===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v
retrieving revision 1.55
retrieving revision 1.56
diff -c -r1.55 -r1.56
*** www/62.html 2017/10/05 15:58:43 1.55
--- www/62.html 2017/10/05 16:22:08 1.56
***************
*** 446,452 ****
- Security:
- New/changed features:
--- 446,453 ----
- Security:
! - sftp-server(8): in read-only mode, sftp-server was incorrectly
! permitting creation of zero-length files.
- New/changed features:
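Review bot: The new Security item for sftp-server(8) describes the defect in the past tense but never states that this release corrects it, so a reader cannot tell from the entry alone whether read-only mode still permits creation of zero-length files. Suggest closing the entry with an explicit statement that the behaviour is fixed in this release, in the same way the later section is introduced with "The following significant bugs have been fixed in this release".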
***************
*** 455,465 ****
config file instead of giving it on the client's command
line.
The feature allows to automate tasks using ssh config.
! - ...
- The following significant bugs have been fixed in this release:
--- 456,547 ----
config file instead of giving it on the client's command
line.
The feature allows to automate tasks using ssh config.
!
- sshd(8): add ExposeAuthInfo option that enables writing details of
! the authentication methods used (including public keys where
! applicable) to a file that is exposed via a $SSH_USER_AUTH
! environment variable in the subsequent session.
!
- ssh(1): add support for reverse dynamic forwarding. In this mode,
! ssh will act as a SOCKS4/5 proxy and forward connections
! to destinations requested by the remote SOCKS client. This mode
! is requested using extended syntax for the -R and RemoteForward
! options and, because it is implemented solely at the client,
! does not require the server be updated to be supported.
!
- sshd(8): allow LogLevel directive in sshd_config Match blocks.
!
- ssh-keygen(1): allow inclusion of arbitrary string or flag
! certificate extensions and critical options.`
!
- ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as
! a CA when signing certificates.
!
- ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit
! ToS/DSCP value and just use the operating system default.
!
- ssh-add(1): added -q option to make ssh-add quiet on success.
!
- ssh(1): expand the StrictHostKeyChecking option with two new
! settings. The first "accept-new" will automatically accept
! hitherto-unseen keys but will refuse connections for changed or
! invalid hostkeys. This is a safer subset of the current behaviour
! of StrictHostKeyChecking=no. The second setting "off", is a synonym
! for the current behaviour of StrictHostKeyChecking=no: accept new
! host keys, and continue connection for hosts with incorrect
! hostkeys. A future release will change the meaning of
! StrictHostKeyChecking=no to the behaviour of "accept-new".
!
- ssh(1): add SyslogFacility option to ssh(1) matching the equivalent
! option in sshd(8).
- The following significant bugs have been fixed in this release:
! - ssh(1): use HostKeyAlias if specified instead of hostname for
! matching host certificate principal names
!
- sftp(1): implement sorting for globbed ls.
!
- ssh(1): add a user@host prefix to client's "Permission denied"
! messages, useful in particular when using "stacked" connections
! (e.g. ssh -J) where it's not clear which host is denying.
!
- ssh(1): accept unknown EXT_INFO extension values that contain \0
! characters. These are legal, but would previously cause fatal
! connection errors if received.
!
- ssh(1)/sshd(8): repair compression statistics printed at
! connection exit.
!
- sftp(1): print '?' instead of incorrect link count (that the
! protocol doesn't provide) for remote listings.
!
- ssh(1): return failure rather than fatal() for more cases during
! session multiplexing negotiations. Causes the session to fall back
! to a non-mux connection if they occur.
!
- ssh(1): mention that the server may send debug messages to explain
! public key authentication problems under some circumstances.
!
- Translate OpenSSL error codes to better report incorrect passphrase
! errors when loading private keys.
!
- sshd(8): adjust compatibility patterns for WinSCP to correctly
! identify versions that implement only the legacy DH group exchange
! scheme.
!
- ssh(1): print the "Killed by signal 1" message only at LogLevel
! verbose so that it is not shown at the default level; prevents it
! from appearing during ssh -J and equivalent ProxyCommand configs.
!
- ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
! existing keys if they exist but are zero length. zero-length keys
! could previously be made if ssh-keygen failed or was interrupted part
! way through generating them.
!
- ssh(1): fix pledge(2) violation in the escape sequence "~&" used to
! place the current session in the background.
!
- ssh-keyscan(1): avoid double-close() on file descriptors.
!
- sshd(8): avoid reliance on shared use of pointers shared between
! monitor and child sshd processes.
!
- sshd_config(8): document available AuthenticationMethods.
!
- ssh(1): avoid truncation in some login prompts.
!
- ssh(1): make "--" before the hostname terminate argument processing
! after the hostname too.
!
- ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
! new-style private keys. Fixes problems related to private key
! handling for no-OpenSSL builds.
!
- ssh(1): warn and do not attempt to use keys when the public and
! private halves do not match.
!
- sftp(1): don't print verbose error message when ssh disconnects
! from under sftp.
!
- sshd(8): fix keepalive scheduling problem: activity on a forwarded
! port from preventing the keepalive from being sent.
!
- sshd(8): when started without root privileges, don't require the
! privilege separation user or path to exist. Makes running the
! regression tests easier without touching the filesystem.
!
- Make integrity.sh regression tests more robust against timeouts.
!
- ssh(1)/sshd(8): correctness fix for channels implementation: accept
! channel IDs greater than 0x7FFFFFFF.
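Review bot: The ssh-keygen(1) item on certificate extensions ends with a stray backtick ("critical options.`") that will render on the published page; drop it. In the bug-fix list, the sshd(8) keepalive item is not a complete sentence ("activity on a forwarded port from preventing the keepalive from being sent"); wording such as "activity on a forwarded port could prevent the keepalive from being sent" would read correctly. Smaller points in the same hunk: "shared use of pointers shared between" repeats "shared", the HostKeyAlias item is missing its closing period, and "zero-length keys could previously be made" should start with a capital letter.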