ChangeLog
commit e91346dc2bbf460246df2ab591b7613908c1b0ad
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 21 14:49:03 2015 +1000
we don't use Github for issues/pull-requests
commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 21 14:43:55 2015 +1000
fix URL for connect.c
commit d026a8d3da0f8186598442997c7d0a28e7275414
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 21 13:47:10 2015 +1000
update version numbers for 7.1
commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Aug 21 03:45:26 2015 +0000
upstream commit
openssh-7.1
Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Aug 21 03:42:19 2015 +0000
upstream commit
fix inverted logic that broke PermitRootLogin; reported
by Mantas Mikulenas; ok markus@
Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date: Thu Aug 20 22:32:42 2015 +0000
upstream commit
Do not cast result of malloc/calloc/realloc* if stdlib.h
is in scope ok krw millert
Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
commit 05291e5288704d1a98bacda269eb5a0153599146
Author: naddy@openbsd.org <naddy@openbsd.org>
Date: Thu Aug 20 19:20:06 2015 +0000
upstream commit
In the certificates section, be consistent about using
"host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:21:42 2015 +0000
upstream commit
Better compat matching for WinSCP, add compat matching
for FuTTY (fork of PuTTY); ok markus@ deraadt@
Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:19:01 2015 +0000
upstream commit
fix double-free() in error path of DSA key generation
reported by Mateusz Kocielski; ok markus@
Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:18:26 2015 +0000
upstream commit
fix free() of uninitialised pointer reported by Mateusz
Kocielski; ok markus@
Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
commit c837643b93509a3ef538cb6624b678c5fe32ff79
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:17:51 2015 +0000
upstream commit
fixed unlink([uninitialised memory]) reported by Mateusz
Kocielski; ok markus@
Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
commit 1f8d3d629cd553031021068eb9c646a5f1e50994
Author: jmc@openbsd.org <jmc@openbsd.org>
Date: Fri Aug 14 15:32:41 2015 +0000
upstream commit
match myproposal.h order; from brian conway (i snuck in a
tweak while here)
ok dtucker
Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
commit 1dc8d93ce69d6565747eb44446ed117187621b26
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date: Thu Aug 6 14:53:21 2015 +0000
upstream commit
add prohibit-password as a synonym for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
commit 90a95a4745a531b62b81ce3b025e892bdc434de5
Author: Damien Miller <djm@mindrot.org>
Date: Tue Aug 11 13:53:41 2015 +1000
update version in README
commit 318c37743534b58124f1bab37a8a0087a3a9bd2f
Author: Damien Miller <djm@mindrot.org>
Date: Tue Aug 11 13:53:09 2015 +1000
update versions in *.spec
commit 5e75f5198769056089fb06c4d738ab0e5abc66f7
Author: Damien Miller <djm@mindrot.org>
Date: Tue Aug 11 13:34:12 2015 +1000
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
Author: Damien Miller <djm@mindrot.org>
Date: Tue Aug 11 13:33:24 2015 +1000
Don't resend username to PAM; it already has it.
Pointed out by Moritz Jodeit; ok dtucker@
commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca
Author: Darren Tucker <dtucker@zip.com.au>
Date: Mon Jul 27 12:14:25 2015 +1000
Import updated moduli file from OpenBSD.
commit 55b263fb7cfeacb81aaf1c2036e0394c881637da
Author: Damien Miller <djm@mindrot.org>
Date: Mon Aug 10 11:13:44 2015 +1000
let principals-command.sh work for noexec /var/run
commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897
Author: Damien Miller <djm@mindrot.org>
Date: Thu Aug 6 11:43:42 2015 +1000
work around echo -n / sed behaviour in tests
commit d85dad81778c1aa8106acd46930b25fdf0d15b2a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 5 05:27:33 2015 +0000
upstream commit
adjust for RSA minimum modulus switch; ok deraadt@
Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
commit 57e8e229bad5fe6056b5f1199665f5f7008192c6
Author: djm@openbsd.org <djm@openbsd.org>
Date: Tue Aug 4 05:23:06 2015 +0000
upstream commit
backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
release; problems spotted by sthen@ ok deraadt@ markus@
Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Sun Aug 2 09:56:42 2015 +0000
upstream commit
openssh 7.0; ok deraadt@
Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
commit 3d5728a0f6874ce4efb16913a12963595070f3a9
Author: chris@openbsd.org <chris@openbsd.org>
Date: Fri Jul 31 15:38:09 2015 +0000
upstream commit
Allow PermitRootLogin to be overridden by config
ok markus@ deeradt@
Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
commit 6f941396b6835ad18018845f515b0c4fe20be21a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Thu Jul 30 23:09:15 2015 +0000
upstream commit
fix pty permissions; patch from Nikolay Edigaryev; ok
deraadt
Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date: Thu Jul 30 19:23:02 2015 +0000
upstream commit
change default: PermitRootLogin without-password matching
install script changes coming as well ok djm markus
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c
Author: Damien Miller <djm@mindrot.org>
Date: Thu Jul 30 12:31:39 2015 +1000
downgrade OOM adjustment logging: verbose -> debug
commit f9eca249d4961f28ae4b09186d7dc91de74b5895
Author: djm@openbsd.org <djm@openbsd.org>
Date: Thu Jul 30 00:01:34 2015 +0000
upstream commit
Allow ssh_config and sshd_config kex parameters options be
prefixed by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 29 08:34:54 2015 +0000
upstream commit
fix bug in previous; was printing incorrect string for
failed host key algorithms negotiation
Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
commit f319912b0d0e1675b8bb051ed8213792c788bcb2
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 29 04:43:06 2015 +0000
upstream commit
include the peer's offer when logging a failure to
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
commit b6ea0e573042eb85d84defb19227c89eb74cf05a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Tue Jul 28 23:20:42 2015 +0000
upstream commit
add Cisco to the list of clients that choke on the
hostkeys update extension. Pointed out by Howard Kash
Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
commit 3f628c7b537291c1019ce86af90756fb4e66d0fd
Author: guenther@openbsd.org <guenther@openbsd.org>
Date: Mon Jul 27 16:29:23 2015 +0000
upstream commit
Permit kbind(2) use in the sandbox now, to ease testing
of ld.so work using it
reminded by miod@, ok deraadt@
Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
commit ebe27ebe520098bbc0fe58945a87ce8490121edb
Author: millert@openbsd.org <millert@openbsd.org>
Date: Mon Jul 20 18:44:12 2015 +0000
upstream commit
Move .Pp before .Bl, not after to quiet mandoc -Tlint.
Noticed by jmc@
Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
commit d5d91d0da819611167782c66ab629159169d94d4
Author: millert@openbsd.org <millert@openbsd.org>
Date: Mon Jul 20 18:42:35 2015 +0000
upstream commit
Sync usage with SYNOPSIS
Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743
Author: millert@openbsd.org <millert@openbsd.org>
Date: Mon Jul 20 15:39:52 2015 +0000
upstream commit
Better description of Unix domain socket forwarding.
bz#2423; ok jmc@
Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
commit d56fd1828074a4031b18b8faa0bf949669eb18a0
Author: Damien Miller <djm@mindrot.org>
Date: Mon Jul 20 11:19:51 2015 +1000
make realpath.c compile -Wsign-compare clean
commit c63c9a691dca26bb7648827f5a13668832948929
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Jul 20 00:30:01 2015 +0000
upstream commit
mention that the default of UseDNS=no implies that
hostnames cannot be used for host matching in sshd_config and
authorized_keys; bz#2045, ok dtucker@
Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76
Author: djm@openbsd.org <djm@openbsd.org>
Date: Sat Jul 18 08:02:17 2015 +0000
upstream commit
don't ignore PKCS#11 hosted keys that return empty
CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
commit b15fd989c8c62074397160147a8d5bc34b3f3c63
Author: djm@openbsd.org <djm@openbsd.org>
Date: Sat Jul 18 08:00:21 2015 +0000
upstream commit
skip uninitialised PKCS#11 slots; patch from Jakub Jelen
in bz#2427 ok markus@
Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
commit 5b64f85bb811246c59ebab70aed331f26ba37b18
Author: djm@openbsd.org <djm@openbsd.org>
Date: Sat Jul 18 07:57:14 2015 +0000
upstream commit
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed; ok markus@
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
commit cd7324d0667794eb5c236d8a4e0f236251babc2d
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 17 03:34:27 2015 +0000
upstream commit
remove -u flag to diff (only used for error output) to make
things easier for -portable
Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 17 03:09:19 2015 +0000
upstream commit
direct-streamlocal@openssh.com Unix domain forward
messages do not contain a "reserved for future use" field and in fact,
serverloop.c checks that there isn't one. Remove erroneous mention from
PROTOCOL description. bz#2421 from Daniel Black
Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 17 03:04:27 2015 +0000
upstream commit
describe magic for setting up Unix domain socket forwards
via the mux channel; bz#2422 patch from Daniel Black
Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc
Author: Darren Tucker <dtucker@zip.com.au>
Date: Fri Jul 17 12:52:34 2015 +1000
Check if realpath works on nonexistent files.
On some platforms the native realpath doesn't work with non-existent
files (this is actually specified in some versions of POSIX), however
the sftp spec says its realpath with "canonicalize any given path name".
On those platforms, use realpath from the compat library.
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
the realpath symbol to the checked version, so redefine ours to
something else so we pick up the compat version we want.
bz#2428, ok djm@
commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 17 02:47:45 2015 +0000
upstream commit
fix incorrect test for SSH1 keys when compiled without SSH1
support
Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
commit df56a8035d429b2184ee94aaa7e580c1ff67f73a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 15 08:00:11 2015 +0000
upstream commit
fix NULL-deref when SSH1 reenabled
Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
commit 41e38c4d49dd60908484e6703316651333f16b93
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 15 07:19:50 2015 +0000
upstream commit
regen RSA1 test keys; the last batch was missing their
private parts
Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
commit 5bf0933184cb622ca3f96d224bf3299fd2285acc
Author: markus@openbsd.org <markus@openbsd.org>
Date: Fri Jul 10 06:23:25 2015 +0000
upstream commit
Adapt tests, now that DSA is off by default; use
PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc
Author: markus@openbsd.org <markus@openbsd.org>
Date: Tue Jul 7 14:54:16 2015 +0000
upstream commit
regen test data after mktestdata.sh changes
Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
commit 7c8c174c69f681d4910fa41c37646763692b28e2
Author: markus@openbsd.org <markus@openbsd.org>
Date: Tue Jul 7 14:53:30 2015 +0000
upstream commit
adapt tests to new minimum RSA size and default FP format
Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
commit 6a977a4b68747ade189e43d302f33403fd4a47ac
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 3 04:39:23 2015 +0000
upstream commit
legacy v00 certificates are gone; adapt and don't try to
test them; "sure" markus@ dtucker@
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 23:11:18 2015 +0000
upstream commit
don't expect SSH v.1 in unittests
Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
commit 3c099845798a817cdde513c39074ec2063781f18
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Jun 15 06:38:50 2015 +0000
upstream commit
turn SSH1 back on to match src/usr.bin/ssh being tested
Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
commit b1dc2b33689668c75e95f873a42d5aea1f4af1db
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Mon Jul 13 04:57:14 2015 +0000
upstream commit
Add "PuTTY_Local:" to the clients to which we do not
offer DH-GEX. This was the string that was used for development versions
prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
there are some extant products based on those versions. bx2424 from Jay
Rouman, ok markus@ djm@
Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9
Author: markus@openbsd.org <markus@openbsd.org>
Date: Fri Jul 10 06:21:53 2015 +0000
upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
commit 16db0a7ee9a87945cc594d13863cfcb86038db59
Author: markus@openbsd.org <markus@openbsd.org>
Date: Thu Jul 9 09:49:46 2015 +0000
upstream commit
re-enable ed25519-certs if compiled w/o openssl; ok djm
Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
commit c355bf306ac33de6545ce9dac22b84a194601e2f
Author: markus@openbsd.org <markus@openbsd.org>
Date: Wed Jul 8 20:24:02 2015 +0000
upstream commit
no need to include the old buffer/key API
Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee
Author: markus@openbsd.org <markus@openbsd.org>
Date: Wed Jul 8 19:09:25 2015 +0000
upstream commit
typedefs for Cipher&CipherContext are unused
Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0
Author: markus@openbsd.org <markus@openbsd.org>
Date: Wed Jul 8 19:04:21 2015 +0000
upstream commit
xmalloc.h is unused
Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31
Author: markus@openbsd.org <markus@openbsd.org>
Date: Wed Jul 8 19:01:15 2015 +0000
upstream commit
compress.c is gone
Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 3 04:05:54 2015 +0000
upstream commit
another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
cranking
Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
commit b1f383da5cd3cb921fc7776f17a14f44b8a31757
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 3 03:56:25 2015 +0000
upstream commit
add an XXX reminder for getting correct key paths from
sshd_config
Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
commit 933935ce8d093996c34d7efa4d59113163080680
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 3 03:49:45 2015 +0000
upstream commit
refuse to generate or accept RSA keys smaller than 1024
bits; feedback and ok dtucker@
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
commit bdfd29f60b74f3e678297269dc6247a5699583c1
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 3 03:47:00 2015 +0000
upstream commit
turn off 1024 bit diffie-hellman-group1-sha1 key
exchange method (already off in server, this turns it off in the client by
default too) ok dtucker@
Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
commit c28fc62d789d860c75e23a9fa9fb250eb2beca57
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jul 3 03:43:18 2015 +0000
upstream commit
delete support for legacy v00 certificates; "sure"
markus@ dtucker@
Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
commit 564d63e1b4a9637a209d42a9d49646781fc9caef
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 23:10:47 2015 +0000
upstream commit
Compile-time disable SSH v.1 again
Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
commit 868109b650504dd9bcccdb1f51d0906f967c20ff
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 02:39:06 2015 +0000
upstream commit
twiddle PermitRootLogin back
Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
commit 7de4b03a6e4071d454b72927ffaf52949fa34545
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 02:32:17 2015 +0000
upstream commit
twiddle; (this commit marks the openssh-6.9 release)
Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
commit 1bf477d3cdf1a864646d59820878783d42357a1d
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 02:26:31 2015 +0000
upstream commit
better refuse ForwardX11Trusted=no connections attempted
after ForwardX11Timeout expires; reported by Jann Horn
Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
commit 47aa7a0f8551b471fcae0447c1d78464f6dba869
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 01:56:13 2015 +0000
upstream commit
put back default PermitRootLogin=no
Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
commit 984b064fe2a23733733262f88d2e1b2a1a501662
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 01:55:13 2015 +0000
upstream commit
openssh-6.9
Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
commit d921082ed670f516652eeba50705e1e9f6325346
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jul 1 01:55:00 2015 +0000
upstream commit
reset default PermitRootLogin to 'yes' (momentarily, for
release)
Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
commit 66295e0e1ba860e527f191b6325d2d77dec4dbce
Author: Damien Miller <djm@mindrot.org>
Date: Wed Jul 1 11:49:12 2015 +1000
crank version numbers for release
commit 37035c07d4f26bb1fbe000d2acf78efdb008681d
Author: Damien Miller <djm@mindrot.org>
Date: Wed Jul 1 10:49:37 2015 +1000
s/--with-ssh1/--without-ssh1/
commit 629df770dbadc2accfbe1c81b3f31f876d0acd84
Author: djm@openbsd.org <djm@openbsd.org>
Date: Tue Jun 30 05:25:07 2015 +0000
upstream commit
fatal() when a remote window update causes the window
value to overflow. Reported by Georg Wicherski, ok markus@
Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
commit f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2
Author: djm@openbsd.org <djm@openbsd.org>
Date: Tue Jun 30 05:23:25 2015 +0000
upstream commit
Fix math error in remote window calculations that causes
eventual stalls for datagram channels. Reported by Georg Wicherski, ok
markus@
Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
commit 52fb6b9b034fcfd24bf88cc7be313e9c31de9889
Author: Damien Miller <djm@mindrot.org>
Date: Tue Jun 30 16:05:40 2015 +1000
skip IPv6-related portions on hosts without IPv6
with Tim Rice
commit 512caddf590857af6aa12218461b5c0441028cf5
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Jun 29 22:35:12 2015 +0000
upstream commit
add getpid to sandbox, reachable by grace_alarm_handler
reported by Jakub Jelen; bz#2419
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
commit 78c2a4f883ea9aba866358e2acd9793a7f42ca93
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jun 26 05:13:20 2015 +0000
upstream commit
Fix \-escaping bug that caused forward path parsing to skip
two characters and skip past the end of the string.
Based on patch by Salvador Fandino; ok dtucker@
Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
commit bc20205c91c9920361d12b15d253d4997dba494a
Author: Damien Miller <djm@mindrot.org>
Date: Thu Jun 25 09:51:39 2015 +1000
add missing pselect6
patch from Jakub Jelen
commit 9d27fb73b4a4e5e99cb880af790d5b1ce44f720a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Jun 24 23:47:23 2015 +0000
upstream commit
correct test to sshkey_sign(); spotted by Albert S.
Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
commit 7ed01a96a1911d8b4a9ef4f3d064e1923bfad7e3
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Wed Jun 24 01:49:19 2015 +0000
upstream commit
Revert previous commit. We still want to call setgroups
in the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
commit 882f8bf94f79528caa65b0ba71c185d705bb7195
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Wed Jun 24 01:49:19 2015 +0000
upstream commit
Revert previous commit. We still want to call setgroups in
the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
commit 9488538a726951e82b3a4374f3c558d72c80a89b
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Jun 22 23:42:16 2015 +0000
upstream commit
Don't count successful partial authentication as failures
in monitor; this may have caused the monitor to refuse multiple
authentications that would otherwise have successfully completed; ok markus@
Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
commit 63b78d003bd8ca111a736e6cea6333da50f5f09b
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Mon Jun 22 12:29:57 2015 +0000
upstream commit
Don't call setgroups if we have zero groups; there's no
guarantee that it won't try to deref the pointer. Based on a patch from mail
at quitesimple.org, ok djm deraadt
Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
commit 5c15e22c691c79a47747bcf5490126656f97cecd
Author: Damien Miller <djm@mindrot.org>
Date: Thu Jun 18 15:07:56 2015 +1000
fix syntax error
commit 596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403
Author: jsing@openbsd.org <jsing@openbsd.org>
Date: Mon Jun 15 18:44:22 2015 +0000
upstream commit
If AuthorizedPrincipalsCommand is specified, however
AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
potentially fail due to key_cert_check_authority() failing to locate a
principal that matches the username, even though an authorized principal has
already been matched in the output of the subprocess. Fix this by using the
same logic to determine if pw->pw_name should be passed, as is used to
determine if an authorized principal must be matched earlier on.
ok djm@
Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
commit aff3e94c0d75d0d0fa84ea392b50ab04f8c57905
Author: jsing@openbsd.org <jsing@openbsd.org>
Date: Mon Jun 15 18:42:19 2015 +0000
upstream commit
Make the arguments to match_principals_command() similar
to match_principals_file(), by changing the last argument a struct
sshkey_cert * and dereferencing key->cert in the caller.
No functional change.
ok djm@
Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
commit 97e2e1596c202a4693468378b16b2353fd2d6c5e
Author: Damien Miller <djm@mindrot.org>
Date: Wed Jun 17 14:36:54 2015 +1000
trivial optimisation for seccomp-bpf
When doing arg inspection and the syscall doesn't match, skip
past the instruction that reloads the syscall into the accumulator,
since the accumulator hasn't been modified at this point.
commit 99f33d7304893bd9fa04d227cb6e870171cded19
Author: Damien Miller <djm@mindrot.org>
Date: Wed Jun 17 10:50:51 2015 +1000
aarch64 support for seccomp-bpf sandbox
Also resort and tidy syscall list. Based on patches by Jakub Jelen
bz#2361; ok dtucker@
commit 4ef702e1244633c1025ec7cfe044b9ab267097bf
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Jun 15 01:32:50 2015 +0000
upstream commit
return failure on RSA signature error; reported by Albert S
Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa
commit a170f22baf18af0b1acf2788b8b715605f41a1f9
Author: Tim Rice <tim@multitalents.net>
Date: Tue Jun 9 22:41:13 2015 -0700
Fix t12 rules for out of tree builds.
commit ec04dc4a5515c913121bc04ed261857e68fa5c18
Author: millert@openbsd.org <millert@openbsd.org>
Date: Fri Jun 5 15:13:13 2015 +0000
upstream commit
For "ssh -L 12345:/tmp/sock" don't fail with "No forward host
name." (we have a path, not a host name). Based on a diff from Jared
Yanovich. OK djm@
Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
commit 732d61f417a6aea0aa5308b59cb0f563bcd6edd6
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jun 5 03:44:14 2015 +0000
upstream commit
typo: accidental repetition; bz#2386
Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
commit adfb24c69d1b6f5e758db200866c711e25a2ba73
Author: Darren Tucker <dtucker@zip.com.au>
Date: Fri Jun 5 14:51:40 2015 +1000
Add Linux powerpc64le and powerpcle entries.
Stopgap to resolve bz#2409 because we are so close to release and will
update config.guess and friends shortly after the release. ok djm@
commit a1195a0fdc9eddddb04d3e9e44c4775431cb77da
Merge: 6397eed d2480bc
Author: Tim Rice <tim@multitalents.net>
Date: Wed Jun 3 21:43:13 2015 -0700
Merge branch 'master' of git.mindrot.org:/var/git/openssh
commit 6397eedf953b2b973d2d7cbb504ab501a07f8ddc
Author: Tim Rice <tim@multitalents.net>
Date: Wed Jun 3 21:41:11 2015 -0700
Remove unneeded backslashes. Patch from Ángel González
commit d2480bcac1caf31b03068de877a47d6e1027bf6d