version 1.15, 2023/10/10 22:35:56 |
version 1.16, 2023/10/10 23:19:35 |
|
|
<li>Replace strncpy() with strlcpy() in mg(1). |
<li>Replace strncpy() with strlcpy() in mg(1). |
<li>Skip checking permissions of conffile with access(2). |
<li>Skip checking permissions of conffile with access(2). |
</ul> |
</ul> |
<li>On aarch64 architectures improve how BTI control flow integretry |
<li>On aarch64 architectures improve how BTI control flow integrity |
enforcement is implemented in the executable entry point and enable |
enforcement is implemented in the executable entry point and enable |
support for BTI control flow integrety checks in libc assembly |
support for BTI control flow integrity checks in libc assembly |
functions. |
functions. |
|
|
</ul> |
</ul> |
|
|
|
|
<li>Security improvements: |
<li>Security improvements: |
<ul> |
<ul> |
<li>Change malloc(3) chunk sizes to be fine grained. [needs better explaination] |
<li>Change malloc(3) chunk sizes to be fine grained. [needs better explanation] |
<li>In malloc(3), check all chunks in the delayed free list for write-after-free. |
<li>In malloc(3), check all chunks in the delayed free list for write-after-free. |
</ul> |
</ul> |
|
|
|
|
<ul> |
<ul> |
<li>In isakmpd(8), avoid a double free in ec_init() when using the OpenSSL API. |
<li>In isakmpd(8), avoid a double free in ec_init() when using the OpenSSL API. |
<li>In iked(8), do not treat the return value of i2d_ECDSA_SIG() as |
<li>In iked(8), do not treat the return value of i2d_ECDSA_SIG() as |
lenght as it can be negative. |
length as it can be negative. |
<li>Prepare isakmpd(8) for a libcrypto library that is lacking binary field |
<li>Prepare isakmpd(8) for a libcrypto library that is lacking binary field |
support. |
support. |
<li>In isakmpd(8), avoid a potential crash by addind a missing NULL check. |
<li>In isakmpd(8), avoid a potential crash by adding a missing NULL check. |
|
|
</ul> |
</ul> |
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, |
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, |
|
|
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
remove vestigal support for KRL |
remove vestigial support for KRL |
signatures When the KRL format was originally defined, it included |
signatures When the KRL format was originally defined, it included |
support for signing of KRL objects. However, the code to sign KRLs |
support for signing of KRL objects. However, the code to sign KRLs |
and verify KRL signatues was never completed in OpenSSH. This |
and verify KRL signatures was never completed in OpenSSH. This |
release removes the partially-implemented code to verify KRLs. |
release removes the partially-implemented code to verify KRLs. |
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in |
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in |
KRL files. |
KRL files. |
|
|
the resultant file would be erroneously truncated. |
the resultant file would be erroneously truncated. |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
don't incorrectly disable hostname canonicalization when |
don't incorrectly disable hostname canonicalization when |
CanonicalizeHostname=yes and ProxyJump was expicitly set to |
CanonicalizeHostname=yes and ProxyJump was explicitly set to |
"none". |
"none". |
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>: |
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>: |
when copying local to remote, check that the source file |
when copying local to remote, check that the source file |