD ciphers.
(bz#2366)
!
- ssh(1):
allow ListenAddress, Port and AddressFamily
configuration options to appear in any order. (bz#86)
!
- sshd(8):
check for and reject missing arguments for VersionAddendum
and ForceCommand. (bz#2281)
!
- ssh(1),
! sshd(8):
don't treat unknown certificate extensions as fatal. (bz#2387)
!
- ssh-keygen(1):
make stdout and stderr output consistent. (bz#2325)
!
- ssh(1):
mention missing DISPLAY environment in debug log when X11
forwarding requested. (bz#1682)
!
- sshd(8):
correctly record login when UseLogin is set. (bz#378)
!
- sshd(8):
add some missing options to sshd -T output and fix output
of VersionAddendum and HostCertificate. (bz#2346)
- Document and improve consistency of options that accept a
"none" argument: TrustedUserCAKeys,
RevokedKeys (bz#2382), AuthorizedPrincipalsFile
(bz#2288).
!
- ssh(1):
include remote username in debug output. (bz#2368)
!
- sshd(8):
avoid compatibility problem with some versions of Tera Term, which
would crash when they received the hostkeys notification message
(hostkeys-00@openssh.com).
!
- sshd(8):
mention ssh-keygen -E as useful when comparing legacy
MD5 host key fingerprints. (bz#2332)
!
- ssh(1):
clarify pseudo-terminal request behaviour and use make manual language
consistent. (bz#1716)
!
- ssh(1):
document that the TERM environment variable is not subject
to SendEnv and AcceptEnv. (bz#2386)
!
- ssh(1),
! sshd(8):
add compatability workarounds for Cisco and more PuTTY versions.
(bz#2424)
- Fix some omissions and errors in the PROTOCOL and
PROTCOL.mux documentation relating to Unix domain
socket forwarding. (bz#2421, bz#2422)
!
- ssh(1):
Improve the
! ssh(1)
manual page to include a better desciption of Unix domain socket
forwarding. (bz#2423)
!
- ssh(1),
! ssh-agent(1):
skip uninitialised PKCS#11 slots, fixing failures to load keys when
they are present. (bz#2427)
!
- ssh(1),
! ssh-agent(1):
do not ignore PKCS#11 hosted keys that wth empty CKA_ID.
(bz#2429)
!
- sshd(8):
clarify documentation for UseDNS option. (bz#2045)
--- 324,423 ----
- The following significant bugs have been fixed in this release:
! - ssh(1),
! sshd(8):
deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and
do not try to use it against some 3rd-party SSH implementations that
use it (older PuTTY, WinSCP).
- Many fixes for problems caused by compile-time deactivation of
SSH1 support. (including bz#2369)
!
- ssh(1),
! sshd(8):
cap DH-GEX group size at 4Kbits for Cisco implementations as some
would fail when attempting to use group sizes greater than 4K.
(bz#2209)
!
- ssh(1):
fix out-of-bound read in EscapeChar configuration option
parsing. (bz#2396)
!
- sshd(8):
fix application of PermitTunnel, LoginGraceTime,
AuthenticationMethods and StreamLocalBindMask
options in Match blocks.
!
- ssh(1),
! sshd(8):
improve disconnection message on TCP reset. (bz#2257)
!
- ssh(1):
remove failed remote forwards established by multiplexing from the
list of active forwards. (bz#2363)
!
- sshd(8):
make parsing of authorized_keys "environment="
options independent of PermitUserEnv being enabled. (bz#2329)
!
- sshd(8):
fix post-auth crash with permitopen=none. (bz#2355)
!
- ssh(1),
! ssh-add(1),
! ssh-keygen(1):
allow new-format private keys to be encrypted with AEAD ciphers.
(bz#2366)
!
- ssh(1):
allow ListenAddress, Port and AddressFamily
configuration options to appear in any order. (bz#86)
!
- sshd(8):
check for and reject missing arguments for VersionAddendum
and ForceCommand. (bz#2281)
!
- ssh(1),
! sshd(8):
don't treat unknown certificate extensions as fatal. (bz#2387)
!
- ssh-keygen(1):
make stdout and stderr output consistent. (bz#2325)
!
- ssh(1):
mention missing DISPLAY environment in debug log when X11
forwarding requested. (bz#1682)
!
- sshd(8):
correctly record login when UseLogin is set. (bz#378)
!
- sshd(8):
add some missing options to sshd -T output and fix output
of VersionAddendum and HostCertificate. (bz#2346)
- Document and improve consistency of options that accept a
"none" argument: TrustedUserCAKeys,
RevokedKeys (bz#2382), AuthorizedPrincipalsFile
(bz#2288).
!
- ssh(1):
include remote username in debug output. (bz#2368)
!
- sshd(8):
avoid compatibility problem with some versions of Tera Term, which
would crash when they received the hostkeys notification message
(hostkeys-00@openssh.com).
!
- sshd(8):
mention ssh-keygen -E as useful when comparing legacy
MD5 host key fingerprints. (bz#2332)
!
- ssh(1):
clarify pseudo-terminal request behaviour and use make manual language
consistent. (bz#1716)
!
- ssh(1):
document that the TERM environment variable is not subject
to SendEnv and AcceptEnv. (bz#2386)
!
- ssh(1),
! sshd(8):
add compatability workarounds for Cisco and more PuTTY versions.
(bz#2424)
- Fix some omissions and errors in the PROTOCOL and
PROTCOL.mux documentation relating to Unix domain
socket forwarding. (bz#2421, bz#2422)
!
- ssh(1):
Improve the
! ssh(1)
manual page to include a better desciption of Unix domain socket
forwarding. (bz#2423)
!
- ssh(1),
! ssh-agent(1):
skip uninitialised PKCS#11 slots, fixing failures to load keys when
they are present. (bz#2427)
!
- ssh(1),
! ssh-agent(1):
do not ignore PKCS#11 hosted keys that wth empty CKA_ID.
(bz#2429)
!
- sshd(8):
clarify documentation for UseDNS option. (bz#2045)
***************
*** 442,452 ****
- Fixed dozens of Coverity issues including dead code, memory leaks,
logic errors and more.
- Ensure that
! openssl(1)
restores terminal echo state after reading a password.
- Incorporated fix for OpenSSL issue #3683.
- Removed SSLv3 support from
! openssl(1).
- Modified tls_write in libtls to allow partial
writes, clarified with examples in the documentation.
- Removed RSAX engine.
--- 442,452 ----
- Fixed dozens of Coverity issues including dead code, memory leaks,
logic errors and more.
- Ensure that
! openssl(1)
restores terminal echo state after reading a password.
- Incorporated fix for OpenSSL issue #3683.
- Removed SSLv3 support from
! openssl(1).
- Modified tls_write in libtls to allow partial
writes, clarified with examples in the documentation.
- Removed RSAX engine.
***************
*** 471,489 ****
- Code improvements:
! - Fix incorrect comparison function in openssl(1) certhash command.
Thanks to Christian Neukirchen / Void Linux.
- Removal of OPENSSL_issetugid and all library getenv calls.
Applications can and should no longer rely on environment variables
for changing library behavior.
OPENSSL_CONF and SSLEAY_CONF are still supported with the
! openssl(1)
command, but note that $ENV:: is no longer supported in .cnf files.
- libtls API and documentation additions.
- Various bug fixes and simplifications to libssl and
libcrypto.
- Reworked
! openssl(1)
option handling.
- LibreSSL version define LIBRESSL_VERSION_NUMBER will now
be bumped for each portable release.
--- 471,489 ----
- Code improvements:
! - Fix incorrect comparison function in openssl(1) certhash command.
Thanks to Christian Neukirchen / Void Linux.
- Removal of OPENSSL_issetugid and all library getenv calls.
Applications can and should no longer rely on environment variables
for changing library behavior.
OPENSSL_CONF and SSLEAY_CONF are still supported with the
! openssl(1)
command, but note that $ENV:: is no longer supported in .cnf files.
- libtls API and documentation additions.
- Various bug fixes and simplifications to libssl and
libcrypto.
- Reworked
! openssl(1)
option handling.
- LibreSSL version define LIBRESSL_VERSION_NUMBER will now
be bumped for each portable release.
***************
*** 496,513 ****
- Syslogd:
- OpenBSD
! syslogd(8)
can bind to explicitly given UDP or TCP sockets to receive messages.
TCP streams are accepted with the octet counting or the non
transparent framing method.
- Blocks in
! syslog.conf(5)
started with
+host process messages created by
certain hosts specifically.
- Handle situations when the file descriptor limit is exhausted
gracefully.
!
- Since libtls handles short writes smarter, syslogd(8) can use the
complete output buffer to save messages, coping with
longer TLS server down times without losing messages.
--- 496,513 ----
- Syslogd:
- OpenBSD
! syslogd(8)
can bind to explicitly given UDP or TCP sockets to receive messages.
TCP streams are accepted with the octet counting or the non
transparent framing method.
- Blocks in
! syslog.conf(5)
started with
+host process messages created by
certain hosts specifically.
- Handle situations when the file descriptor limit is exhausted
gracefully.
!
- Since libtls handles short writes smarter, syslogd(8) can use the
complete output buffer to save messages, coping with
longer TLS server down times without losing messages.
***************
*** 947,953 ****
OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for
!
cvs(1) if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via
--- 947,953 ----
OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for
!
cvs(1) if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via