| ee116499 | 27-Nov-2022 |
Antonio Huete Jimenez <tuxillo@quantumachine.net> |
vendor/OPENSSH: upgrade from 8.8p1 top 9.1p1
Summary of notable changes:
* sshd(8): fix an integer overflow in the user authentication path
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a syst
vendor/OPENSSH: upgrade from 8.8p1 top 9.1p1
Summary of notable changes:
* sshd(8): fix an integer overflow in the user authentication path
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1): unbreak hostbased auth using RSA keys.
* sshd(8): fix truncation in rhosts/shosts path construction.
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers.
* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.
* scp(1): fix a memory leak in argument processing.
* ssh-keygen(1): double free() in error path of file hashing step in
signing/verify code;
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
Reported by Qualys
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.
* sshd(8): improve logging of errors when opening authorized_keys
files.
For a detailed list of changes, please check:
https://www.openssh.com/releasenotes.html
show more ...
|
| 6f5ec8b5 | 27-Nov-2022 |
Antonio Huete Jimenez <tuxillo@quantumachine.net> |
libressl: Local modifications after the upgrade (refs #3333)
libressl:
- Adjust Makefiles to include a number of source files that have been
either added or moved around.
- Bump shlib.
-
libressl: Local modifications after the upgrade (refs #3333)
libressl:
- Adjust Makefiles to include a number of source files that have been
either added or moved around.
- Bump shlib.
- Forcibly compile in engines by removing OPENSSL_NO_ENGINE which no longer
seems to be valid to have a full build. We wanted to avoid doing hacks to
bypass the OPENSSL_NO_ENGINE requirement. As far as we know the engine
code is disabled anyways.
librecrypto:
- Adjust Makefiles to include a number of source files that have been
either added or moved around.
- Bump shlib.
ldns:
- Remove HAVE_EVP_DSS1 from config.h to avoid using removed LibreSSL API
functions.
crytpsetup:
- Adjustments to use the new API.
dc:
- Adjustments to use the new API.
nc:
- Add more source files to the Makefile from libtls, which are now required.
Testing-and-fixes: @dillon, @tuxillo, @aly
show more ...
|
| 0cbfa66c | 22-Jul-2020 |
Daniel Fojt <df@neosystem.org> |
vendor/openssh: upgrade from 8.0p1 to 8.3p1
Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel
vendor/openssh: upgrade from 8.0p1 to 8.3p1
Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel attacks like
Spectre, Meltdown and Rambleed, openssh 8.1 and later encrypts private
keys when they are not in use with a symmetric key that is derived from
a relatively large "prekey" consisting of random data (currently 16KB)
- ssh(1), sshd(8), ssh-keygen(1): openssh 8.2 removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will
use the rsa-sha2-512 signature algorithm by default when the
ssh-keygen(1) CA signs new certificates
- ssh(1), sshd(8): openssh 8.2 removes diffie-hellman-group14-sha1 from
the default key exchange proposal for both the client and server
- ssh-keygen(1): the command-line options related to the generation and
screening of safe prime numbers used by the diffie-hellman-group-* key
exchange algorithms have changed, most options have been folded under
the -O flag
- support PKCS8 as an optional format for storage of private keys to disk,
native key format remains the default, but PKCS8 is a superior format to
PEM if interoperability with non-OpenSSH software is required
- ssh(1), sshd(8): prefer to use chacha20 from libcrypto
- sshd(8): the sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured
by MaxStartups
- sshd(8): when clients get denied by MaxStartups, send a notification
prior to the SSH2 protocol banner according to RFC4253 section 4.2
- sshd(8): add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns
- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
to allow .shosts files but not .rhosts
- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
sshd_config, not just before any Match blocks
- ssh(1), sshd(8): allow prepending a list of algorithms to the default
set by starting the list with the '^' character, e.g.
"HostKeyAlgorithms ^ssh-ed25519"
- ssh(1): allow forwarding a different agent socket to the path specified
by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in
addition to yes/no
- ssh(1): add %TOKEN percent expansion for the LocalFoward and
RemoteForward keywords when used for Unix domain socket forwarding
- ssh(1): allow %n to be expanded in ProxyCommand strings
- sftp(1): reject an argument of "-1" in the same way as ssh(1) and
scp(1) do instead of accepting and silently ignoring it
- sftp(1): check for user@host when parsing sftp target, this allows
user@[1.2.3.4] to work without a path
- sftp(1): fix a race condition in the SIGCHILD handler that could
turn in to a kill(-1)
For detailed list of all improvements, enhancements and bugfixes see
release notes:
https://www.openssh.com/releasenotes.html
show more ...
|