=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/70.html,v retrieving revision 1.80 retrieving revision 1.81 diff -c -r1.80 -r1.81 *** www/70.html 2021/10/07 15:31:31 1.80 --- www/70.html 2021/10/08 03:42:09 1.81 *************** *** 17,24 ****
! ! XXX Released Oct 14, 2021. (51st OpenBSD release)
Copyright 1997-2021, Theo de Raadt.
--- 17,24 ----
! ! XXX Released Oct 14, 2021. (51st OpenBSD release)
Copyright 1997-2021, Theo de Raadt.
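Review bot: the "XXX" placeholder is still present on the "Released Oct 14, 2021" line in the new revision of this hunk, so the banner would be published with the marker visible; drop the "XXX" once the date is final (or keep the reminder in an HTML comment rather than in rendered text).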
*************** *** 768,823 **** !
  • OpenSSH 8.8 XXX !
      !
    • Security fixes !
        !
      • ... !
      !
    • Potentially incompatible changes !
        !
      • ... !
      !
    • New Features !
        !
      • ... !
      !
    • Bugfixes !
        !
      • ... !
  • mandoc 1.14.6
      --- 768,980 ----
    !
  • OpenSSH 8.8 !
      !
    • Security
        !
      • sshd(8): OpenSSH ! 8.5 introduced the LogVerbose keyword. When this option was ! enabled with a set of patterns that activated logging in code ! that runs in the low-privilege sandboxed sshd process, the log ! messages were constructed in such a way that printf(3) format ! strings could effectively be specified the low-privilege code. !
      • sshd(8) from ! OpenSSH 6.2 through 8.7 failed to correctly initialise ! supplemental groups when executing an AuthorizedKeysCommand or ! AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser ! or AuthorizedPrincipalsCommandUser directive has been set to ! run the command as a different user.
      +
    • Potentially incompatible changes +
        +
      • A near-future release of OpenSSH will switch scp(1) from using + the legacy scp/rcp protocol to using SFTP by default. +
      • This release disables RSA signatures using the SHA-1 hash + algorithm by default. +
      • scp(1): this + release changes the behaviour of remote to remote copies + (e.g. "scp host-a:/path host-b:") to transfer through the + local host by default. This was previously available via the + -3 flag. This mode avoids the need to expose credentials on + the origin hop, avoids triplicate interpretation of filenames + by the shell (by the local system, the copy origin and the + destination) and, in conjunction with the SFTP support for + scp(1) mentioned + below, allows use of all authentication methods to the remote + hosts (previously, only non-interactive methods could be + used). A -R flag has been added to select the old behaviour. +
      • ssh(1)/sshd(8): both the + client and server are now using a stricter configuration file + parser. The new parser uses more shell-like rules for quotes, + space and escape characters. It is also more strict in + rejecting configurations that include options lacking + arguments. Previously some options (e.g. DenyUsers) could + appear on a line with no subsequent arguments. This release + will reject such configurations. The new parser will also + reject configurations with unterminated quotes and multiple + '=' characters after the option name. +
      • ssh(1): when using + SSHFP DNS records for host key verification, ssh(1) will verify + all matching records instead of just those with the specific + signature type requested. This may cause host key verification + problems if stale SSHFP records of a different or legacy + signature type exist alongside other records for a particular + host. +
      • ssh-keygen(1): + when generating a FIDO key and specifying an explicit + attestation challenge (using -Ochallenge), the challenge will + now be hashed by the builtin security key middleware. This + removes the (undocumented) requirement that challenges be + exactly 32 bytes in length and matches the expectations of + libfido2. +
      • sshd(8): + environment="..." directives in authorized_keys files are now + first-match-wins and limited to 1024 discrete environment + variable names. +
      + +
    • New features +
        +
      • scp(1): + experimental support for transfers using the SFTP protocol as + a replacement for the venerable SCP/RCP protocol that it has + traditionally used. SFTP offers more predictable filename + handling and does not require expansion of glob(3) patterns + via the shell on the remote side. +
      • sftp-server(8): + add a protocol extension to support expansion of ~/ and ~user/ + prefixed paths. This was added to support these paths when + used by scp(1) + while in SFTP mode. +
      • ssh(1): add a + ForkAfterAuthentication + ssh_config(5) + counterpart to the ssh(1) -f flag. +
      • ssh(1): add a + StdinNull directive to + ssh_config(5) + that allows the config file to do the same thing as -n does on + the ssh(1) + command- line. +
      • ssh(1): add a + SessionType directive to ssh_config, allowing the + configuration file to offer equivalent control to the -N (no + session) and -s (subsystem) command-line flags. +
      • ssh-keygen(1): + allowed signers files used by + ssh-keygen(1) + signatures now support listing key validity intervals + alongside they key, and + ssh-keygen(1) + can optionally check during signature verification whether a + specified time falls inside this interval. This feature is + intended for use by git to support signing and verifying + objects using ssh keys. +
      • ssh-keygen(8): + support printing of the full public key in a sshsig signature + via a -Oprint-pubkey flag. +
      • ssh(1): allow the + ssh_config(5) + CanonicalizePermittedCNAMEs directive to accept a "none" + argument to specify the default behaviour. +
      + +
    • Bugfixes +
        +
      • ssh(1)/ + sshd(8): start + time-based re-keying exactly on schedule in the client and + server mainloops. Previously the re-key timeout could expire + but re-keying would not start until a packet was sent or + received, causing a spin in select() if the connection was + quiescent. +
      • ssh-keygen(1): + avoid Y2038 problem in printing certificate validity + lifetimes. Dates past 2^31-1 seconds since epoch were + displayed incorrectly on some platforms. +
      • scp(1): allow + spaces to appear in usernames for local to remote and scp -3 + remote to remote copies. +
      • ssh(1)/ + sshd(8): remove + references to ChallengeResponseAuthentication in favour of + KbdInteractiveAuthentication. The former is what was in SSHv1, + the latter is what is in SSHv2 (RFC4256) + and they were treated as somewhat but not entirely equivalent. We + retain the old name as a deprecated alias so configuration + files continue to work as well as a reference in the man page + for people looking for it. +
      • ssh(1)/ + ssh-add(1)/ + ssh-keygen(1): + fix decoding of X.509 subject name when extracting a key from + a PKCS#11 certificate. +
      • ssh(1): restore + blocking status on stdio fds before close. + ssh(1) needs file + descriptors in non-blocking mode to operate but it was not + restoring the original state on exit. This could cause + problems with fds shared with other programs via the shell. +
      • ssh(1)/ + sshd(8): switch both + client and server mainloops from select(3) to + pselect(3). Avoids race conditions where a signal may arrive + immediately before select(3) and not be processed until an + event fires. +
      • ssh(1): sessions + started with ControlPersist were incorrectly executing a shell + when the -N (no shell) option was specified. +
      • ssh(1): check if + IPQoS or TunnelDevice are already set before + overriding. Prevents values in config files from overriding + values supplied on the command line. +
      • ssh(1): fix debug + message when finding a private key to match a certificate + being attempted for user authentication. Previously it would + print the certificate's path, whereas it was supposed to be + showing the private key's path. +
      • sshd(8): match + host certificates against host public keys, not private + keys. Allows use of certificates with private keys held in a + ssh-agent. +
      • ssh(1): add a + workaround for a bug in OpenSSH 7.4 sshd(8), + which allows RSA/SHA2 signatures for public key authentication but + fails to advertise this correctly via SSH2_MSG_EXT_INFO. This + causes clients of these server to incorrectly match + PubkeyAcceptedAlgorithmse and potentially refuse to offer + valid keys. +
      • sftp(1)/ + scp(1): degrade + gracefully if a sftp-server offers the limits@openssh.com + extension but fails when the client tries to invoke it. +
      • ssh(1): allow + ssh_config SetEnv to override $TERM, which is otherwise + handled specially by the protocol. Useful in ~/.ssh/config to + set TERM to something generic (e.g. "xterm" instead of + "xterm-256color") for destinations that lack terminfo entries. +
      • sftp-server(8): + the limits@openssh.com extension was incorrectly marked as an + operation that writes to the filesystem, which made it + unavailable in sftp-server read-only mode. +
      • ssh(1): fix SEGV + in UpdateHostkeys debug() message, triggered when the update + removed more host keys than remain present. +
      • scp(1): when using + the SFTP protocol, continue transferring files after a + transfer error occurs, better matching original scp/rcp + behaviour. +
      • ssh(1): fixed a + number of memory leaks in multiplexing, +
      • ssh-keygen(1): + avoid crash when using the -Y find-principals command. +
      • A number of documentation and manual improvements. +
      +
  • mandoc 1.14.6
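Review bot: several wording and man-section errors in the added OpenSSH 8.8 text should be corrected before this hunk goes live. In the first Security item, "could effectively be specified the low-privilege code" is missing a word and should read "specified by the low-privilege code"; the second item has "where a AuthorizedKeysCommandUser", which should be "an AuthorizedKeysCommandUser". In New features, "command- line" has a stray space ("command-line"), "alongside they key" should be "alongside the key", and the sshsig item cites "ssh-keygen(8)" although the manual page is ssh-keygen(1), as every other entry in the list uses. In Bugfixes, the OpenSSH 7.4 workaround item has "clients of these server" (should be "servers") and misspells the option as "PubkeyAcceptedAlgorithmse" (should be "PubkeyAcceptedAlgorithms"), and the multiplexing item ends with a trailing comma instead of a full stop. Minor style point: the same protocol is written both "scp/rcp" and "SCP/RCP"; pick one.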