===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/60.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -c -r1.38 -r1.39
*** www/60.html	2016/08/01 20:11:23	1.38
--- www/60.html	2016/08/02 14:26:55	1.39
***************
*** 306,328 ****
      <ul>
      <li>Security:
        <ul>
!       <li>...
        </ul>
-     <li>Potentially-incompatible changes:
-       <ul>
-       <li>...
-       </ul>
      <li>New/changed features:
        <ul>
!       <li>...
        </ul>
      <li>The following significant bugs have been fixed in this release:
        <ul>
        <li>In <a href="http://man.openbsd.org/scp.1">scp(1)</a>
!         and <a href="http://man.openbsd.org/sftp.1">sftp(1)</a>,
!         prevent screwing up terminal settings by escaping bytes
!         not forming ASCII or UTF-8 characters. 
!       <li>...
        </ul>
      </ul>
  <p>
--- 306,413 ----
      <ul>
      <li>Security:
        <ul>
!       <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Mitigate a potential denial-of-service attack against the system's
!           <a href="http://man.openbsd.org/crypt.3">crypt(3)</a>
!           function via
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>.
!           An attacker could send very long passwords that would cause
!           excessive CPU use in
!           <a href="http://man.openbsd.org/crypt.3">crypt(3)</a>.
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>
!           now refuses to accept password authentication requests of length
!           greater than 1024 characters.
!       <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Mitigate timing differences in password authentication that could be
!           used to discern valid from invalid account names when long passwords
!           were sent and particular password hashing algorithms are in use on
!           the server.  CVE-2016-6210.
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Fix observable timing weakness in the <i>CBC padding oracle
!           countermeasures</i>.  Note that CBC ciphers are disabled by default
!           and only included for legacy compatibility.
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Improve ordering ordering of MAC verification for
!           <i>Encrypt-then-MAC</i> (EtM) mode transport MAC algorithms to
!           verify the MAC before decrypting any ciphertext.  This removes the
!           possibility of timing differences leaking facts about the plaintext,
!           though no such leakage is known.
        </ul>
      <li>New/changed features:
        <ul>
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Add a <tt>ProxyJump</tt> option and corresponding <tt>-J</tt>
!           command-line flag to allow simplified indirection through a one or
!           more SSH bastions or "jump hosts".
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Add an <tt>IdentityAgent</tt> option to allow specifying specific
!           agent sockets instead of accepting one from the environment.
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Allow <tt>ExitOnForwardFailure</tt> and <tt>ClearAllForwardings</tt>
!           to be optionally overridden when using <tt>ssh -W</tt>.  (bz#2577)
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Implement support for the IUTF8 terminal mode as per
!           <i>draft-sgtatham-secsh-iutf8-00</i>.
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Add support for additional <i>fixed Diffie-Hellman 2K</i>, <i>4K</i>
!           and <i>8K</i> groups from <i>draft-ietf-curdle-ssh-kex-sha2-03</i>.
!       <li><a href="http://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
!           <a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           support SHA256 and SHA512 RSA signatures in certificates.
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Add an <tt>Include</tt> directive for
!           <a href="http://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
!           files.
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Permit UTF-8 characters in pre-authentication banners sent from the
!           server.  (bz#2058)
        </ul>
      <li>The following significant bugs have been fixed in this release:
        <ul>
        <li>In <a href="http://man.openbsd.org/scp.1">scp(1)</a>
!           and <a href="http://man.openbsd.org/sftp.1">sftp(1)</a>,
!           prevent screwing up terminal settings by escaping bytes
!           not forming ASCII or UTF-8 characters. 
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
!           <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Reduce the syslog level of some relatively common protocol events
!           from <tt>LOG_CRIT</tt>.  (bz#2585)
!       <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Refuse <tt>AuthenticationMethods=""</tt> in configurations and accept
!           <tt>AuthenticationMethods=any</tt> for the default behaviour of not
!           requiring multiple authentication.  (bz#2398)
!       <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Remove obsolete and misleading <tt>"POSSIBLE BREAK-IN ATTEMPT!"</tt>
!           message when forward and reverse DNS don't match.  (bz#2585)
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Close <tt>ControlPersist</tt> background process stderr except in
!           debug mode or when logging to syslog.  (bz#1988)
!       <li>misc: Make PROTOCOL description for
!           <i>direct-streamlocal@openssh.com</i> channel open messages match
!           deployed code.  (bz#2529)
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Deduplicate <tt>LocalForward</tt> and <tt>RemoteForward</tt> entries
!           to fix failures when both <tt>ExitOnForwardFailure</tt> and
!           <tt>hostname</tt> canonicalisation are enabled.  (bz#2562)
!       <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Remove fallback from moduli to obsolete "primes" file that was
!           deprecated in 2001.  (bz#2559)
!       <li><a href="http://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:
!           Correct description of <tt>UseDNS</tt>: it affects ssh hostname
!           processing for <tt>authorized_keys</tt>, not <tt>known_hosts</tt>.
!           (bz#2554)
!       <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
!           Fix authentication using lone certificate keys in an agent without
!           corresponding private keys on the filesystem.  (bz#2550)
!       <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
!           Send <tt>ClientAliveInterval</tt> pings when a time-based
!           <tt>RekeyLimit</tt> is set; previously keepalive packets were not
!           being sent.  (bz#2252)
        </ul>
      </ul>
  <p>