version 1.46, 2018/03/27 04:53:39 |
version 1.47, 2018/03/27 05:01:30 |
|
|
|
|
<li>OpenSMTPD 6.0.4 |
<li>OpenSMTPD 6.0.4 |
<ul> |
<ul> |
<li>... |
<li>Add <b>spf walk</b> option to |
|
<a href="https://man.openbsd.org/smtpctl.8">smtpctl(8)</a> |
</ul> |
</ul> |
<p> |
<p> |
|
|
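Review bot: The new OpenSMTPD entry (`<li>Add <b>spf walk</b> option to smtpctl(8)`) names the subcommand but, unlike every OpenSSH entry further down this page, says nothing about what it does or why an operator would care; consider a short trailing clause describing its effect so the reader does not have to follow the smtpctl(8) link to learn what changed.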
<li>OpenSSH 7.7 |
<li>OpenSSH 7.7 |
<ul> |
<ul> |
<li>Security: |
|
<ul> |
|
<li>... |
|
</ul> |
|
<li>New/changed features: |
<li>New/changed features: |
<ul> |
<ul> |
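Review bot: The `<li>Security:` sub-list under OpenSSH 7.7 is removed wholesale instead of being filled in, yet the bugfix list added later in this diff contains a change with clear security impact (`ssh(1)/sshd(8): More strictly check signature types during key exchange against what was negotiated. Prevents downgrade of RSA signatures made with SHA-256/512 to SHA-1.`). If the intent is that 7.7 ships no dedicated security fixes, an explicit entry saying so under a kept `Security:` heading records that decision; otherwise consider keeping the heading and listing the signature-downgrade hardening there, where readers scanning for security changes will look first.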
<li>... |
<li>All: Add experimental support for PQC XMSS keys (Extended Hash- |
|
Based Signatures) based on the algorithm described in |
|
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 |
|
The XMSS signature code is experimental and not compiled in by |
|
default. |
|
<li>sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword |
|
to allow conditional configuration that depends on which routing |
|
domain a connection was received on (currently supported on OpenBSD |
|
and Linux). |
|
<li>sshd_config(5): Add an optional rdomain qualifier to the |
|
ListenAddress directive to allow listening on different routing |
|
domains. This is supported only on OpenBSD and Linux at present. |
|
<li>sshd_config(5): Add RDomain directive to allow the authenticated |
|
session to be placed in an explicit routing domain. This is only |
|
supported on OpenBSD at present. |
|
<li>sshd(8): Add "expiry-time" option for authorized_keys files to |
|
allow for expiring keys. |
|
<li>ssh(1): Add a BindInterface option to allow binding the outgoing |
|
connection to an interface's address (basically a more usable |
|
BindAddress) |
|
<li>ssh(1): Expose device allocated for tun/tap forwarding via a new |
|
%T expansion for LocalCommand. This allows LocalCommand to be used |
|
to prepare the interface. |
|
<li>sshd(8): Expose the device allocated for tun/tap forwarding via a |
|
new SSH_TUNNEL environment variable. This allows automatic setup of |
|
the interface and surrounding network configuration automatically on |
|
the server. |
|
<li>ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. |
|
ssh://user@host or sftp://user@host/path. Additional connection |
|
parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not |
|
implemented since the ssh fingerprint format in the draft uses the |
|
deprecated MD5 hash with no way to specify the any other algorithm. |
|
<li>ssh-keygen(1): Allow certificate validity intervals that specify |
|
only a start or stop time (instead of both or neither). |
|
<li>sftp(1): Allow "cd" and "lcd" commands with no explicit path |
|
argument. lcd will change to the local user's home directory as |
|
usual. cd will change to the starting directory for session (because |
|
the protocol offers no way to obtain the remote user's home |
|
directory). bz#2760 |
|
<li>sshd(8): When doing a config test with sshd -T, only require the |
|
attributes that are actually used in Match criteria rather than (an |
|
incomplete list of) all criteria. |
</ul> |
</ul> |
<li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
<ul> |
<ul> |
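Review bot: The feature text is pasted verbatim from the plain-text release notes and carries two wording defects that should be fixed in the HTML: "with no way to specify the any other algorithm" (URI support item) should read "any other algorithm", and "PQC XMSS keys (Extended Hash- Based Signatures)" should be "Hash-Based", since the hyphen only sat at a line break in the source. The draft reference `https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12` is bare text while the smtpctl(8) reference above is an `<a>` link; wrap it the same way. Smaller points: the SSH_TUNNEL item says "allows automatic setup ... automatically on the server" (drop one "automatically"), the sftp item's "starting directory for session" wants "for the session", and the BindInterface item ends without a full stop.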
<li>... |
<li>ssh(1)/sshd(8): More strictly check signature types during key |
|
exchange against what was negotiated. Prevents downgrade of RSA |
|
signatures made with SHA-256/512 to SHA-1. |
|
<li>sshd(8): Fix support for client that advertise a protocol version |
|
of "1.99" (indicating that they are prepared to accept both SSHv1 and |
|
SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 |
|
support. bz#2810 |
|
<li>ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when |
|
a rsa-sha2-256/512 signature was requested. This condition is possible |
|
when an old or non-OpenSSH agent is in use. bz#2799 |
|
<li>ssh-agent(1): Fix regression introduce in 7.6 that caused ssh-agent |
|
to fatally exit if presented an invalid signature request message. |
|
<li>sshd_config(5): Accept yes/no flag options case-insensitively, as |
|
has been the case in ssh_config(5) for a long time. bz#2664 |
|
<li>ssh(1): Improve error reporting for failures during connection. |
|
Under some circumstances misleading errors were being shows. bz#2814 |
|
<li>ssh-keyscan(1): Add -D option to allow printing of results directly |
|
in SSHFP format. bz#2821 |
|
<li>regress tests: fix PuTTY interop test broken in last release's SSHv1 |
|
removal. bz#2823 |
|
<li>ssh(1): Compatibility fix for some servers that erroneously drop the |
|
connection when the IUTF8 (RFC8160) option is sent. |
|
<li>scp(1): Disable RemoteCommand and RequestTTY in the ssh session |
|
started by scp (sftp was already doing this.) |
|
<li>ssh-keygen(1): Refuse to create a certificate with an unusable |
|
number of principals. |
|
<li>ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the |
|
public key during key generation. Previously it would silently |
|
ignore errors writing the comment and terminating newline. |
|
<li>ssh(1): Do not modify hostname arguments that are addresses by |
|
automatically forcing them to lower-case. Instead canonicalise them |
|
to resolve ambiguities (e.g. ::0001 => ::1) before they are matched |
|
against known_hosts. bz#2763 |
|
<li>ssh(1): Don't accept junk after "yes" or "no" responses to hostkey |
|
prompts. bz#2803 |
|
<li>sftp(1): Have sftp print a warning about shell cleanliness when |
|
decoding the first packet fails, which is usually caused by shells |
|
polluting stdout of non-interactive startups. bz#2800 |
|
<li>ssh(1)/sshd(8): Switch timers in packet code from using wall-clock |
|
time to monotonic time, allowing the packet layer to better function |
|
over a clock step and avoiding possible integer overflows during |
|
steps. |
|
<li>Numerous manual page fixes and improvements. |
</ul> |
</ul> |
</ul> |
</ul> |
<p> |
<p> |
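Review bot: Three grammar slips carried over from the upstream bugfix text should be corrected here: "Fix support for client that advertise a protocol version of "1.99"" should be "clients that advertise", "Fix regression introduce in 7.6" should be "introduced", and "misleading errors were being shows" should be "shown". Also "(sftp was already doing this.)" puts the full stop inside the parenthesis where the rest of the list puts it outside. Everything else in this region, including the four closing `</ul>` tags that restore the nesting opened at the OpenSSH 7.7 entry, is consistent with the markup conventions used elsewhere on the page.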