===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/60.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- www/60.html 2016/08/01 20:11:23 1.38
+++ www/60.html 2016/08/02 14:26:55 1.39
@@ -306,23 +306,108 @@
- Security:
- - ...
+
- sshd(8):
+ Mitigate a potential denial-of-service attack against the system's
+ crypt(3)
+ function via
+ sshd(8).
+ An attacker could send very long passwords that would cause
+ excessive CPU use in
+ crypt(3).
+ sshd(8)
+ now refuses to accept password authentication requests of length
+ greater than 1024 characters.
+
- sshd(8):
+ Mitigate timing differences in password authentication that could be
+ used to discern valid from invalid account names when long passwords
+ were sent and particular password hashing algorithms are in use on
+ the server. CVE-2016-6210.
+
- ssh(1),
+ sshd(8):
+ Fix observable timing weakness in the CBC padding oracle
+ countermeasures. Note that CBC ciphers are disabled by default
+ and only included for legacy compatibility.
+
- ssh(1),
+ sshd(8):
+ Improve ordering ordering of MAC verification for
+ Encrypt-then-MAC (EtM) mode transport MAC algorithms to
+ verify the MAC before decrypting any ciphertext. This removes the
+ possibility of timing differences leaking facts about the plaintext,
+ though no such leakage is known.
- - Potentially-incompatible changes:
-
- New/changed features:
- - ...
+
- ssh(1):
+ Add a ProxyJump option and corresponding -J
+ command-line flag to allow simplified indirection through a one or
+ more SSH bastions or "jump hosts".
+
- ssh(1):
+ Add an IdentityAgent option to allow specifying specific
+ agent sockets instead of accepting one from the environment.
+
- ssh(1):
+ Allow ExitOnForwardFailure and ClearAllForwardings
+ to be optionally overridden when using ssh -W. (bz#2577)
+
- ssh(1),
+ sshd(8):
+ Implement support for the IUTF8 terminal mode as per
+ draft-sgtatham-secsh-iutf8-00.
+
- ssh(1),
+ sshd(8):
+ Add support for additional fixed Diffie-Hellman 2K, 4K
+ and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
+
- ssh-keygen(1),
+ ssh(1),
+ sshd(8):
+ support SHA256 and SHA512 RSA signatures in certificates.
+
- ssh(1):
+ Add an Include directive for
+ ssh_config(5)
+ files.
+
- ssh(1):
+ Permit UTF-8 characters in pre-authentication banners sent from the
+ server. (bz#2058)
- The following significant bugs have been fixed in this release:
- In scp(1)
- and sftp(1),
- prevent screwing up terminal settings by escaping bytes
- not forming ASCII or UTF-8 characters.
-
- ...
+ and sftp(1),
+ prevent screwing up terminal settings by escaping bytes
+ not forming ASCII or UTF-8 characters.
+
- ssh(1),
+ sshd(8):
+ Reduce the syslog level of some relatively common protocol events
+ from LOG_CRIT. (bz#2585)
+
- sshd(8):
+ Refuse AuthenticationMethods="" in configurations and accept
+ AuthenticationMethods=any for the default behaviour of not
+ requiring multiple authentication. (bz#2398)
+
- sshd(8):
+ Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!"
+ message when forward and reverse DNS don't match. (bz#2585)
+
- ssh(1):
+ Close ControlPersist background process stderr except in
+ debug mode or when logging to syslog. (bz#1988)
+
- misc: Make PROTOCOL description for
+ direct-streamlocal@openssh.com channel open messages match
+ deployed code. (bz#2529)
+
- ssh(1):
+ Deduplicate LocalForward and RemoteForward entries
+ to fix failures when both ExitOnForwardFailure and
+ hostname canonicalisation are enabled. (bz#2562)
+
- sshd(8):
+ Remove fallback from moduli to obsolete "primes" file that was
+ deprecated in 2001. (bz#2559)
+
- sshd_config(5):
+ Correct description of UseDNS: it affects ssh hostname
+ processing for authorized_keys, not known_hosts.
+ (bz#2554)
+
- ssh(1):
+ Fix authentication using lone certificate keys in an agent without
+ corresponding private keys on the filesystem. (bz#2550)
+
- sshd(8):
+ Send ClientAliveInterval pings when a time-based
+ RekeyLimit is set; previously keepalive packets were not
+ being sent. (bz#2252)
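Review bot: The added Encrypt-then-MAC entry under Security reads "Improve ordering ordering of MAC verification"; drop the duplicated word before this goes out, since this text is the public description of a security fix. Three smaller wording points in the same hunk: the ProxyJump entry says "through a one or more SSH bastions" (remove "a"), the IdentityAgent entry has the awkward "allow specifying specific agent sockets", and the certificate entry begins lowercase ("support SHA256 and SHA512 RSA signatures") while the other added entries start with a capital. The scp(1)/sftp(1) entry appears as both removed and re-added lines with identical wording, so that part looks like a whitespace-only change; worth confirming it is intentional.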