#
ee116499 |
| 27-Nov-2022 |
Antonio Huete Jimenez <tuxillo@quantumachine.net> |
vendor/OPENSSH: upgrade from 8.8p1 to 9.1p1
Summary of notable changes:
* sshd(8): fix an integer overflow in the user authentication path
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1): unbreak hostbased auth using RSA keys.
* sshd(8): fix truncation in rhosts/shosts path construction.
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers.
* sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.
* scp(1): fix a memory leak in argument processing.
* ssh-keygen(1): double free() in error path of file hashing step in signing/verify code;
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
* sshd(8): improve logging of errors when opening authorized_keys files.
For a detailed list of changes, please check: https://www.openssh.com/releasenotes.html
|
Revision tags: v6.2.2, v6.2.1, v6.2.0, v6.3.0 |
|
#
50a69bb5 |
| 09-Oct-2021 |
Sascha Wildner <saw@online.de> |
Import OpenSSH-8.8p1
|
Revision tags: v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2 |
|
#
664f4763 |
| 18-Apr-2019 |
zrj <rimvydas.jasinskas@gmail.com> |
Import OpenSSH-8.0p1
|
#
2c9c1408 |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
* Import OpenSSH-7.6p1. Couldn't really merge from the vendor branch so just brought it in.
* Adjustments for WARNS issues
|
Revision tags: v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0 |
|
#
ce74baca |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
|
Revision tags: v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1 |
|
#
e9778795 |
| 04-Aug-2016 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-7.3p1.
|
Revision tags: v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4, v4.0.3, v4.0.2 |
|
#
36e94dc5 |
| 26-Nov-2014 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-6.7p1.
|
Revision tags: v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3, v3.4.2, v3.4.0, v3.4.1, v3.4.0rc, v3.5.0, v3.2.2, v3.2.1, v3.2.0, v3.3.0, v3.0.3, v3.0.2, v3.0.1, v3.1.0, v3.0.0 |
|
#
86d7f5d3 |
| 26-Nov-2011 |
John Marino <draco@marino.st> |
Initial import of binutils 2.22 on the new vendor branch
Future versions of binutils will also reside on this branch rather than continuing to create new binutils branches for each new version.
|
Revision tags: v2.12.0, v2.13.0, v2.10.1, v2.11.0, v2.10.0 |
|
#
9f304aaf |
| 09-Apr-2011 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-5.8p1.
* Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6.
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
* sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command
* scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
* ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.
* ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
* ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. Stale server sockets are now automatically removed.
* ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
* sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1).
BugFixes:
* ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories.
* ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel;
* sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode
* scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case;
* sftp-server(8): umask should be parsed as octal
* sftp(1): escape '[' in filename tab-completion
* ssh(1): Typo in confirmation message.
* sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block
* sshd(8): Use default shell /bin/sh if $SHELL is ""
* ssh(1): kill proxy command on fatal() (we already killed it on clean exit);
* ssh(1): install a SIGCHLD handler to reap expired child process;
* sshd(8): Use correct uid_t/pid_t types instead of int.
|
Revision tags: v2.9.1, v2.8.2, v2.8.1, v2.8.0, v2.9.0 |
|
#
856ea928 |
| 29-Sep-2010 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-5.6p1.
|
Revision tags: v2.6.3, v2.7.3, v2.6.2, v2.7.2, v2.7.1, v2.6.1, v2.7.0, v2.6.0 |
|
#
40c002af |
| 09-Jan-2010 |
Peter Avalos <pavalos@theshell.com> |
Upgrade to OpenSSH-5.3p1.
General Bugfixes:
* Do not limit home directory paths to 256 characters. bz#1615
* Several minor documentation and correctness fixes.
Portable OpenSSH Bugfixes:
* Move the deletion of PAM credentials on logout to after the session close. bz#1534
* Accept ENOSYS as a fallback error when attempting atomic rename(). bz#1535
* Fix detection of krb5-config. bz#1639
* Fix test for server-assigned remote forwarding port for non-root users. bz#1578
|
Revision tags: v2.5.1, v2.4.1, v2.5.0, v2.4.0, v2.3.2 |
|
#
cb5eb4f1 |
| 20-Jun-2009 |
Peter Avalos <pavalos@theshell.com> |
Upgrade to OpenSSH-5.2p1.
Security:
* This release changes the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
* This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes.
New features:
* Added a -y option to ssh(1) to force logging to syslog rather than stderr, which is useful when running daemonised (ssh -f)
* The sshd_config(5) ForceCommand directive now accepts commandline arguments for the internal-sftp server.
* The ssh(1) ~C escape commandline now supports runtime creation of dynamic (-D) port forwards.
* Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. (bz#1482)
* Support remote port forwarding with a listen port of '0'. This informs the server that it should dynamically allocate a listen port and report it back to the client. (bz#1003)
* sshd(8) now supports setting PermitEmptyPasswords and AllowAgentForwarding in Match blocks
Bug and documentation fixes
* Repair a ssh(1) crash introduced in openssh-5.1 when the client is sent a zero-length banner (bz#1496)
* Due to interoperability problems with certain broken SSH implementations, the eow@openssh.com and no-more-sessions@openssh.com protocol extensions are now only sent to peers that identify themselves as OpenSSH.
* Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1.
* Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1).
* Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
* Correct fail-on-error behaviour in sftp(1) batchmode for remote stat operations. (bz#1541)
* Disable nonfunctional ssh(1) ~C escape handler in multiplex slave connections. (bz#1543)
* Avoid hang in ssh(1) when attempting to connect to a server that has MaxSessions=0 set.
* Multiple fixes to sshd(8) configuration test (-T) mode
* Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
* Many manual page improvements.
|
#
18de8d7f |
| 20-Jun-2009 |
Peter Avalos <pavalos@theshell.com> |
Move openssh-5/ to openssh/. We don't need a versioned directory.
|