===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/63.html,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- www/63.html 2018/03/27 04:53:39 1.46
+++ www/63.html 2018/03/27 05:01:30 1.47
@@ -414,23 +414,103 @@
OpenSMTPD 6.0.4
OpenSSH 7.7
- - Security:
-
- New/changed features:
- - ...
+
- All: Add experimental support for PQC XMSS keys (Extended Hash-
+ Based Signatures) based on the algorithm described in
+ https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
+ The XMSS signature code is experimental and not compiled in by
+ default.
+
- sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
+ to allow conditional configuration that depends on which routing
+ domain a connection was received on (currently supported on OpenBSD
+ and Linux).
+
- sshd_config(5): Add an optional rdomain qualifier to the
+ ListenAddress directive to allow listening on different routing
+ domains. This is supported only on OpenBSD and Linux at present.
+
- sshd_config(5): Add RDomain directive to allow the authenticated
+ session to be placed in an explicit routing domain. This is only
+ supported on OpenBSD at present.
+
- sshd(8): Add "expiry-time" option for authorized_keys files to
+ allow for expiring keys.
+
- ssh(1): Add a BindInterface option to allow binding the outgoing
+ connection to an interface's address (basically a more usable
+ BindAddress)
+
- ssh(1): Expose device allocated for tun/tap forwarding via a new
+ %T expansion for LocalCommand. This allows LocalCommand to be used
+ to prepare the interface.
+
- sshd(8): Expose the device allocated for tun/tap forwarding via a
+ new SSH_TUNNEL environment variable. This allows automatic setup of
+ the interface and surrounding network configuration automatically on
+ the server.
+
- ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
+ ssh://user@host or sftp://user@host/path. Additional connection
+ parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
+ implemented since the ssh fingerprint format in the draft uses the
+ deprecated MD5 hash with no way to specify the any other algorithm.
+
- ssh-keygen(1): Allow certificate validity intervals that specify
+ only a start or stop time (instead of both or neither).
+
- sftp(1): Allow "cd" and "lcd" commands with no explicit path
+ argument. lcd will change to the local user's home directory as
+ usual. cd will change to the starting directory for session (because
+ the protocol offers no way to obtain the remote user's home
+ directory). bz#2760
+
- sshd(8): When doing a config test with sshd -T, only require the
+ attributes that are actually used in Match criteria rather than (an
+ incomplete list of) all criteria.
- The following significant bugs have been fixed in this release:
- - ...
+
- ssh(1)/sshd(8): More strictly check signature types during key
+ exchange against what was negotiated. Prevents downgrade of RSA
+ signatures made with SHA-256/512 to SHA-1.
+
- sshd(8): Fix support for client that advertise a protocol version
+ of "1.99" (indicating that they are prepared to accept both SSHv1 and
+ SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
+ support. bz#2810
+
- ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
+ a rsa-sha2-256/512 signature was requested. This condition is possible
+ when an old or non-OpenSSH agent is in use. bz#2799
+
- ssh-agent(1): Fix regression introduce in 7.6 that caused ssh-agent
+ to fatally exit if presented an invalid signature request message.
+
- sshd_config(5): Accept yes/no flag options case-insensitively, as
+ has been the case in ssh_config(5) for a long time. bz#2664
+
- ssh(1): Improve error reporting for failures during connection.
+ Under some circumstances misleading errors were being shows. bz#2814
+
- ssh-keyscan(1): Add -D option to allow printing of results directly
+ in SSHFP format. bz#2821
+
- regress tests: fix PuTTY interop test broken in last release's SSHv1
+ removal. bz#2823
+
- ssh(1): Compatibility fix for some servers that erroneously drop the
+ connection when the IUTF8 (RFC8160) option is sent.
+
- scp(1): Disable RemoteCommand and RequestTTY in the ssh session
+ started by scp (sftp was already doing this.)
+
- ssh-keygen(1): Refuse to create a certificate with an unusable
+ number of principals.
+
- ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
+ public key during key generation. Previously it would silently
+ ignore errors writing the comment and terminating newline.
+
- ssh(1): Do not modify hostname arguments that are addresses by
+ automatically forcing them to lower-case. Instead canonicalise them
+ to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
+ against known_hosts. bz#2763
+
- ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
+ prompts. bz#2803
+
- sftp(1): Have sftp print a warning about shell cleanliness when
+ decoding the first packet fails, which is usually caused by shells
+ polluting stdout of non-interactive startups. bz#2800
+
- ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
+ time to monotonic time, allowing the packet layer to better function
+ over a clock step and avoiding possible integer overflows during
+ steps.
+
- Numerous manual page fixes and improvements.
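Review bot: the hunk removes the "- Security:" heading and the "The following significant bugs have been fixed in this release:" heading without putting anything in their place, so under OpenSSH 7.7 the new-feature items and the bug-fix items now run together with no visible boundary; restore a heading such as "The following significant bugs have been fixed in this release:" directly before the "More strictly check signature types during key exchange" item, and consider keeping a Security heading for that item, since it is the one that closes the RSA SHA-256/512 to SHA-1 downgrade. Several added lines also carry copy errors worth fixing before commit: "deprecated MD5 hash with no way to specify the any other algorithm" (drop "the"), "Fix support for client that advertise" (should read "clients that advertise"), "Fix regression introduce in 7.6" (should read "introduced"), "misleading errors were being shows" (should read "shown"), "unable to write all the public key" (should read "all of the public key"), "the starting directory for session" (should read "for the session"), and "allows automatic setup of the interface and surrounding network configuration automatically on the server" (duplicate "automatically").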