===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.12
retrieving revision 1.13
diff -c -r1.12 -r1.13
*** www/74.html 2023/10/10 21:40:23 1.12
--- www/74.html 2023/10/10 22:11:09 1.13
***************
*** 398,404 ****
!
OpenSSH 9.5
- Potentially incompatible changes
! OpenSSH 9.5 and OpenSSH 9.4
- Potentially incompatible changes
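Review bot: the heading changes from "OpenSSH 9.5" to "OpenSSH 9.5 and OpenSSH 9.4", but the "Potentially incompatible changes" subheading under it stays as it was, so a reader upgrading from 9.4 can no longer tell which of the entries beneath it apply to them; each entry in the sections covered by this combined heading should name the release that introduced it.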
***************
*** 412,417 ****
--- 412,421 ----
subsystem commands and arguments. This may change behaviour for exotic
configurations, but the most common subsystem configuration
(sftp-server) is unlikely to be affected.
+ - ssh-agent(1):
+ PKCS#11 modules must now be specified by their full
+ paths. Previously dlopen(3) could search for them in system
+ library directories.
- New features
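Review bot: the new ssh-agent(1) entry ("PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories.") states what changed but not why, and operators whose configurations used bare module names will hit a failure with no hint here of the reason; a clause saying that the change is part of the PKCS#11 module-loading hardening described in the Bugfixes section below would make the entry self-explanatory, and the entry should also say which of the two releases it belongs to now that the heading covers both 9.5 and 9.4.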
***************
*** 429,435 ****
implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
! - sshd(8): allow override of Subsystem directives in sshd Match blocks.
- Bugfixes
--- 433,469 ----
implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
! - sshd(8):
! allow override of Subsystem directives in sshd Match blocks.
!
- ssh(1):
! allow forwarding Unix Domain sockets via ssh -W.
!
- ssh(1):
! add support for configuration tags to ssh(1).
! This adds a ssh_config(5) "Tag" directive and corresponding
! "Match tag" predicate that may be used to select blocks of
! configuration similar to the pf.conf(5) keywords of the same
! name.
!
- ssh(1):
! add a "match localnetwork" predicate. This allows matching
! on the addresses of available network interfaces and may be used to
! vary the effective client configuration based on network location.
!
- ssh(1),
! sshd(8),
! ssh-keygen(1):
! infrastructure support for KRL
! extensions. This defines wire formats for optional KRL extensions
! and implements parsing of the new submessages. No actual extensions
! are supported at this point.
!
- sshd(8):
! AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
! accept two additional %-expansion sequences: %D which expands to
! the routing domain of the connected session and %C which expands
! to the addresses and port numbers for the source and destination
! of the connection.
!
- ssh-keygen(1):
! increase the default work factor (rounds) for the
! bcrypt KDF used to derive symmetric encryption keys for passphrase
! protected key files by 50%.
- Bugfixes
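Review bot: the entry "add support for configuration tags to ssh(1)." repeats the ssh(1) prefix that the item heading now carries; drop "to ssh(1)". The ssh-keygen(1) entry says the bcrypt KDF work factor rises "by 50%" without giving the resulting default round count, which is what anyone checking whether older clients can still load newly generated passphrase-protected keys needs; state the new default alongside the percentage.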
***************
*** 448,461 ****
- sshd(8):
limit artificial login delay to a reasonable maximum (5s)
and don't delay at all for the "none" authentication mechanism.
!
- sshd(8): Log errors in kex_exchange_identification() with level
verbose instead of error to reduce preauth log spam. All of those
get logged with a more generic error message by sshpkt_fatal().
- sshd(8):
correct math for ClientAliveInterval that caused the probes
to be sent less frequently than configured.
!
- fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
! multiplexed sessions to ignore SIGINT under some circumstances.
--- 482,557 ----
sshd(8):
limit artificial login delay to a reasonable maximum (5s)
and don't delay at all for the "none" authentication mechanism.
! sshd(8):
! Log errors in kex_exchange_identification() with level
verbose instead of error to reduce preauth log spam. All of those
get logged with a more generic error message by sshpkt_fatal().
sshd(8):
correct math for ClientAliveInterval that caused the probes
to be sent less frequently than configured.
! ssh-agent(1):
! improve isolation between loaded PKCS#11 modules
! by running separate ssh-pkcs11-helpers for each loaded provider.
! ssh(1):
! make -f (fork after authentication) work correctly with
! multiplexed connections, including ControlPersist.
! ssh(1):
! make ConnectTimeout apply to multiplexing sockets and not
! just to network connections.
! ssh-agent(1),
! ssh(1):
! improve defences against invalid PKCS#11
! modules being loaded by checking that the requested module
! contains the required symbol before loading it.
! sshd(8):
! fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
! appears before it in sshd_config. Since OpenSSH 8.7 the
! AuthorizedPrincipalsCommand directive was incorrectly ignored in
! this situation.
! sshd(8),
! ssh(1),
! ssh-keygen(1):
! remove vestigal support for KRL
! signatures When the KRL format was originally defined, it included
! support for signing of KRL objects. However, the code to sign KRLs
! and verify KRL signatues was never completed in OpenSSH. This
! release removes the partially-implemented code to verify KRLs.
! All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
! KRL files.
! All: fix a number of memory leaks and unreachable/harmless integer
! overflows.
! ssh-agent(1),
! ssh(1):
! don't truncate strings logged from PKCS#11 modules
! sshd(8),
! ssh(1):
! better validate CASignatureAlgorithms in
! ssh_config and sshd_config. Previously this directive would accept
! certificate algorithm names, but these were unusable in practice as
! OpenSSH does not support CA chains.
! ssh(1):
! make ssh -Q CASignatureAlgorithms
only list signature
! algorithms that are valid for CA signing. Previous behaviour was
! to list all signing algorithms, including certificate algorithms.
! ssh-keyscan(1):
! gracefully handle systems where rlimits or the
! maximum number of open files is larger than INT_MAX
! ssh-keygen(1):
! fix "no comment" not showing on when running
! ssh-keygen -l
on multiple keys where one has a comment
! and other following keys do not.
! scp(1),
! sftp(1):
! adjust ftruncate() logic to handle servers that
! reorder requests. Previously, if the server reordered requests then
! the resultant file would be erroneously truncated.
! ssh(1):
! don't incorrectly disable hostname canonicalization when
! CanonicalizeHostname=yes and ProxyJump was expicitly set to
! "none".
! scp(1):
! when copying local to remote, check that the source file
! exists before opening an SFTP connection to the server.
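Review bot: the old-side entry "fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances." has no counterpart on the new side of this hunk, so unless it was moved to another part of the page it has been silently dropped from the Bugfixes list and should be restored. Several typos were introduced in the new text: "vestigal" should be "vestigial", "signatues" should be "signatures", "expicitly" should be "explicitly", the run-on "remove vestigal support for KRL signatures When the KRL format was originally defined" needs a full stop after "signatures", and "fix "no comment" not showing on when running ssh-keygen -l" has a stray "on". The entries "don't truncate strings logged from PKCS#11 modules" and "maximum number of open files is larger than INT_MAX" also lack the terminating period the surrounding entries use.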