===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/60.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -c -r1.38 -r1.39
*** www/60.html 2016/08/01 20:11:23 1.38
--- www/60.html 2016/08/02 14:26:55 1.39
***************
*** 306,328 ****
- Security:
-
- Potentially-incompatible changes:
-
- New/changed features:
- The following significant bugs have been fixed in this release:
- In scp(1)
! and sftp(1),
! prevent screwing up terminal settings by escaping bytes
! not forming ASCII or UTF-8 characters.
!
- ...
--- 306,413 ----
- Security:
! - sshd(8):
! Mitigate a potential denial-of-service attack against the system's
! crypt(3)
! function via
! sshd(8).
! An attacker could send very long passwords that would cause
! excessive CPU use in
! crypt(3).
! sshd(8)
! now refuses to accept password authentication requests of length
! greater than 1024 characters.
!
- sshd(8):
! Mitigate timing differences in password authentication that could be
! used to discern valid from invalid account names when long passwords
! were sent and particular password hashing algorithms are in use on
! the server. CVE-2016-6210.
!
- ssh(1),
! sshd(8):
! Fix observable timing weakness in the CBC padding oracle
! countermeasures. Note that CBC ciphers are disabled by default
! and only included for legacy compatibility.
!
- ssh(1),
! sshd(8):
! Improve ordering ordering of MAC verification for
! Encrypt-then-MAC (EtM) mode transport MAC algorithms to
! verify the MAC before decrypting any ciphertext. This removes the
! possibility of timing differences leaking facts about the plaintext,
! though no such leakage is known.
- New/changed features:
! - ssh(1):
! Add a ProxyJump option and corresponding -J
! command-line flag to allow simplified indirection through a one or
! more SSH bastions or "jump hosts".
!
- ssh(1):
! Add an IdentityAgent option to allow specifying specific
! agent sockets instead of accepting one from the environment.
!
- ssh(1):
! Allow ExitOnForwardFailure and ClearAllForwardings
! to be optionally overridden when using ssh -W. (bz#2577)
!
- ssh(1),
! sshd(8):
! Implement support for the IUTF8 terminal mode as per
! draft-sgtatham-secsh-iutf8-00.
!
- ssh(1),
! sshd(8):
! Add support for additional fixed Diffie-Hellman 2K, 4K
! and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
!
- ssh-keygen(1),
! ssh(1),
! sshd(8):
! support SHA256 and SHA512 RSA signatures in certificates.
!
- ssh(1):
! Add an Include directive for
! ssh_config(5)
! files.
!
- ssh(1):
! Permit UTF-8 characters in pre-authentication banners sent from the
! server. (bz#2058)
- The following significant bugs have been fixed in this release:
- In scp(1)
! and sftp(1),
! prevent screwing up terminal settings by escaping bytes
! not forming ASCII or UTF-8 characters.
!
- ssh(1),
! sshd(8):
! Reduce the syslog level of some relatively common protocol events
! from LOG_CRIT. (bz#2585)
!
- sshd(8):
! Refuse AuthenticationMethods="" in configurations and accept
! AuthenticationMethods=any for the default behaviour of not
! requiring multiple authentication. (bz#2398)
!
- sshd(8):
! Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!"
! message when forward and reverse DNS don't match. (bz#2585)
!
- ssh(1):
! Close ControlPersist background process stderr except in
! debug mode or when logging to syslog. (bz#1988)
!
- misc: Make PROTOCOL description for
! direct-streamlocal@openssh.com channel open messages match
! deployed code. (bz#2529)
!
- ssh(1):
! Deduplicate LocalForward and RemoteForward entries
! to fix failures when both ExitOnForwardFailure and
! hostname canonicalisation are enabled. (bz#2562)
!
- sshd(8):
! Remove fallback from moduli to obsolete "primes" file that was
! deprecated in 2001. (bz#2559)
!
- sshd_config(5):
! Correct description of UseDNS: it affects ssh hostname
! processing for authorized_keys, not known_hosts.
! (bz#2554)
!
- ssh(1):
! Fix authentication using lone certificate keys in an agent without
! corresponding private keys on the filesystem. (bz#2550)
!
- sshd(8):
! Send ClientAliveInterval pings when a time-based
! RekeyLimit is set; previously keepalive packets were not
! being sent. (bz#2252)
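Review bot: The Encrypt-then-MAC entry in the new Security list reads "Improve ordering ordering of MAC verification"; the duplicated word should be dropped before this goes live. Two smaller wording points in the same hunk: the ProxyJump entry says "through a one or more SSH bastions", which should read "through one or more", and the certificate entry begins with a lowercase "support SHA256 and SHA512 RSA signatures" while every other entry starts with a capital. bz#2585 is cited both for the LOG_CRIT syslog-level change and for the removal of the "POSSIBLE BREAK-IN ATTEMPT!" message; please confirm that both references are intended and that neither is a copy-paste slip.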