===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -r1.67 -r1.68
--- www/67.html	2020/05/12 09:46:23	1.67
+++ www/67.html	2020/05/12 14:02:42	1.68
@@ -1174,8 +1174,14 @@
     </ul>
   </ul>
 
-<li>OpenSSH 8.1
+<li>OpenSSH 8.3
   <ul>
+    <li>Potentially incompatible changes.
+      <ul>
+	<li><a href="https://man.openbsd.org/sftp">sftp(1)</a>:
+	    reject an argument of "-1" in the same way as ssh(1) and
+	    scp(1) do instead of accepting and silently ignoring it.
+	</ul>
     <li>New Features
       <ul>
 	<li>Allowed use of the IgnoreRhosts directive anywhere in an <a
@@ -1184,6 +1190,8 @@
 	<li>Added TOKEN percent expansion (i.e. userid, hostnames etc.) to <a
 	    href="https://man.openbsd.org/ssh">ssh(1)</a> LocalForward and
 	    RemoteForward when used for Unix domain socket forwarding.
+	<li>all: allow loading public keys from the unencrypted envelope of a
+	    private key file if no corresponding public key file is present.
 	<li>Gave <a
 	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> the
 	    ability to dump the contents of a binary key revocation list with
@@ -1232,36 +1240,73 @@
 	    user presence was tested before a security key was made.
         <li>Added direct support for U2F/FIDO2 security keys in <a
 	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
-
         <li>Added initial infrastructure for U2F/FIDO support in <a
 	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
-
 	<li>Notified the user via TTY or $SSH_ASKPASS when <a
 	    href="https://man.openbsd.org/ssh">ssh(1)</a> security keys must be
 	    tapped/touched in order to perform a signature operation.
 	<li>Enabled ed25519 support in <a
 	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
-
-
       </ul>
     <li>Bugfixes
       <ul>
 	<li>Detected and prevented simple <a
-		href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when
-		using ProxyJump.
-	<li>Fixed PIN entry bugs on FIDO <a
-		href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>.
+	    href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when
+	    using ProxyJump.
+	<li>Fixed PIN entry bugs on FIDO in <a
+	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>.
 	<li>Fixed <a
-		href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not
-		displaying the authenticator touch prompt.
+	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not
+	    displaying the authenticator touch prompt.
 	<li>Prevented a timeout in <a
-		href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't
-		immediately send a banner, such as with multiplexers like sslh.
+	    href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't
+	    immediately send a banner, such as with multiplexers like sslh.
 	<li>Adjusted on-wire signature encoding for ecdsh-sk <a
-		href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match
-		ec25519-sk keys.
+	    href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match
+	    ec25519-sk keys.
 	<li>Fixed a potential NULL dereference for revoked hostkeys in <a
-		href="https://man.openbsd.org/ssh">ssh(1)</a>.
+	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
+	<li>ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
+	    a PKCS11Provider
+	<li>ssh-keygen(1): avoid NULL dereference when trying to convert an
+	    invalid RFC4716 private key.
+	<li>scp(2): when performing remote-to-remote copies using "scp -3",
+	    start the second ssh(1) channel with BatchMode=yes enabled to
+	    avoid confusing and non-deterministic ordering of prompts.
+ 	<li>ssh(1): fix incorrect error message for "too many known hosts
+	    files."
+	<li>ssh(1): make failures when establishing "Tunnel" forwarding
+	    terminate the connection when ExitOnForwardFailure is enabled
+	<li>ssh-keygen(1): fix printing of fingerprints on private keys and add
+	    a regression test for same.
+	<li>sshd(8): document order of checking AuthorizedKeysFile (first) and
+	    AuthorizedKeysCommand (subsequently, if the file doesn't match)
+	<li>sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
+	    not considered for HostbasedAuthentication when the target user is
+	    root
+	<li>ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
+	    key parsing (oss-fuzz #20074).
+	<li>ssh(1), sshd(8): more consistency between sets of %TOKENS are
+	    accepted in various configuration options.
+	<li>ssh(1), ssh-keygen(1): improve error messages for some common
+	    PKCS#11 C_Login failure cases
+	<li>ssh(1), sshd(8): make error messages for problems during SSH banner
+	    exchange consistent with other SSH transport-layer error messages
+	    and ensure they include the relevant IP addresses
+	<li>various: fix a number of spelling errors in comments and debug/error
+	    messages
+ 	<li>ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
+	    from a token, don't prompt for a PIN until the token has told us
+	    that it needs one. Avoids double-prompting on devices that
+	    implement on-device authentication.
+ 	<li>sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
+	    should be an extension, not a critical option.
+ 	<li>ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
+	    when trying to use a FIDO key function and SecurityKeyProvider is
+	    empty.
+	<li>ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
+	    the values allowed by the wire format (u32). Prevents integer
+	    wraparound of the timeout values
 	</ul>
   </ul>