===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/59.html,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- www/59.html 2016/03/05 22:18:02 1.56
+++ www/59.html 2016/03/06 00:26:59 1.57
@@ -15,7 +15,7 @@
-
+
OpenBSD 5.9
To be released May 1, 2016
@@ -35,7 +35,8 @@
See a detailed log of changes between the
5.8 and 5.9 releases.
-
signify(1) pubkeys for this release:
+signify(1)
+ pubkeys for this release:
base: RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn
fw: RWSdmaNkytzh6BApmPSNSDLNg26ZaXlY8g/879UvLdo3rjbsby76Eda1
@@ -70,40 +71,70 @@
- amd64 can now boot from 32 bit and 64 bit EFI.
- Initial support for hardware reduced ACPI added to
- acpi(4).
-
- New efifb(4) driver for EFI frame buffer.
+ acpi(4).
+
- New efifb(4)
+ driver for EFI frame buffer.
- Support for ACPI configured SD host controllers has been added to
- sdhc(4).
-
- Xen domU support xen(4),
- xspd(4).
-
- New xnf(4) driver for Xen Netfront network interfaces.
-
- The puc(4) driver now supports Moxa CP-168U, Perle Speed8 LE and QEMU PCI serial devices.
+ sdhc(4).
+
- Xen domU support
+ xen(4),
+ xspd(4).
+
- New xnf(4)
+ driver for Xen Netfront network interfaces.
+
- The puc(4)
+ driver now supports Moxa CP-168U, Perle Speed8 LE and QEMU PCI serial devices.
- Intel 100 Series PCH Ethernet MAC with i219 PHY support has been added to the
- em(4) driver.
-
- The bge(4) and em(4) drivers now process packets without the kernel lock held.
-
- The oce(4) driver now processes received packets without the kernel lock held.
+ em(4) driver.
+
- The bge(4)
+ and em(4)
+ drivers now process packets without the kernel lock held.
+
- The oce(4)
+ driver now processes received packets without the kernel lock held.
- RTL8168H/RTL8111H support has been added to
re(4).
-
- Initial IEEE 802.11n support in the iwm(4)
- and iwn(4) drivers.
-
- New asmc(4) driver for the Apple System Management Controller.
-
- New pchtemp(4) driver for the thermal sensor found on Intel X99, C610 series, 9 series and 100 series PCH.
-
- New uonerng(4) driver for the Moonbase Otago OneRNG.
-
- New dwiic(4) driver for the Synopsys DesignWare I2C controller.
-
- New ikbd(4),
- ims(4), and
- imt(4)
+
- Initial IEEE 802.11n support in the
+ iwm(4)
+ and iwn(4)
+ drivers.
+
- New asmc(4)
+ driver for the Apple System Management Controller.
+
- New pchtemp(4)
+ driver for the thermal sensor found on Intel X99, C610 series, 9 series
+ and 100 series PCH.
+
- New uonerng(4)
+ driver for the Moonbase Otago OneRNG.
+
- New dwiic(4)
+ driver for the Synopsys DesignWare I2C controller.
+
- New ikbd(4),
+ ims(4), and
+ imt(4)
drivers for HID-over-i2c keyboards, mice and multitouch touchpads.
-
- inteldrm(4)
- has been updated to Linux 3.14.52 adding initial support for Bay Trail and Broadwell graphics.
-
- New viocon(4) driver for the virtio(4) console interface provided by KVM, QEMU, and others.
-
- Support for audio in Thinkpad docks has been added to the azalia(4) driver.
-
- Support for Synaptic touchpads without W mode has been added to the pms(4) driver.
-
- Support for tap-and-drag detection with ALPS touchpads in the pms(4) driver has been improved.
-
- The sdmmc(4) driver now supports sector mode for eMMC devices, such as those found on some BeagleBone Black boards.
-
- The cnmac(4) driver now supports checksum offloading and receives packets without the kernel lock held.
-
- The xhci(4) driver is now enabled for macppc machines.
-
- The ipmi(4) driver now supports OpenIPMI compatible character device.
+
- inteldrm(4)
+ has been updated to Linux 3.14.52 adding initial support for Bay Trail
+ and Broadwell graphics.
+
- New viocon(4)
+ driver for the
+ virtio(4)
+ console interface provided by KVM, QEMU, and others.
+
- Support for audio in Thinkpad docks has been added to the
+ azalia(4)
+ driver.
+
- Support for Synaptic touchpads without W mode has been added to the
+ pms(4)
+ driver.
+
- Support for tap-and-drag detection with ALPS touchpads in the
+ pms(4)
+ driver has been improved.
+
- The sdmmc(4)
+ driver now supports sector mode for eMMC devices, such as those found on
+ some BeagleBone Black boards.
+
- The cnmac(4)
+ driver now supports checksum offloading and receives packets without the
+ kernel lock held.
+
- The xhci(4)
+ driver is now enabled for macppc machines.
+
- The ipmi(4)
+ driver now supports OpenIPMI compatible character device.
- ...
@@ -115,33 +146,87 @@
-
pledge(2) support integrated:
+pledge(2)
+ support integrated:
- tame(2) system call renamed to pledge(2).
- Many behaviours/semantics extended and refined.
- 453 out of 707 base system binaries adapted to use pledge.
- 14 ports adapted to use pledge (some decompression tools, mutt,
some pdf tools, chromium/iridium, and the i3 window manager).
-
- Several bugs exposed by pledge(2) have been corrected, for example in bgpd(8), iked(8), ldapd(8), ntpd(8), and syslogd(8),
-
- Several misguided "features" have been removed, such as support for HOSTALIASES from the resolver, support for "lookup yp" in /etc/resolv.conf, setuid-preserving code in binutils tools or ed-style diffs via proc/exec in patch(1).
-
- A somewhat intensive audit of userland program so that they could be properly annotated with pledge(2) was done, resulting in some design changes such as in rdate(1), sndiod(8) or the introduction of SOCK_DNS socket(2) flag that makes an SS_DNS tagged socket conceptually different from a plain socket.
-
- It also has been used to constrain programs to a more limited POSIX subset, such as some binutils tools that handle untrusted data (strings(1), objdump(1), ...), or the RSA-privsep process in smtpd(1).
+
- Several bugs exposed by pledge(2) have been corrected, for example in
+
+ bgpd(8),
+
+ iked(8),
+
+ ldapd(8),
+
+ ntpd(8),
+ and
+ syslogd(8).
+
- Several misguided "features" have been removed, such as
+
+ support for HOSTALIASES from the resolver,
+
+ support for "lookup yp" in /etc/resolv.conf,
+
+ setuid-preserving code in binutils tools or
+
+ ed-style diffs via proc/exec in patch(1).
+
- A somewhat intensive audit of userland program so that they could be
+ properly annotated with pledge(2) was done, resulting in some design
+ changes such as in
+
+ rdate(1),
+
+ sndiod(8)
+ or the introduction of SOCK_DNS
+
+ socket(2)
+ flag that makes an SS_DNS tagged socket conceptually different
+ from a plain socket.
+
- It also has been used to constrain programs to a more limited POSIX
+ subset, such as some
+
+ binutils
+ tools that handle untrusted data
+ (strings(1),
+ objdump(1), ...),
+ or the RSA-privsep process in
+
+ smtpd(1).
Generic network stack improvements:
- Remove support for obsolete IPv6 socket options.
-
- New etherip(4)
- pseudo-device for tunnelling Ethernet frames across IP[46] networks using RFC 3378 EtherIP encapsulation.
-
- New pair(4) pseudo-device for creating paired virtual Ethernet interfaces.
-
- bpf(4) now runs without the kernel lock.
-
- Split up the tun(4)
- pseudo-device into tun(4)
- (for layer 3) and tap(4) (for layer 2) pseudo-devices. As a result, the link0 flag has no effect on tun(4) interfaces anymore.
-
- The iwn(4) driver now passes IEEE 802.11 control frames in monitor mode, allowing full capture of traffic on a particular wireless channel.
-
- pflow(4) now supports IPv6 for transport.
-
- Several interoperability issues in iked(4) have been fixed, including EAP auth with OS X El Capitan.
+
- New etherip(4)
+ pseudo-device for tunnelling Ethernet frames across IP[46] networks
+ using RFC 3378 EtherIP encapsulation.
+
- New pair(4)
+ pseudo-device for creating paired virtual Ethernet interfaces.
+
- bpf(4)
+ now runs without the kernel lock.
+
- Split up the
+ tun(4)
+ pseudo-device into
+ tun(4)
+ (for layer 3) and
+ tap(4)
+ (for layer 2) pseudo-devices.
+ As a result, the link0 flag has no effect on
+ tun(4)
+ interfaces anymore.
+
- The iwn(4)
+ driver now passes IEEE 802.11 control frames in monitor mode, allowing
+ full capture of traffic on a particular wireless channel.
+
- pflow(4)
+ now supports IPv6 for transport.
+
- Several interoperability issues in
+ iked(4)
+ have been fixed, including EAP auth with OS X El Capitan.
- ...
@@ -151,25 +236,52 @@
Inappropriate user choices from a list of options are more reliably rejected.
Installing to a disk partitioned with a GPT is now supported (amd64 only).
When initializing a GPT the required EFI System partition is automatically created.
- When installing to a GPT disk installboot(8) now formats the EFI System partition, creates the appropriate directory structure and copies the required UEFI boot files into place.
+ When installing to a GPT disk
+
+ installboot(8)
+ now formats the EFI System partition, creates the appropriate directory
+ structure and copies the required UEFI boot files into place.
...
Routing daemons and other userland network improvements:
- - New eigrpd(8) routing daemon for the Enhanced Interior Gateway Routing Protocol.
-
- dhclient(8) now supports multiple domain names provided via DHCP option 15 (Domain Name).
-
- dhclient(8) now supports search domains provided via DHCP option 119 (Domain Search).
-
- dhclient(8) no longer continually checks for a change to the routing domain of the interface it controls. It now relies on the appropriate routing socket messages.
-
- dhclient(8) now issues DHCP DECLINE responses to lease offers found to be inadequate, and restarts the DISCOVER/RENEW process rather than waiting indefinitely for a better lease to appear.
-
- dhclient(8) no longer exits if a desired route cannot be added. It now just reports the fact.
-
- dhclient(8) now takes a much more careful approach to received packets to ensure only received data is used to process the packet. Packets with incorrect length information or lacking appropriate header information are now dropped.
-
- dhclient(8) again disables pending timeouts if the interface link is lost, preventing endless retries at obtaining a lease.
-
- dhclient(8) was pledged.
-
- dhcpd(8) again properly utilizes default-lease-time, max-lease-time and bootp-lease-time options.
-
- dhcpd(8) was pledged.
-
- tcpdump(1) now displays more information about IEEE 802.11 frames when run with the -y IEEE802_11_RADIO and -v options.
+ - New eigrpd(8)
+ routing daemon for the Enhanced Interior Gateway Routing Protocol.
+
- dhclient(8)
+ now supports multiple domain names provided via DHCP option 15 (Domain Name).
+
- dhclient(8)
+ now supports search domains provided via DHCP option 119 (Domain Search).
+
- dhclient(8)
+ no longer continually checks for a change to the routing domain of the
+ interface it controls. It now relies on the appropriate routing socket
+ messages.
+
- dhclient(8)
+ now issues DHCP DECLINE responses to lease offers found to be inadequate,
+ and restarts the DISCOVER/RENEW process rather than waiting indefinitely
+ for a better lease to appear.
+
- dhclient(8)
+ no longer exits if a desired route cannot be added. It now just reports
+ the fact.
+
- dhclient(8)
+ now takes a much more careful approach to received packets to ensure
+ only received data is used to process the packet.
+ Packets with incorrect length information or lacking appropriate header
+ information are now dropped.
+
- dhclient(8)
+ again disables pending timeouts if the interface link is lost,
+ preventing endless retries at obtaining a lease.
+
- dhclient(8)
+ was pledged.
+
- dhcpd(8)
+ again properly utilizes default-lease-time, max-lease-time and
+ bootp-lease-time options.
+
- dhcpd(8)
+ was pledged.
+
- tcpdump(1)
+ now displays more information about IEEE 802.11 frames when run with
+ the -y IEEE802_11_RADIO and -v options.
- ...
@@ -178,52 +290,109 @@
- ...
- Support for looking up hosts via YP has been removed from libc.
- The 'yp' lookup method in
- resolv.conf
- is no longer available.
+ The 'yp' lookup method in
+
+ resolv.conf
+ is no longer available.
- Support for the HOSTALIASES environment variable has been removed from libc.
Assorted improvements:
- - doas(1)
- is a little friendlier to use.
+
- doas(1)
+ is a little friendlier to use.
- Updated
- flex(1).
-
- Forked less(1) from upstream, then proceeded to clean it up substantially.
-
- pdisk(8) was largely rewritten and pledged.
+ flex(1).
+
- Forked less(1)
+ from upstream, then proceeded to clean it up substantially.
+
- pdisk(8)
+ was largely rewritten and pledged.
- Renaming files in the root directory of a MSDOS filesystem was fixed.
-
- Many obsolete disktab(5) attributes and entries were removed.
-
- softraid(4) volumes now correctly look for the disklabel in the first OpenBSD disk partition, not the last.
-
- softraid(4) volumes can now be partitioned with a GPT.
-
- fdisk(8) now creates a default GPT as well as the protective MBR when the '-g' flag is used.
-
- fdisk(8) now has a '-b' flag that specifies the size of the EFI System partition to create.
-
- fdisk(8) now has a '-v' flag that causes a verbose display of both MBR and GPT information.
-
- fdisk(8) now provides full interactive GPT editing.
-
- fdisk(8) was pledged.
-
- Disks with sector sizes other than 512 bytes can now be partitioned with a GPT.
-
- The GPT kernel option was removed and GPT support is part of all GENERIC and GENERIC derived kernels.
-
- Many improvements were made to the GPT kernel support to ensure safe and reliable operation of GPT and MBR processing.
-
- disklabel(8) no longer supports boot code installation, with the -B and -b flags being removed. The associated fields in the disklabel were also removed. These functions are now all performed by
- installboot(8).
+
- Many obsolete
+ disktab(5)
+ attributes and entries were removed.
+
- softraid(4)
+ volumes now correctly look for the disklabel in the first OpenBSD disk
+ partition, not the last.
+
- softraid(4)
+ volumes can now be partitioned with a GPT.
+
- fdisk(8)
+ now creates a default GPT as well as the protective MBR when the '-g'
+ flag is used.
+
- fdisk(8)
+ now has a '-b' flag that specifies the size of the EFI System partition
+ to create.
+
- fdisk(8)
+ now has a '-v' flag that causes a verbose display of both MBR and GPT
+ information.
+
- fdisk(8)
+ now provides full interactive GPT editing.
+
- fdisk(8)
+ was pledged.
+
- Disks with sector sizes other than 512 bytes can now be partitioned with
+ a GPT.
+
- The GPT kernel option was removed and GPT support is part of all GENERIC
+ and GENERIC derived kernels.
+
- Many improvements were made to the GPT kernel support to ensure safe and
+ reliable operation of GPT and MBR processing.
+
- disklabel(8)
+ no longer supports boot code installation, with the -B and -b flags
+ being removed.
+ The associated fields in the disklabel were also removed.
+ These functions are now all performed by
+
+ installboot(8).
- PowerPC converted to secure-PLT ABI variant.
-
- Perform lazy binding updates in ld.so(1) using kbind(2) to improve security and reduce overhead in threaded processes.
-
- Over 100 internal or obsolete interfaces have been deleted or are no longer exported by libc, reducing symbol conflicts and process size.
-
- libc now uses local references for most of its own functions to avoid symbol overriding, improve standards compliance, increase speed, and reduce dynamic linking overhead.
-
- Handle intra-thread kills via new thrkill(2) system call to tighten pledge(2) restrictions and improve pthread_kill(3) and pthread_cancel(3) compliance.
-
- Added getpwnam_shadow(3) and getpwuid_shadow(3) to permit tighter pledge(2) restrictions.
-
- Added support to ktrace(1) the arguments to execve(2) and pledge(2). Removed support for tracing context switch points. kevent structures are now dumped.
+
- Perform lazy binding updates in
+ ld.so(1)
+ using
+ kbind(2)
+ to improve security and reduce overhead in threaded processes.
+
- Over 100 internal or obsolete interfaces have been deleted or are no
+ longer exported by libc, reducing symbol conflicts and process size.
+
+
- libc now uses local references for most of its own functions to avoid
+ symbol overriding, improve standards compliance, increase speed,
+ and reduce dynamic linking overhead.
+
- Handle intra-thread kills via new
+ thrkill(2)
+ system call to tighten pledge(2) restrictions and improve pthread_kill(3)
+ and pthread_cancel(3) compliance.
+
- Added
+ getpwnam_shadow(3)
+ and
+ getpwuid_shadow(3)
+ to permit tighter pledge(2) restrictions.
+
- Added support to
+ ktrace(1)
+ the arguments to
+ execve(2)
+ and
+ pledge(2).
+ Removed support for tracing context switch points.
+ kevent structures are now dumped.
- Disabled support for loading locales other than UTF-8.
- UTF-8 character locale data has been updated to Unicode 7.0.0.
-
- Added UTF-8 support to several utilities, including calendar(1), colrm(1), cut(1), fmt(1), ls(1), ps(1), rs(1), ul(1), uniq(1), and wc(1).
+
- Added UTF-8 support to several utilities, including
+ calendar(1),
+ colrm(1),
+ cut(1),
+ fmt(1),
+ ls(1),
+ ps(1),
+ rs(1),
+ ul(1),
+ uniq(1),
+ and wc(1).
- Native language support (NLS) has been removed from libc.
-
- ddb(4) now automatically shows a stack trace upon panic.
+
- ddb(4)
+ now automatically shows a stack trace upon panic.
- ...
-
OpenBSD httpd(8):
+OpenBSD httpd(8):
@@ -234,17 +403,19 @@
Security:
- Both
- smtpd(8)
+ smtpd(8)
and
- smtpctl(8)
+ smtpctl(8)
have been pledged.
-
- The offline enqueue mode of
- smtpctl(8)
- has been redesigned to remove the need for a publicly writable directory which was a vector of multiple attacks in the Qualys Security audit.
+
- The offline enqueue mode of
+ smtpctl(8)
+ has been redesigned to remove the need for a publicly writable directory
+ which was a vector of multiple attacks in the Qualys Security audit.
The following improvements were brought in this release:
- - Experimental support for filters API is now available with several filters available in ports.
+
- Experimental support for filters API is now available with several
+ filters available in ports.
- Add Message-Id header if necessary.
- Removed the kick mechanism which was misbehaving.
- Increased the length of acceptable headers lines.
@@ -258,34 +429,34 @@
- Security:
- Qualys Security identified vulnerabilities in the
- ssh(1)
+ ssh(1)
client experimental support for resuming SSH-connections (roaming).
In the default configuration, this could potentially leak client keys
to a hostile server. The authentication of the server host key
prevents exploitation by a man-in-the-middle, so this information leak
is restricted to connections to malicious or compromised servers.
This feature has been disabled in the
- ssh(1)
+ ssh(1)
client, and it has been removed from the source tree. The matching
server code has never been shipped.
-
- sshd(8):
+
- sshd(8):
OpenSSH 7.0 contained a logic error in
PermitRootLogin=prohibit-password/without-password that could,
depending on compile-time configuration, permit password authentication
to root while preventing other forms of authentication.
- Fix an out of-bound read access in the packet handling code.
- Further use of
- explicit_bzero(3)
+ explicit_bzero(3)
has been added in various buffer handling code paths to guard against
compilers aggressively doing dead-store removal.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
remove unfinished and unused roaming code.
-
- ssh(1):
+
- ssh(1):
eliminate fallback from untrusted X11 forwarding to trusted forwarding
when the X server disables the SECURITY extension.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
increase the minimum modulus size supported for
diffie-hellman-group-exchange to 2048 bits.
@@ -293,7 +464,7 @@
- This release disables a number of legacy cryptographic algorithms
by default in
- ssh(1):
+ ssh(1):
- Several ciphers: blowfish-cbc, cast128-cbc,
all arcfour variants and the rijndael-cbc aliases
@@ -306,14 +477,14 @@
- all: add support for RSA signatures using SHA-256/512 hash algorithms
based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt.
-
- ssh(1):
+
- ssh(1):
Add an AddKeysToAgent client option which can be set to
yes, no, ask, or confirm, and
defaults to no. When enabled, a private key that is used
during authentication will be added to
- ssh-agent(1)
+ ssh-agent(1)
if it is running (with confirmation enabled if set to confirm).
-
- sshd(8):
+
- sshd(8):
add a new authorized_keys option restrict that
includes all current and future key restrictions
(no-*-forwarding, etc.).
@@ -321,151 +492,151 @@
no-pty -> pty. This simplifies the task of setting up
restricted keys and ensures they are maximally-restricted,
regardless of any permissions we might implement in the future.
-
- ssh(1):
+
- ssh(1):
add
- ssh_config(5)
+ ssh_config(5)
CertificateFile option to explicitly list certificates. (bz#2436)
-
- ssh-keygen(1):
+
- ssh-keygen(1):
allow
- ssh-keygen(1)
+ ssh-keygen(1)
to change the key comment for all supported formats.
-
- ssh-keygen(1):
+
- ssh-keygen(1):
allow fingerprinting from standard input, e.g. "ssh-keygen -lf -".
-
- ssh-keygen(1):
+
- ssh-keygen(1):
allow fingerprinting multiple public keys in a file, e.g.
ssh-keygen -lf ~/.ssh/authorized_keys. (bz#1319)
-
- sshd(8):
+
- sshd(8):
support none as an argument for
- sshd_config(5)
+ sshd_config(5)
Foreground and ChrootDirectory. Useful inside
Match blocks to override a global default. (bz#2486)
-
- ssh-keygen(1):
+
- ssh-keygen(1):
support multiple certificates (one per line) and reading from standard
input (using "-f -") for ssh-keygen -L.
-
- ssh-keyscan(1):
+
- ssh-keyscan(1):
add ssh-keyscan -c ... flag to allow fetching certificates
instead of plain keys.
-
- ssh(1):
+
- ssh(1):
better handle anchored FQDNs (e.g. cvs.openbsd.org.) in
hostname canonicalisation - treat them as already canonical and
trailing '.' before matching
- ssh_config(5).
+ ssh_config(5).
- The following significant bugs have been fixed in this release:
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
add compatibility workarounds for FuTTY.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
refine compatibility workarounds for WinSCP.
- Fix a number of memory faults (double-free, free of uninitialised
memory, etc) in
- ssh(1)
+ ssh(1)
and
- ssh-keygen(1).
+ ssh-keygen(1).
- Correctly interpret the first_kex_follows option during the
initial key exchange.
-
- sftp(1):
+
- sftp(1):
existing destination directories should not terminate recursive uploads
(regression in openssh 6.8). (bz#2528)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
correctly send back SSH2_MSG_UNIMPLEMENTED replies to
unexpected messages during key exchange. (bz#2949)
-
- ssh(1):
+
- ssh(1):
refuse attempts to set ConnectionAttempts=0, which does not
make sense and would cause ssh to print an uninitialised stack
variable. (bz#2500)
-
- ssh(1):
+
- ssh(1):
fix errors when attempting to connect to scoped IPv6 addresses with
hostname canonicalisation enabled.
-
- sshd_config(5):
+
- sshd_config(5):
list a couple more options usable in Match blocks. (bz#2489)
-
- sshd(8):
+
- sshd(8):
fix PubkeyAcceptedKeyTypes +... inside a Match block.
-
- ssh(1):
+
- ssh(1):
expand tilde characters in filenames passed to -i options
before checking whether or not the identity file exists. Avoids
confusion for cases where shell doesn't expand (e.g.
-i ~/file vs. -i~/file). (bz#2481)
-
- ssh(1):
+
- ssh(1):
do not prepend "exec" to the shell command run by Match exec
in a config file, which could cause some commands to fail in certain
environments. (bz#2471)
-
- ssh-keyscan(1):
+
- ssh-keyscan(1):
fix output for multiple hosts/addrs on one line when host hashing or
a non standard port is in use. (bz#2479)
-
- sshd(8):
+
- sshd(8):
skip "Could not chdir to home directory" message when
ChrootDirectory is active. (bz#2485)
-
- ssh(1):
+
- ssh(1):
include PubkeyAcceptedKeyTypes in ssh -G config dump.
-
- sshd(8):
+
- sshd(8):
avoid changing TunnelForwarding device flags if they are
already what is needed; makes it possible to use
- tun(4)/
- tap(4)
+ tun(4)/
+ tap(4)
networking as non-root user if device permissions and interface flags
are pre-established.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
RekeyLimits could be exceeded by one packet. (bz#2521)
-
- ssh(1):
+
- ssh(1):
fix multiplexing master failure to notice client exit.
-
- ssh(1),
- ssh-agent(1):
+
- ssh(1),
+ ssh-agent(1):
avoid fatal() for PKCS11 tokens that present empty key IDs.
(bz#1773)
-
- sshd(8):
+
- sshd(8):
avoid
- printf(3)
+ printf(3)
of NULL argument. (bz#2535)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
allow RekeyLimits larger than 4GB. (bz#2521)
-
- ssh-agent(1),
- sshd(8):
+
- ssh-agent(1),
+ sshd(8):
fix several bugs in (unused) KRL signature support.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix connections with peers that use the key exchange guess feature of
the protocol. (bz#2515)
-
- sshd(8):
+
- sshd(8):
include remote port number in log messages. (bz#2503)
-
- ssh(1):
+
- ssh(1):
don't try to load SSHv1 private key when compiled without SSHv1
support. (bz#2505)
-
- ssh-agent(1),
- ssh(1):
+
- ssh-agent(1),
+ ssh(1):
fix incorrect error messages during key loading and signing errors.
(bz#2507)
-
- ssh-keygen(1):
+
- ssh-keygen(1):
don't leave empty temporary files when performing known_hosts
file edits when known_hosts doesn't exist.
-
- sshd(8):
+
- sshd(8):
correct packet format for tcpip-forward replies for requests that
don't allocate a port. (bz#2509)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix possible hang on closed output. (bz#2469)
-
- ssh(1):
+
- ssh(1):
expand %i in ControlPath to UID. (bz#2449)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix return type of openssh_RSA_verify. (bz#2460)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix some option parsing memory leaks. (bz#2182)
-
- ssh(1):
+
- ssh(1):
add a some debug output before DNS resolution; it's a place where
ssh could previously silently stall in cases of unresponsive DNS
servers. (bz#2433)
-
- ssh(1):
+
- ssh(1):
remove spurious newline in visual hostkey. (bz#2686)
-
- ssh(1):
+
- ssh(1):
fix printing (ssh -G ...) of HostKeyAlgorithms=+...
-
- ssh(1):
+
- ssh(1):
fix expansion of HostkeyAlgorithms=+...
@@ -486,27 +657,32 @@
- Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations
are no longer supported.
- The engine command and parameters are removed from
- openssl(1).
+
+ openssl(1).
Previous releases removed dynamic and built-in engine support already.
- SHA-0 is removed, which was withdrawn shortly after publication
twenty years ago.
- Added Certplus CA root certificate to the default
cert.pem file.
- Fixed a leak in
- SSL_new(3)
+
+ SSL_new(3)
in the error path.
- Fixed a memory leak and out-of-bounds access in
- OBJ_obj2txt(3).
+
+ OBJ_obj2txt(3).
- Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
sizeof(RC4_CHUNK).
- Added
- EVP_aead_chacha20_poly1305_ietf(3)
+
+ EVP_aead_chacha20_poly1305_ietf(3)
which matches the
AEAD construction introduced in RFC 7539, which is different
than that already used in TLS with
- EVP_aead_chacha20_poly1305(3).
+
+ EVP_aead_chacha20_poly1305(3).
- More man pages converted from pod to
- mdoc(7)
+ mdoc(7)
format.
- Added COMODO RSA Certification Authority and
QuoVadis root certificates to cert.pem.
@@ -515,7 +691,7 @@
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
root certificate from cert.pem.
- Fixed incorrect TLS certificate loading by
- nc(1).
+ nc(1).
- The following CVEs had been fixed:
- CVE-2015-3194—NULL pointer dereference in client
@@ -540,17 +716,22 @@
- The libtls API is changed from the 2.2.x series:
@@ -561,7 +742,7 @@
ssize_t to size_t.
- Deduplicated DTLS code, sharing bugfixes and improvements with TLS.
- Converted
- nc(1)
+ nc(1)
to use libtls for client and server operations; it is
included in the libressl-portable distribution as an example of how
to use the libtls library. This is intended to be a simpler
@@ -575,17 +756,22 @@
libtls.
- Added ability to check certificate validity times with
libtls,
- tls_peer_cert_notbefore(3)
+
+ tls_peer_cert_notbefore(3)
and
- tls_peer_cert_notafter(3).
+
+ tls_peer_cert_notafter(3).
- Changed
- tls_connect_servername(3)
+
+ tls_connect_servername(3)
to use the first address that resolves with
- getaddrinfo(3).
+
+ getaddrinfo(3).
- Remove broken conditional EVP_CHECK_DES_KEY code
(non-functional since initial commit in 2004).
- Reject too small bits value in
- BN_generate_prime_ex(3),
+
+ BN_generate_prime_ex(3),
so that it does not risk becoming negative in
probable_prime_dh_safe().
- Changed format of LIBRESSL_VERSION_NUMBER to match that of
@@ -604,6 +790,7 @@
- Ports and packages:
- Many pre-built packages for each architecture:
+
+
- Some highlights:
+