!
- Chromium 48.0.2564.116
- Emacs 21.4 and 24.5
- GCC 4.9.3
--- 517,857 ----
- New/changed features:
- all: add support for RSA signatures using SHA-256/512 hash algorithms
! based on
draft-rsa-dsa-sha2-256-03.txt and
! draft-ssh-ext-info-04.txt .
! - ssh(1):
! add an
AddKeysToAgent client option which can be set to
! yes , no , ask , or confirm , and
! defaults to no . When enabled, a private key that is used
during authentication will be added to
! ssh-agent(1)
! if it is running (with confirmation enabled if set to confirm ).
! - sshd(8):
! add a new
authorized_keys option restrict that
includes all current and future key restrictions
! (no-*-forwarding , etc.).
Also add permissive versions of the existing restrictions, e.g.
! no-pty -> pty . This simplifies the task of setting up
restricted keys and ensures they are maximally-restricted,
regardless of any permissions we might implement in the future.
! - ssh(1):
add
! ssh_config(5)
CertificateFile option to explicitly list certificates. (bz#2436)
!
- ssh-keygen(1):
allow
! ssh-keygen(1)
to change the key comment for all supported formats.
!
- ssh-keygen(1):
allow fingerprinting from standard input, e.g. "ssh-keygen -lf -".
!
- ssh-keygen(1):
allow fingerprinting multiple public keys in a file, e.g.
!
ssh-keygen -lf ~/.ssh/authorized_keys . (bz#1319)
! - sshd(8):
! support
none as an argument for
! sshd_config(5)
! Foreground and ChrootDirectory . Useful inside
! Match blocks to override a global default. (bz#2486)
! - ssh-keygen(1):
support multiple certificates (one per line) and reading from standard
! input (using "
-f - ") for ssh-keygen -L .
! - ssh-keyscan(1):
! add
ssh-keyscan -c ... flag to allow fetching certificates
instead of plain keys.
! - ssh(1):
! better handle anchored FQDNs (e.g.
cvs.openbsd.org. ) in
hostname canonicalisation - treat them as already canonical and
! trailing '. ' before matching
! ssh_config(5).
- The following significant bugs have been fixed in this release:
! - ssh(1),
! sshd(8):
add compatibility workarounds for FuTTY.
!
- ssh(1),
! sshd(8):
refine compatibility workarounds for WinSCP.
- Fix a number of memory faults (double-free, free of uninitialised
memory, etc.) in
! ssh(1)
and
! ssh-keygen(1).
!
- Correctly interpret the
first_kex_follows option during the
initial key exchange.
! - sftp(1):
existing destination directories should not terminate recursive uploads
(regression in openssh 6.8). (bz#2528)
!
- ssh(1),
! sshd(8):
! correctly send back
SSH2_MSG_UNIMPLEMENTED replies to
unexpected messages during key exchange. (bz#2949)
! - ssh(1):
! refuse attempts to set
ConnectionAttempts=0 , which does not
make sense and would cause ssh to print an uninitialised stack
variable. (bz#2500)
! - ssh(1):
fix errors when attempting to connect to scoped IPv6 addresses with
hostname canonicalisation enabled.
!
- sshd_config(5):
! list a couple more options usable in
Match blocks. (bz#2489)
! - sshd(8):
! fix
PubkeyAcceptedKeyTypes +... inside a Match block.
! - ssh(1):
! expand tilde characters in filenames passed to
-i options
before checking whether or not the identity file exists. Avoids
confusion for cases where shell doesn't expand (e.g.
! -i ~/file vs. -i~/file ). (bz#2481)
! - ssh(1):
! do not prepend "exec" to the shell command run by
Match exec
in a config file, which could cause some commands to fail in certain
environments. (bz#2471)
! - ssh-keyscan(1):
fix output for multiple hosts/addrs on one line when host hashing or
a non standard port is in use. (bz#2479)
!
- sshd(8):
skip "Could not chdir to home directory" message when
!
ChrootDirectory is active. (bz#2485)
! - ssh(1):
! include
PubkeyAcceptedKeyTypes in ssh -G config dump.
! - sshd(8):
! avoid changing
TunnelForwarding device flags if they are
already what is needed; makes it possible to use
! tun(4)/
! tap(4)
networking as non-root user if device permissions and interface flags
are pre-established.
! - ssh(1),
! sshd(8):
!
RekeyLimits could be exceeded by one packet. (bz#2521)
! - ssh(1):
fix multiplexing master failure to notice client exit.
!
- ssh(1),
! ssh-agent(1):
! avoid
fatal() for PKCS11 tokens that present empty key IDs.
(bz#1773)
! - sshd(8):
avoid
! printf(3)
of NULL argument. (bz#2535)
!
- ssh(1),
! sshd(8):
! allow
RekeyLimits larger than 4GB. (bz#2521)
! - ssh-agent(1),
! sshd(8):
fix several bugs in (unused) KRL signature support.
!
- ssh(1),
! sshd(8):
fix connections with peers that use the key exchange guess feature of
the protocol. (bz#2515)
!
- sshd(8):
include remote port number in log messages. (bz#2503)
!
- ssh(1):
don't try to load SSHv1 private key when compiled without SSHv1
support. (bz#2505)
!
- ssh-agent(1),
! ssh(1):
fix incorrect error messages during key loading and signing errors.
(bz#2507)
!
- ssh-keygen(1):
! don't leave empty temporary files when performing
known_hosts
! file edits when known_hosts doesn't exist.
! - sshd(8):
correct packet format for tcpip-forward replies for requests that
don't allocate a port. (bz#2509)
!
- ssh(1),
! sshd(8):
fix possible hang on closed output. (bz#2469)
!
- ssh(1):
! expand
%i in ControlPath to UID. (bz#2449)
! - ssh(1),
! sshd(8):
! fix return type of
openssh_RSA_verify . (bz#2460)
! - ssh(1),
! sshd(8):
fix some option parsing memory leaks. (bz#2182)
!
- ssh(1):
add some debug output before DNS resolution; it's a place where
ssh could previously silently stall in cases of unresponsive DNS
servers. (bz#2433)
!
- ssh(1):
remove spurious newline in visual hostkey. (bz#2686)
!
- ssh(1):
! fix printing (
ssh -G ... ) of HostKeyAlgorithms=+...
! - ssh(1):
! fix expansion of
HostkeyAlgorithms=+...
!
LibreSSL 2.3.2
- User-visible features:
! - This release corrects the handling of
ClientHello messages
that do not include TLS extensions, resulting in such handshakes being
aborted.
- When loading a DSA key from a raw (without DH parameters) ASN.1
! serialization, perform some consistency checks on its 'p' and 'q'
values, and return an error if the checks failed.
!
- Fixed a bug in
ECDH_compute_key that can lead to silent
truncation of the result key without error. A coding error could cause
software to use much shorter keys than intended.
! - Removed support for
DTLS_BAD_VER . Pre-DTLSv1 implementations
are no longer supported.
! - The
engine command and parameters are removed from
!
openssl(1).
Previous releases removed dynamic and built-in engine support already.
- SHA-0 is removed, which was withdrawn shortly after publication
twenty years ago.
!
- Added
Certplus CA root certificate to the default
! cert.pem file.
- Fixed a leak in
!
SSL_new(3)
in the error path.
- Fixed a memory leak and out-of-bounds access in
!
OBJ_obj2txt(3).
- Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
!
sizeof(RC4_CHUNK) .
- Added
!
EVP_aead_chacha20_poly1305_ietf(3)
which matches the
!
AEAD construction introduced in RFC 7539, which is different
than that already used in TLS with
!
EVP_aead_chacha20_poly1305(3).
- More man pages converted from pod to
! mdoc(7)
format.
!
- Added
COMODO RSA Certification Authority and
! QuoVadis root certificates to cert.pem .
! - Removed "
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority "
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
! root certificate from cert.pem .
- Fixed incorrect TLS certificate loading by
! nc(1).
- The
!
openssl(1)
!
s_time command now performs a proper shutdown which allows a
full TLS connection to be benchmarked more accurately. A new
! -no_shutdown flag
! makes s_time adopt the previous behavior so that comparisons
can still be made with OpenSSL's version.
! - Removed support for the
SSLEAY_CONF backwards compatibility
environment variable in
!
openssl(1).
- The following CVEs had been fixed:
! CVE-2015-3194 —NULL pointer dereference in client
side certificate validation.
! CVE-2015-3195 —memory leak in PKCS7, not reachable
from TLS/SSL.
- Note: The following OpenSSL CVEs did not apply to LibreSSL:
! CVE-2015-3193 —carry propagating bug in the x86_64
Montgomery squaring procedure.
! CVE-2015-3196 —double free race condition of the
identify hint data.
- Code improvements:
! - Added install target for
cmake builds.
! - Updated
pkgconfig files to correctly report the release
version number, not the individual library ABI version numbers.
- SSLv3 is now permanently removed from the tree.
!
- The
libtls API is changed from the 2.2.x series:
- The
!
tls_read(3)
and
!
tls_write(3)
functions now work better with external event libraries.
- Client-side verification is now supported, with the client
supplying the certificate to the server.
- Also, when using
!
tls_connect_fds(3),
!
tls_connect_socket(3) or
!
tls_accept_fds(3),
!
libtls no longer implicitly closes the passed in sockets.
The caller is responsible for closing them in this case.
! - New interface
OPENSSL_cpu_caps is provided that does not
allow software to inadvertently modify cpu capability flags.
! OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
! - The
out_len argument of AEAD changed from
! ssize_t to size_t .
- Deduplicated DTLS code, sharing bugfixes and improvements with TLS.
- Converted
! nc(1)
! to use
libtls for client and server operations; it is
included in the libressl-portable distribution as an example of how
! to use the libtls library. This is intended to be a simpler
! and more robust replacement for openssl s_client and
! openssl s_server for day-to-day operations.
- ASN.1 cleanups and RFC5280 compliance fixes.
!
- Time representations switched from
unsigned long to
! time_t . LibreSSL now checks if the host OS supports 64-bit
! time_t .
- Support always extracting the peer cipher and version with
!
libtls .
- Added ability to check certificate validity times with
!
libtls ,
!
tls_peer_cert_notbefore(3)
and
!
tls_peer_cert_notafter(3).
- Changed
!
tls_connect_servername(3)
to use the first address that resolves with
!
getaddrinfo(3).
!
- Remove broken conditional
EVP_CHECK_DES_KEY code
(non-functional since initial commit in 2004).
- Reject too small bits value in
!
BN_generate_prime(3),
so that it does not risk becoming negative in
!
probable_prime_dh_safe() .
! - Changed format of
LIBRESSL_VERSION_NUMBER to match that of
! OPENSSL_VERSION_NUMBER .
- Avoid a potential undefined C99+ behavior due to shift overflow in
!
AES_decrypt .
! - Deprecated the
SSL_OP_SINGLE_DH_USE flag.
Ports and packages:
! Many pre-built packages for each architecture:
!
- alpha: 7450
- amd64: 9295
- hppa: 6304
- i386: 9290
- mips64: 7094
- mips64el: 7846
- powerpc: 8383
- sh: 111
- sparc: 1105
- sparc64: 8528
!
! Some highlights:
!
- Chromium 48.0.2564.116
- Emacs 21.4 and 24.5
- GCC 4.9.3
***************
*** 889,895 ****
- Mono 4.2.1.102
- Mozilla Firefox 38.6.1esr and 44.0.2
- Mozilla Thunderbird 38.6.0
-
|
- Node.js 4.3.0
- OpenLDAP 2.3.43 and 2.4.43
- PHP 5.4.45, 5.5.32 and 5.6.18
--- 867,872 ----
***************
*** 905,916 ****
- TeX Live 2014
- Vim 7.4.900
- Xfce 4.12
!
|
! |