===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/73.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -c -r1.13 -r1.14
*** www/73.html 2023/04/03 00:00:12 1.13
--- www/73.html 2023/04/03 00:16:00 1.14
***************
*** 794,812 ****
!
OpenSSH 9.3.
- Security
- Potentially-incompatible changes
!
- Bugfixes
!
--- 794,941 ----
! OpenSSH 9.3 and OpenSSH 9.2
! This release of OpenBSD includes the changes made to OpenSSH since release 9.1:
- Security
! - ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
! per-hop destination constraints (ssh-add -h ...) added in OpenSSH
! 8.9, a logic error prevented the constraints from being
! communicated to the agent. This resulted in the keys being added
! without constraints. The common cases of non-smartcard keys and
! keys without destination constraints are unaffected. This problem
! was reported by Luci Stanescu.
!
- ssh(1): Portable OpenSSH provides an implementation of the
! getrrsetbyname(3) function if the standard library does not
! provide it, for use by the VerifyHostKeyDNS feature. A
! specifically crafted DNS response could cause this function to
! perform an out-of-bounds read of adjacent stack data, but this
! condition does not appear to be exploitable beyond denial-of-
! service to the ssh(1) client.
! The getrrsetbyname(3) replacement is only included if the system's
! standard library lacks this function and portable OpenSSH was not
! compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
! only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
! problem was found by the Coverity static analyzer.
! - sshd(8): fix a pre-authentication double-free memory fault
! introduced in OpenSSH 9.1. This is not believed to be exploitable,
! and it occurs in the unprivileged pre-auth process that is
! subject to chroot(2) and is further sandboxed on most major
! platforms.
!
- ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
! would ignore its first argument unless it was one of the special
! keywords "any" or "none", causing the permission list to fail open
! if only one permission was specified. bz3515
!
- ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
! options were enabled, and the system/libc resolver did not check
! that names in DNS responses were valid, then use of these options
! could allow an attacker with control of DNS to include invalid
! characters (possibly including wildcards) in names added to
! known_hosts files when they were updated. These names would still
! have to match the CanonicalizePermittedCNAMEs allow-list, so
! practical exploitation appears unlikely.
!
- Potentially-incompatible changes
!
! - ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
! controls whether the client-side ~C escape sequence that provides a
! command-line is available. Among other things, the ~C command-line
! could be used to add additional port-forwards at runtime.
! This option defaults to "no", disabling the ~C command-line that
! was previously enabled by default. Turning off the command-line
! allows platforms that support sandboxing of the ssh(1) client
! (currently only OpenBSD) to use a stricter default sandbox policy.
!
! - New features
!
! - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
! outputting SSHFP fingerprints to allow algorithm selection. bz3493
!
- sshd(8): add a `sshd -G` option that parses and prints the
! effective configuration without attempting to load private keys
! and perform other checks. This allows usage of the option before
! keys have been generated and for configuration evaluation and
! verification by unprivileged users.
!
- sshd(8): add support for channel inactivity timeouts via a new
! sshd_config(5) ChannelTimeout directive. This allows channels that
! have not seen traffic in a configurable interval to be
! automatically closed. Different timeouts may be applied to session,
! X11, agent and TCP forwarding channels.
!
- sshd(8): add a sshd_config UnusedConnectionTimeout option to
! terminate client connections that have no open channels for a
! length of time. This complements the ChannelTimeout option above.
!
- sshd(8): add a -V (version) option to sshd like the ssh client has.
!
- ssh(1): add a "Host" line to the output of ssh -G showing the
! original hostname argument. bz3343
!
- scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
! allow control over some SFTP protocol parameters: the copy buffer
! length and the number of in-flight requests, both of which are used
! during upload/download. Previously these could be controlled in
! sftp(1) only. This makes them available in both SFTP protocol
! clients using the same option character sequence.
!
- ssh-keyscan(1): allow scanning of complete CIDR address ranges,
! e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
! it will be expanded to all possible addresses in the range
! including the all-0s and all-1s addresses. bz#976
!
- ssh(1): support dynamic remote port forwarding in escape
! command-line's -R processing. bz#3499
!
- Bugfixes
!
! - scp(1), sftp(1): fix progressmeter corruption on wide displays;
! bz3534
!
- ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
! of private keys as some systems are starting to disable RSA/SHA1
! in libcrypto.
!
- sftp-server(8): fix a memory leak. GHPR363
!
- ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
! compatibility code and simplify what's left.
!
- Fix a number of low-impact Coverity static analysis findings.
! These include several reported via bz2687
!
- ssh_config(5), sshd_config(5): mention that some options are not
! first-match-wins.
!
- Rework logging for the regression tests. Regression tests will now
! capture separate logs for each ssh and sshd invocation in a test.
!
- ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
! says it should; bz3532.
!
- ssh(1): ensure that there is a terminating newline when adding a
! new entry to known_hosts; bz3529
!
- ssh(1): when restoring non-blocking mode to stdio fds, restore
! exactly the flags that ssh started with and don't just clobber them
! with zero, as this could also remove the append flag from the set.
! bz3523
!
- ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none
! and a hostkey in one of the system known hosts file changes.
!
- scp(1): switch scp from using pipes to a socket-pair for
! communication with its ssh sub-processes, matching how sftp(1)
! operates.
!
- sshd(8): clear signal mask early in main(); sshd may have been
! started with one or more signals masked (sigprocmask(2) is not
! cleared on fork/exec) and this could interfere with various things,
! e.g. the login grace timer. Execution environments that fail to
! clear the signal mask before running sshd are clearly broken, but
! apparently they do exist.
!
- ssh(1): warn if no host keys for hostbased auth can be loaded.
!
- sshd(8): Add server debugging for hostbased auth that is queued and
! sent to the client after successful authentication, but also logged
! to assist in diagnosis of HostbasedAuthentication problems. bz3507
!
- ssh(1): document use of the IdentityFile option as being usable to
! list public keys as well as private keys. GHPR352
!
- sshd(8): check for and disallow MaxStartups values less than or
! equal to zero during config parsing, rather than failing later at
! runtime. bz3489
!
- ssh-keygen(1): fix parsing of hex cert expiry times specified on
! the command-line when acting as a CA.
!
- scp(1): when scp(1) is using the SFTP protocol for transport (the
! default), better match scp/rcp's handling of globs that don't match
! the globbed characters but do match literally (e.g. trying to
! transfer a file named "foo.[1]"). Previously scp(1) in SFTP mode
! would not match these pathnames but legacy scp/rcp mode would.
! bz3488
!
- ssh-agent(1): document the "-O no-restrict-websafe" command-line
! option.
!
- ssh(1): honour user's umask(2) if it is more restrictive then the
! ssh default (022).
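Review bot: The PermitRemoteOpen entry in the new Security list is labelled "ssh(8)", while every other client entry in this hunk uses "ssh(1)" and section 8 is used only for sshd and sftp-server; change it to "ssh(1)" so the man page reference resolves. Two spelling fixes in the Bugfixes list: "vestigal" should be "vestigial" in the protocol compatibility entry, and "more restrictive then" should be "more restrictive than" in the final umask(2) entry. The bug references are also written two ways ("bz3515", "bz3493" versus "bz#976", "bz#3499"); pick one form for the whole list. Finally, the new heading reads "OpenSSH 9.3 and OpenSSH 9.2" and the intro says the list covers changes since 9.1, but the entries are not marked by release, so a reader cannot tell which of the Security fixes landed in which version; consider splitting the list per release or tagging each entry.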