ee116499 | 27-Nov-2022 |
Antonio Huete Jimenez <tuxillo@quantumachine.net> |
vendor/OPENSSH: upgrade from 8.8p1 to 9.1p1
Summary of notable changes:
* sshd(8): fix an integer overflow in the user authentication path
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1): unbreak hostbased auth using RSA keys.
* sshd(8): fix truncation in rhosts/shosts path construction.
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers.
* sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.
* scp(1): fix a memory leak in argument processing.
* ssh-keygen(1): double free() in error path of file hashing step in signing/verify code;
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
* sshd(8): improve logging of errors when opening authorized_keys files.
For a detailed list of changes, please check: https://www.openssh.com/releasenotes.html
|
6f5ec8b5 | 27-Nov-2022 |
Antonio Huete Jimenez <tuxillo@quantumachine.net> |
libressl: Local modifications after the upgrade (refs #3333)
libressl:
- Adjust Makefiles to include a number of source files that have been either added or moved around.
- Bump shlib.
- Forcibly compile in engines by removing OPENSSL_NO_ENGINE which no longer seems to be valid to have a full build. We wanted to avoid doing hacks to bypass the OPENSSL_NO_ENGINE requirement. As far as we know the engine code is disabled anyways.
librecrypto:
- Adjust Makefiles to include a number of source files that have been either added or moved around.
- Bump shlib.
ldns:
- Remove HAVE_EVP_DSS1 from config.h to avoid using removed LibreSSL API functions.
cryptsetup:
- Adjustments to use the new API.
dc:
- Adjustments to use the new API.
nc:
- Add more source files to the Makefile from libtls, which are now required.
Testing-and-fixes: @dillon, @tuxillo, @aly
|
0cbfa66c | 22-Jul-2020 |
Daniel Fojt <df@neosystem.org> |
vendor/openssh: upgrade from 8.0p1 to 8.3p1
Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and RAMBleed. openssh 8.1 and later encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB)
- ssh(1), sshd(8), ssh-keygen(1): openssh 8.2 removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates
- ssh(1), sshd(8): openssh 8.2 removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server
- ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-* key exchange algorithms have changed, most options have been folded under the -O flag
- support PKCS8 as an optional format for storage of private keys to disk, native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required
- ssh(1), sshd(8): prefer to use chacha20 from libcrypto
- sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups
- sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2
- sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns
- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts
- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks
- ssh(1), sshd(8): allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. "HostKeyAlgorithms ^ssh-ed25519"
- ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no
- ssh(1): add %TOKEN percent expansion for the LocalForward and RemoteForward keywords when used for Unix domain socket forwarding
- ssh(1): allow %n to be expanded in ProxyCommand strings
- sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it
- sftp(1): check for user@host when parsing sftp target, this allows user@[1.2.3.4] to work without a path
- sftp(1): fix a race condition in the SIGCHILD handler that could turn into a kill(-1)
For a detailed list of all improvements, enhancements and bugfixes see release notes:
https://www.openssh.com/releasenotes.html
|
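The 8.3p1 notes above mention that an algorithm list beginning with '^' is prepended to the default set (e.g. "HostKeyAlgorithms ^ssh-ed25519"). The following is an added illustration, not OpenSSH code, of how such a list specification resolves against a default set; it also covers the '+' (append) and '-' (remove, with wildcards) prefixes documented in ssh_config(5). The default and supported algorithm lists here are constructed stand-ins, shorter than and not necessarily matching any real OpenSSH version, and the function name `resolve_algorithm_list` is an assumption of this example.

```python
import re

# Constructed stand-in for a built-in default list; real defaults are longer
# and differ between OpenSSH versions.
DEFAULT_HOSTKEY_ALGORITHMS = [
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]

# Constructed stand-in for the set of algorithms the binary supports at all.
SUPPORTED_HOSTKEY_ALGORITHMS = set(DEFAULT_HOSTKEY_ALGORITHMS) | {
    "sk-ssh-ed25519@openssh.com",
}


def _pattern_match(pattern, name):
    """Match one name against an OpenSSH-style pattern ('*' any run, '?' one char)."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, name) is not None


def _split(spec):
    return [a for a in spec.split(",") if a]


def _check_supported(names, supported):
    unknown = [n for n in names if n not in supported]
    if unknown:
        raise ValueError("unsupported algorithm(s): " + ",".join(unknown))


def resolve_algorithm_list(spec, default=DEFAULT_HOSTKEY_ALGORITHMS,
                           supported=SUPPORTED_HOSTKEY_ALGORITHMS):
    """Resolve an algorithm option value using ssh_config(5) prefix semantics.

    '^list' places the named algorithms at the head of the default set,
    '+list' appends them, '-patterns' removes matching entries from the
    default set, and a bare list replaces the default set entirely.
    Names that are not supported are rejected, as OpenSSH does.
    """
    if not spec:
        raise ValueError("empty algorithm list")
    prefix, body = spec[0], spec[1:]
    if prefix == "^":
        head = _split(body)
        _check_supported(head, supported)
        # Named entries first; remaining defaults follow, without duplicates.
        return head + [a for a in default if a not in head]
    if prefix == "+":
        tail = _split(body)
        _check_supported(tail, supported)
        # Defaults keep their order; appended entries already present are skipped.
        return list(default) + [a for a in tail if a not in default]
    if prefix == "-":
        patterns = _split(body)
        # Removal works on patterns, so wildcards are allowed and not validated.
        return [a for a in default
                if not any(_pattern_match(p, a) for p in patterns)]
    names = _split(spec)
    _check_supported(names, supported)
    return names


if __name__ == "__main__":
    for spec in ("^ssh-ed25519", "-ssh-rsa,ecdsa-*", "+ssh-rsa", "ssh-ed25519,rsa-sha2-512"):
        print(f"{spec!r:28} -> {','.join(resolve_algorithm_list(spec))}")
```

The removal form is the one most relevant to hardening: a '-' list drops entries from whatever the build's default is, so a configuration such as "-ssh-rsa" keeps working across upgrades without having to restate the whole default list.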