www/74.html - diff

Return to 74.html CVS log

Up to [local] / www

Diff for /www/74.html between version 1.12 and 1.13

-version 1.12, 2023/10/10 21:40:23
+version 1.13, 2023/10/10 22:11:09
 Line 398
 Line 398
 Line 398
      </ul>
    </ul>
- <li>OpenSSH 9.5
+ <li>OpenSSH 9.5 and OpenSSH 9.4
    <ul>
    <li>Potentially incompatible changes
      <ul>
 Line 412
 Line 412
 Line 412
          subsystem commands and arguments. This may change behaviour for exotic
          configurations, but the most common subsystem configuration
          (sftp-server) is unlikely to be affected.
+     <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
+         PKCS#11 modules must now be specified by their full
+         paths. Previously dlopen(3) could search for them in system
+         library directories.
      </ul>
    <li>New features
      <ul>
-Line 429
+Line 433
 Line 429
 Line 433
          implement a ping capability. These messages use numbers in the "local
          extensions" number space and are advertised using a "ping@openssh.com"
          ext-info message with a string version number of "0".
-    <li>sshd(8): allow override of Subsystem directives in sshd Match blocks.
+     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
+         allow override of Subsystem directives in sshd Match blocks.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         allow forwarding Unix Domain sockets via ssh -W.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         add support for configuration tags to ssh(1).
+         This adds a ssh_config(5) "Tag" directive and corresponding
+         "Match tag" predicate that may be used to select blocks of
+         configuration similar to the pf.conf(5) keywords of the same
+         name.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+          add a "match localnetwork" predicate. This allows matching
+          on the addresses of available network interfaces and may be used to
+          vary the effective client configuration based on network location.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
+         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
+         <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
+         infrastructure support for KRL
+         extensions.  This defines wire formats for optional KRL extensions
+         and implements parsing of the new submessages. No actual extensions
+         are supported at this point.
+     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
+         AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
+         accept two additional %-expansion sequences: %D which expands to
+         the routing domain of the connected session and %C which expands
+         to the addresses and port numbers for the source and destination
+         of the connection.
+     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
+         increase the default work factor (rounds) for the
+         bcrypt KDF used to derive symmetric encryption keys for passphrase
+         protected key files by 50%.
      </ul>
    <li>Bugfixes
      <ul>
-Line 448
+Line 482
 Line 448
 Line 482
      <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
          limit artificial login delay to a reasonable maximum (5s)
          and don't delay at all for the "none" authentication mechanism.
-     <li>sshd(8): Log errors in kex_exchange_identification() with level
+     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
+         Log errors in kex_exchange_identification() with level
          verbose instead of error to reduce preauth log spam. All of those
          get logged with a more generic error message by sshpkt_fatal().
      <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
          correct math for ClientAliveInterval that caused the probes
          to be sent less frequently than configured.
-     <li>fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
+     <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
-         multiplexed sessions to ignore SIGINT under some circumstances.
+         improve isolation between loaded PKCS#11 modules
+         by running separate ssh-pkcs11-helpers for each loaded provider.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         make -f (fork after authentication) work correctly with
+         multiplexed connections, including ControlPersist.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         make ConnectTimeout apply to multiplexing sockets and not
+         just to network connections.
+     <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
+         <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         improve defences against invalid PKCS#11
+         modules being loaded by checking that the requested module
+         contains the required symbol before loading it.
+     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
+         fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
+         appears before it in sshd_config. Since OpenSSH 8.7 the
+         AuthorizedPrincipalsCommand directive was incorrectly ignored in
+         this situation.
+     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
+         <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
+         <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
+         remove vestigal support for KRL
+         signatures When the KRL format was originally defined, it included
+         support for signing of KRL objects. However, the code to sign KRLs
+         and verify KRL signatues was never completed in OpenSSH. This
+         release removes the partially-implemented code to verify KRLs.
+         All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
+         KRL files.
+      <li>All: fix a number of memory leaks and unreachable/harmless integer
+         overflows.
+     <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
+         <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         don't truncate strings logged from PKCS#11 modules
+     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
+         <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         better validate CASignatureAlgorithms in
+         ssh_config and sshd_config. Previously this directive would accept
+         certificate algorithm names, but these were unusable in practice as
+         OpenSSH does not support CA chains.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         make <code>ssh -Q CASignatureAlgorithms</code> only list signature
+         algorithms that are valid for CA signing. Previous behaviour was
+         to list all signing algorithms, including certificate algorithms.
+     <li><a href="https://man.openbsd.org/ssh-keyscan.1">ssh-keyscan(1)</a>:
+         gracefully handle systems where rlimits or the
+         maximum number of open files is larger than INT_MAX
+     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
+         fix "no comment" not showing on when running
+         <code>ssh-keygen -l</code> on multiple keys where one has a comment
+         and other following keys do not.
+     <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>,
+     <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
+         adjust ftruncate() logic to handle servers that
+         reorder requests. Previously, if the server reordered requests then
+         the resultant file would be erroneously truncated.
+     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
+         don't incorrectly disable hostname canonicalization when
+         CanonicalizeHostname=yes and ProxyJump was expicitly set to
+         "none".
+     <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
+         when copying local to remote, check that the source file
+         exists before opening an SFTP connection to the server.
      </ul>
    </ul>