===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/58.html,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- www/58.html 2015/08/06 10:41:35 1.14
+++ www/58.html 2015/08/06 11:23:31 1.15
@@ -133,19 +133,82 @@
-
OpenSSH X.X
+OpenSSH 7.0
+ - Security:
+
+ - sshd(8):
+ OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
+ Local attackers may be able to write arbitrary messages to logged-in
+ users, including terminal escape sequences.
+
- sshd(8):
+ fix circumvention of MaxAuthTries using keyboard-interactive
+ authentication. By specifying a long, repeating keyboard-interactive
+ "devices" string, an attacker could request the same authentication
+ method be tried thousands of times in a single pass. The
+ LoginGraceTime timeout in
+ sshd(8)
+ and any authentication failure delays implemented by the authentication
+ mechanism itself were still applied.
+
- Potentially-incompatible changes:
- - ...
+
- Support for the legacy SSH version 1 protocol is disabled by
+ default at compile time.
+
- Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
+ is disabled by default at run-time. It may be re-enabled using
+ the instructions at http://www.openssh.com/legacy.html.
+
- Support for ssh-dss, ssh-dss-cert-* host
+ and user keys is disabled by default at run-time. These may
+ be re-enabled using the instructions at
+ http://www.openssh.com/legacy.html.
+
- Support for the legacy v00 cert format has been removed.
+
- The default for the
+ sshd_config(5)
+ PermitRootLogin option has changed from "yes" to
+ "without-password".
- New/changed features:
- - ...
+
- ssh_config(5)
+ add PubkeyAcceptedKeyTypes option to control which public
+ key types are available for user authentication.
+
- sshd_config(5):
+ add HostKeyAlgorithms option to control which public key
+ types are offered for host authentications.
+
- ssh(1),
+ sshd(8):
+ extend Ciphers, MACs, KexAlgorithms,
+ HostKeyAlgorithms, PubkeyAcceptedKeyTypes and
+ HostbasedKeyTypes options to allow appending to the default
+ set of algorithms instead of replacing it. Options may now be
+ prefixed with a + to append to the default, e.g.
+ "HostKeyAlgorithms=+ssh-dss".
- The following significant bugs have been fixed in this release:
- - ...
+
- ssh(1),
+ sshd(8):
+ add compatability workarounds for Cisco and more PuTTY versions.
+ (bz#2424)
+
- Fix some omissions and errors in the PROTOCOL and
+ PROTCOL.mux documentation relating to Unix domain
+ socket forwarding. (bz#2421, bz#2422)
+
- ssh(1):
+ Improve the
+ ssh(1)
+ manual page to include a better desciption of Unix domain socket
+ forwarding. (bz#2423)
+
- ssh(1),
+ ssh-agent(1):
+ skip uninitialised PKCS#11 slots, fixing failures to load keys when
+ they are present. (bz#2427)
+
- ssh(1),
+ ssh-agent(1):
+ do not ignore PKCS#11 hosted keys that wth empty CKA_ID.
+ (bz#2429)
+
- sshd(8):
+ clarify documentation for UseDNS option. (bz#2045)
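Review bot: The added bug-fix entries contain four typos that should be fixed before publication. In the Cisco/PuTTY workarounds entry "compatability" should be "compatibility", in the Unix domain socket documentation entry "PROTCOL.mux" should be "PROTOCOL.mux", in the ssh(1) manual page entry "desciption" should be "description", and in the PKCS#11 entry "keys that wth empty CKA_ID" presumably means "keys with an empty CKA_ID". In the new features list, the ssh_config(5) entry for PubkeyAcceptedKeyTypes is missing the trailing colon that the sshd_config(5), sshd(8) and ssh(1) entries carry. In the same list, "host authentications" in the HostKeyAlgorithms entry would read better as "host authentication". Under Security, the world-writable TTY entry names the affected releases (6.8 and 6.9) but, unlike the MaxAuthTries entry, which opens with "fix", never says that 7.0 corrects the problem. Stating the fix explicitly would keep the two entries consistent.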