svn commit: r296853 - in releng/10.3: crypto/openssh crypto/openssh/contrib crypto/openssh/contrib/redhat crypto/openssh/contrib/suse crypto/openssh/openbsd-compat crypto/openssh/regress crypto/ope...
Dag-Erling Smørgrav
des at FreeBSD.org
Mon Mar 14 13:05:15 UTC 2016
Author: des
Date: Mon Mar 14 13:05:13 2016
New Revision: 296853
URL: https://svnweb.freebsd.org/changeset/base/296853
Log:
  MFS (r296781):
  MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
  MFH (r296634): re-add aes-cbc to server-side default cipher list
  MFH (r296651, r296657): fix gcc build of pam_ssh

  PR: 207679
  Security: CVE-2016-3115
  Approved by: re (marius)
Added:
releng/10.3/crypto/openssh/platform-pledge.c
- copied unchanged from r296781, stable/10/crypto/openssh/platform-pledge.c
releng/10.3/crypto/openssh/regress/cert-file.sh
- copied unchanged from r296781, stable/10/crypto/openssh/regress/cert-file.sh
releng/10.3/crypto/openssh/regress/check-perm.c
- copied unchanged from r296781, stable/10/crypto/openssh/regress/check-perm.c
releng/10.3/crypto/openssh/sandbox-pledge.c
- copied unchanged from r296781, stable/10/crypto/openssh/sandbox-pledge.c
releng/10.3/crypto/openssh/sandbox-solaris.c
- copied unchanged from r296781, stable/10/crypto/openssh/sandbox-solaris.c
Deleted:
releng/10.3/crypto/openssh/roaming_client.c
releng/10.3/crypto/openssh/roaming_common.c
releng/10.3/crypto/openssh/roaming_dummy.c
releng/10.3/crypto/openssh/roaming_serv.c
Modified:
releng/10.3/crypto/openssh/ChangeLog
releng/10.3/crypto/openssh/FREEBSD-upgrade
releng/10.3/crypto/openssh/Makefile.in
releng/10.3/crypto/openssh/README
releng/10.3/crypto/openssh/README.platform
releng/10.3/crypto/openssh/auth-bsdauth.c
releng/10.3/crypto/openssh/auth-krb5.c
releng/10.3/crypto/openssh/auth-options.c
releng/10.3/crypto/openssh/auth-pam.c
releng/10.3/crypto/openssh/auth.h
releng/10.3/crypto/openssh/auth2-pubkey.c
releng/10.3/crypto/openssh/authfd.c
releng/10.3/crypto/openssh/authfd.h
releng/10.3/crypto/openssh/authfile.c
releng/10.3/crypto/openssh/channels.c
releng/10.3/crypto/openssh/cipher.c
releng/10.3/crypto/openssh/clientloop.c
releng/10.3/crypto/openssh/clientloop.h
releng/10.3/crypto/openssh/config.h
releng/10.3/crypto/openssh/configure.ac
releng/10.3/crypto/openssh/contrib/redhat/openssh.spec
releng/10.3/crypto/openssh/contrib/ssh-copy-id
releng/10.3/crypto/openssh/contrib/ssh-copy-id.1
releng/10.3/crypto/openssh/contrib/suse/openssh.spec
releng/10.3/crypto/openssh/defines.h
releng/10.3/crypto/openssh/dh.h
releng/10.3/crypto/openssh/includes.h
releng/10.3/crypto/openssh/kex.c
releng/10.3/crypto/openssh/kex.h
releng/10.3/crypto/openssh/kexc25519s.c
releng/10.3/crypto/openssh/kexdhs.c
releng/10.3/crypto/openssh/kexecdhs.c
releng/10.3/crypto/openssh/kexgexs.c
releng/10.3/crypto/openssh/key.c
releng/10.3/crypto/openssh/key.h
releng/10.3/crypto/openssh/krl.c
releng/10.3/crypto/openssh/krl.h
releng/10.3/crypto/openssh/loginrec.c
releng/10.3/crypto/openssh/misc.c
releng/10.3/crypto/openssh/monitor.c
releng/10.3/crypto/openssh/monitor_wrap.c
releng/10.3/crypto/openssh/monitor_wrap.h
releng/10.3/crypto/openssh/mux.c
releng/10.3/crypto/openssh/myproposal.h
releng/10.3/crypto/openssh/opacket.c
releng/10.3/crypto/openssh/opacket.h
releng/10.3/crypto/openssh/openbsd-compat/bsd-misc.c
releng/10.3/crypto/openssh/openbsd-compat/bsd-misc.h
releng/10.3/crypto/openssh/openbsd-compat/bsd-poll.h
releng/10.3/crypto/openssh/openbsd-compat/glob.c
releng/10.3/crypto/openssh/openbsd-compat/glob.h
releng/10.3/crypto/openssh/openbsd-compat/openbsd-compat.h
releng/10.3/crypto/openssh/openbsd-compat/port-solaris.c
releng/10.3/crypto/openssh/openbsd-compat/port-solaris.h
releng/10.3/crypto/openssh/openbsd-compat/realpath.c
releng/10.3/crypto/openssh/packet.c
releng/10.3/crypto/openssh/packet.h
releng/10.3/crypto/openssh/platform.h
releng/10.3/crypto/openssh/readconf.c
releng/10.3/crypto/openssh/readconf.h
releng/10.3/crypto/openssh/readpass.c
releng/10.3/crypto/openssh/regress/Makefile
releng/10.3/crypto/openssh/regress/agent-ptrace.sh
releng/10.3/crypto/openssh/regress/dhgex.sh
releng/10.3/crypto/openssh/regress/hostkey-rotate.sh
releng/10.3/crypto/openssh/regress/keys-command.sh
releng/10.3/crypto/openssh/regress/keyscan.sh
releng/10.3/crypto/openssh/regress/limit-keytype.sh
releng/10.3/crypto/openssh/regress/principals-command.sh
releng/10.3/crypto/openssh/regress/proxy-connect.sh
releng/10.3/crypto/openssh/regress/rekey.sh
releng/10.3/crypto/openssh/regress/setuid-allowed.c
releng/10.3/crypto/openssh/regress/sftp-chroot.sh
releng/10.3/crypto/openssh/regress/unittests/sshkey/test_file.c
releng/10.3/crypto/openssh/regress/unittests/sshkey/test_fuzz.c
releng/10.3/crypto/openssh/regress/unittests/sshkey/test_sshkey.c
releng/10.3/crypto/openssh/roaming.h
releng/10.3/crypto/openssh/sandbox-seccomp-filter.c
releng/10.3/crypto/openssh/sandbox-systrace.c
releng/10.3/crypto/openssh/scp.1
releng/10.3/crypto/openssh/scp.c
releng/10.3/crypto/openssh/servconf.c
releng/10.3/crypto/openssh/serverloop.c
releng/10.3/crypto/openssh/session.c
releng/10.3/crypto/openssh/sftp-client.c
releng/10.3/crypto/openssh/sftp-client.h
releng/10.3/crypto/openssh/sftp-server-main.c
releng/10.3/crypto/openssh/sftp-server.c
releng/10.3/crypto/openssh/sftp.1
releng/10.3/crypto/openssh/sftp.c
releng/10.3/crypto/openssh/ssh-add.c
releng/10.3/crypto/openssh/ssh-agent.1
releng/10.3/crypto/openssh/ssh-agent.c
releng/10.3/crypto/openssh/ssh-dss.c
releng/10.3/crypto/openssh/ssh-ecdsa.c
releng/10.3/crypto/openssh/ssh-keygen.1
releng/10.3/crypto/openssh/ssh-keygen.c
releng/10.3/crypto/openssh/ssh-keyscan.1
releng/10.3/crypto/openssh/ssh-keyscan.c
releng/10.3/crypto/openssh/ssh-keysign.8
releng/10.3/crypto/openssh/ssh-keysign.c
releng/10.3/crypto/openssh/ssh-pkcs11-client.c
releng/10.3/crypto/openssh/ssh-pkcs11-helper.c
releng/10.3/crypto/openssh/ssh-pkcs11.c
releng/10.3/crypto/openssh/ssh-rsa.c
releng/10.3/crypto/openssh/ssh.1
releng/10.3/crypto/openssh/ssh.c
releng/10.3/crypto/openssh/ssh.h
releng/10.3/crypto/openssh/ssh2.h
releng/10.3/crypto/openssh/ssh_api.c
releng/10.3/crypto/openssh/ssh_config
releng/10.3/crypto/openssh/ssh_config.5
releng/10.3/crypto/openssh/ssh_namespace.h
releng/10.3/crypto/openssh/sshbuf-getput-basic.c
releng/10.3/crypto/openssh/sshbuf.c
releng/10.3/crypto/openssh/sshbuf.h
releng/10.3/crypto/openssh/sshconnect.c
releng/10.3/crypto/openssh/sshconnect.h
releng/10.3/crypto/openssh/sshconnect1.c
releng/10.3/crypto/openssh/sshconnect2.c
releng/10.3/crypto/openssh/sshd.8
releng/10.3/crypto/openssh/sshd.c
releng/10.3/crypto/openssh/sshd_config
releng/10.3/crypto/openssh/sshd_config.5
releng/10.3/crypto/openssh/ssherr.c
releng/10.3/crypto/openssh/sshkey.c
releng/10.3/crypto/openssh/sshkey.h
releng/10.3/crypto/openssh/sshlogin.c
releng/10.3/crypto/openssh/uidswap.c
releng/10.3/crypto/openssh/version.h
releng/10.3/crypto/openssh/xmalloc.c
releng/10.3/crypto/openssh/xmalloc.h
releng/10.3/lib/libpam/modules/pam_ssh/Makefile
releng/10.3/lib/libpam/modules/pam_ssh/pam_ssh.c
releng/10.3/secure/lib/libssh/Makefile
releng/10.3/secure/libexec/sftp-server/Makefile
releng/10.3/secure/libexec/ssh-keysign/Makefile
releng/10.3/secure/libexec/ssh-pkcs11-helper/Makefile
releng/10.3/secure/usr.bin/scp/Makefile
releng/10.3/secure/usr.bin/sftp/Makefile
releng/10.3/secure/usr.bin/ssh-add/Makefile
releng/10.3/secure/usr.bin/ssh-agent/Makefile
releng/10.3/secure/usr.bin/ssh-keygen/Makefile
releng/10.3/secure/usr.bin/ssh-keyscan/Makefile
releng/10.3/secure/usr.bin/ssh/Makefile
releng/10.3/secure/usr.sbin/sshd/Makefile
Directory Properties:
releng/10.3/ (props changed)
Modified: releng/10.3/crypto/openssh/ChangeLog
==============================================================================
--- releng/10.3/crypto/openssh/ChangeLog Mon Mar 14 13:04:40 2016 (r296852)
+++ releng/10.3/crypto/openssh/ChangeLog Mon Mar 14 13:05:13 2016 (r296853)
@@ -1,7615 +1,8905 @@
-commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443
+commit 5c35450a0c901d9375fb23343a8dc82397da5f75
Author: Damien Miller <djm at mindrot.org>
-Date: Thu Jan 14 11:08:19 2016 +1100
+Date: Thu Mar 10 05:04:48 2016 +1100
- bump version numbers
+ update versions for release
-commit 302bc21e6fadacb04b665868cd69b625ef69df90
+commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
Author: Damien Miller <djm at mindrot.org>
-Date: Thu Jan 14 11:04:04 2016 +1100
+Date: Thu Mar 10 05:03:39 2016 +1100
- openssh-7.1p2
+ sanitise characters destined for xauth(1)
+
+ reported by github.com/tintinweb
-commit 6b33763242c063e4e0593877e835eeb1fd1b60aa
-Author: Damien Miller <djm at mindrot.org>
-Date: Thu Jan 14 11:02:58 2016 +1100
+commit 72b061d4ba0f909501c595d709ea76e06b01e5c9
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Fri Feb 26 14:40:04 2016 +1100
- forcibly disable roaming support in the client
+ Add a note about using xlc on AIX.
-commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Mon Oct 5 17:11:21 2015 +0000
+commit fd4e4f2416baa2e6565ea49d52aade296bad3e28
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Wed Feb 24 10:44:25 2016 +1100
- upstream commit
+ Skip PrintLastLog in config dump mode.
- some more bzero->explicit_bzero, from Michael McConville
-
- Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0
+ When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
+ config dump since it'll be reported as UNKNOWN.
-commit 8f5b93026797b9f7fba90d0c717570421ccebbd3
-Author: guenther at openbsd.org <guenther at openbsd.org>
-Date: Fri Sep 11 08:50:04 2015 +0000
+commit 99135c764fa250801da5ec3b8d06cbd0111caae8
+Author: Damien Miller <djm at mindrot.org>
+Date: Tue Feb 23 20:17:23 2016 +1100
+
+ update spec/README versions ahead of release
+
+commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5
+Author: Damien Miller <djm at mindrot.org>
+Date: Tue Feb 23 20:16:53 2016 +1100
+
+ put back portable patchlevel to p1
+
+commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Tue Feb 23 09:14:34 2016 +0000
upstream commit
- Use explicit_bzero() when zeroing before free()
-
- from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu)
- ok millert@ djm@
+ openssh-7.2
- Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50
+ Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78
-commit d77148e3a3ef6c29b26ec74331455394581aa257
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Sun Nov 8 21:59:11 2015 +0000
+commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf
+Author: Damien Miller <djm at mindrot.org>
+Date: Tue Feb 23 16:12:13 2016 +1100
- upstream commit
+ Disable tests where fs perms are incorrect
- fix OOB read in packet code caused by missing return
- statement found by Ben Hawkes; ok markus@ deraadt@
+ Some tests have strict requirements on the filesystem permissions
+ for certain files and directories. This adds a regress/check-perm
+ tool that copies the relevant logic from sshd to exactly test
+ the paths in question. This lets us skip tests when the local
+ filesystem doesn't conform to our expectations rather than
+ continuing and failing the test run.
- Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+ ok dtucker@
-commit 076d849e17ab12603627f87b301e2dca71bae518
+commit 39f303b1f36d934d8410b05625f25c7bcb75db4d
Author: Damien Miller <djm at mindrot.org>
-Date: Sat Nov 14 18:44:49 2015 +1100
+Date: Tue Feb 23 12:56:59 2016 +1100
- read back from libcrypto RAND when privdropping
+ fix sandbox on OSX Lion
- makes certain libcrypto implementations cache a /dev/urandom fd
- in preparation of sandboxing. Based on patch by Greg Hartman.
+ sshd was failing with:
+
+ ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
+ image not found [preauth]
+
+ caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
+ to sshd. Spotted by Darren.
-commit f72adc0150011a28f177617a8456e1f83733099d
+commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Sun Dec 13 22:42:23 2015 +0000
+Date: Tue Feb 23 01:34:14 2016 +0000
upstream commit
- unbreak connections with peers that set
- first_kex_follows; fix from Matt Johnston va bz#2515
+ fix spurious error message when incorrect passphrase
+ entered for keys; reported by espie@ ok deraadt@
- Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
+ Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
-commit 04bd8d019ccd906cac1a2b362517b8505f3759e6
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Jan 12 23:42:54 2016 +0000
+commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc
+Author: sobrado at openbsd.org <sobrado at openbsd.org>
+Date: Sat Feb 20 23:06:23 2016 +0000
upstream commit
- use explicit_bzero() more liberally in the buffer code; ok
- deraadt
+ set ssh(1) protocol version to 2 only.
- Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
+ ok djm@
+
+ Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
-commit e91346dc2bbf460246df2ab591b7613908c1b0ad
-Author: Damien Miller <djm at mindrot.org>
-Date: Fri Aug 21 14:49:03 2015 +1000
+commit 9262e07826ba5eebf8423f7ac9e47ec488c47869
+Author: sobrado at openbsd.org <sobrado at openbsd.org>
+Date: Sat Feb 20 23:02:39 2016 +0000
- we don't use Github for issues/pull-requests
+ upstream commit
+
+ add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to
+ IdentityFile.
+
+ ok djm@
+
+ Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
-commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
-Author: Damien Miller <djm at mindrot.org>
-Date: Fri Aug 21 14:43:55 2015 +1000
+commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5
+Author: sobrado at openbsd.org <sobrado at openbsd.org>
+Date: Sat Feb 20 23:01:46 2016 +0000
- fix URL for connect.c
+ upstream commit
+
+ AddressFamily defaults to any.
+
+ ok djm@
+
+ Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
-commit d026a8d3da0f8186598442997c7d0a28e7275414
-Author: Damien Miller <djm at mindrot.org>
-Date: Fri Aug 21 13:47:10 2015 +1000
+commit 907091acb188b1057d50c2158f74c3ecf1c2302b
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Fri Feb 19 09:05:39 2016 +1100
- update version numbers for 7.1
+ Make Solaris privs code build on older systems.
+
+ Not all systems with Solaris privs have priv_basicset so factor that
+ out and provide backward compatibility code. Similarly, not all have
+ PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
+ alex at cooperi.net and djm@ with help from carson at taltos.org and
+ wieland at purdue.edu.
-commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
+commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Aug 21 03:45:26 2015 +0000
+Date: Wed Feb 17 22:20:14 2016 +0000
upstream commit
- openssh-7.1
+ rekey refactor broke SSH1; spotted by Tom G. Christensen
- Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
+ Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
-commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
+commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Aug 21 03:42:19 2015 +0000
+Date: Wed Feb 17 08:57:34 2016 +0000
upstream commit
- fix inverted logic that broke PermitRootLogin; reported
- by Mantas Mikulenas; ok markus@
+ rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
+ in *KeyTypes options yet. Remove them from the lists of algorithms for now.
+ committing on behalf of markus@ ok djm@
- Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
+ Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
-commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
-Author: deraadt at openbsd.org <deraadt at openbsd.org>
-Date: Thu Aug 20 22:32:42 2015 +0000
+commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b
+Author: jmc at openbsd.org <jmc at openbsd.org>
+Date: Wed Feb 17 07:38:19 2016 +0000
upstream commit
- Do not cast result of malloc/calloc/realloc* if stdlib.h
- is in scope ok krw millert
-
- Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
-
-commit 05291e5288704d1a98bacda269eb5a0153599146
-Author: naddy at openbsd.org <naddy at openbsd.org>
-Date: Thu Aug 20 19:20:06 2015 +0000
-
- upstream commit
+ since these pages now clearly tell folks to avoid v1,
+ normalise the docs from a v2 perspective (i.e. stop pointing out which bits
+ are v2 only);
- In the certificates section, be consistent about using
- "host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
+ ok/tweaks djm ok markus
- Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
+ Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
-commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
+commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Aug 19 23:21:42 2015 +0000
+Date: Wed Feb 17 05:29:04 2016 +0000
upstream commit
- Better compat matching for WinSCP, add compat matching
- for FuTTY (fork of PuTTY); ok markus@ deraadt@
+ make sandboxed privilege separation the default, not just
+ for new installs; "absolutely" deraadt@
- Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
+ Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
-commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Aug 19 23:19:01 2015 +0000
+commit eb3f7337a651aa01d5dec019025e6cdc124ed081
+Author: jmc at openbsd.org <jmc at openbsd.org>
+Date: Tue Feb 16 07:47:54 2016 +0000
upstream commit
- fix double-free() in error path of DSA key generation
- reported by Mateusz Kocielski; ok markus@
+ no need to state that protocol 2 is the default twice;
- Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
+ Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
-commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
+commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Aug 19 23:18:26 2015 +0000
+Date: Tue Feb 16 05:11:04 2016 +0000
upstream commit
- fix free() of uninitialised pointer reported by Mateusz
- Kocielski; ok markus@
+ Replace list of ciphers and MACs adjacent to -1/-2 flag
+ descriptions in ssh(1) with a strong recommendation not to use protocol 1.
+ Add a similar warning to the Protocol option descriptions in ssh_config(5)
+ and sshd_config(5);
- Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
+ prompted by and ok mmcc@
+
+ Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
-commit c837643b93509a3ef538cb6624b678c5fe32ff79
+commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Aug 19 23:17:51 2015 +0000
+Date: Tue Feb 16 03:37:48 2016 +0000
upstream commit
- fixed unlink([uninitialised memory]) reported by Mateusz
- Kocielski; ok markus@
+ add a "Close session" log entry (at loglevel=verbose) to
+ correspond to the existing "Starting session" one. Also include the session
+ id number to make multiplexed sessions more apparent.
- Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
+ feedback and ok dtucker@
+
+ Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
-commit 1f8d3d629cd553031021068eb9c646a5f1e50994
-Author: jmc at openbsd.org <jmc at openbsd.org>
-Date: Fri Aug 14 15:32:41 2015 +0000
+commit 624fd395b559820705171f460dd33d67743d13d6
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Wed Feb 17 02:24:17 2016 +0000
upstream commit
- match myproposal.h order; from brian conway (i snuck in a
- tweak while here)
-
- ok dtucker
+ include bad $SSH_CONNECTION in failure output
- Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
+ Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
-commit 1dc8d93ce69d6565747eb44446ed117187621b26
-Author: deraadt at openbsd.org <deraadt at openbsd.org>
-Date: Thu Aug 6 14:53:21 2015 +0000
+commit 60d860e54b4f199e5e89963b1c086981309753cb
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Wed Feb 17 13:37:09 2016 +1100
- upstream commit
-
- add prohibit-password as a synonymn for without-password,
- since the without-password is causing too many questions. Harden it to ban
- all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
- djm, ok markus
+ Rollback addition of va_start.
- Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
+ va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however
+ it has the wrong number of args and it's not usable in non-variadic
+ functions anyway so it breaks things (for example Solaris 2.6 as
+ reported by Tom G. Christensen).i ok djm@
-commit 90a95a4745a531b62b81ce3b025e892bdc434de5
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue Aug 11 13:53:41 2015 +1000
+commit 2fee909c3cee2472a98b26eb82696297b81e0d38
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Wed Feb 17 09:48:15 2016 +1100
- update version in README
+ Look for gethostbyname in libresolv and libnsl.
+
+ Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
-commit 318c37743534b58124f1bab37a8a0087a3a9bd2f
+commit 5ac712d81a84396aab441a272ec429af5b738302
Author: Damien Miller <djm at mindrot.org>
-Date: Tue Aug 11 13:53:09 2015 +1000
+Date: Tue Feb 16 10:45:02 2016 +1100
- update versions in *.spec
+ make existing ssh_malloc_init only for __OpenBSD__
-commit 5e75f5198769056089fb06c4d738ab0e5abc66f7
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue Aug 11 13:34:12 2015 +1000
+commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Mon Feb 15 23:32:37 2016 +0000
- set sshpam_ctxt to NULL after free
+ upstream commit
- Avoids use-after-free in monitor when privsep child is compromised.
- Reported by Moritz Jodeit; ok dtucker@
-
-commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue Aug 11 13:33:24 2015 +1000
-
- Don't resend username to PAM; it already has it.
+ memleak of algorithm name in mm_answer_sign; reported by
+ Jakub Jelen
- Pointed out by Moritz Jodeit; ok dtucker@
+ Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
-commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca
-Author: Darren Tucker <dtucker at zip.com.au>
-Date: Mon Jul 27 12:14:25 2015 +1000
+commit ffb1e7e896139a42ceb78676f637658f44612411
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Mon Feb 15 09:47:49 2016 +0000
- Import updated moduli file from OpenBSD.
+ upstream commit
+
+ Add a function to enable security-related malloc_options.
+ With and ok deraadt@, something similar has been in the snaps for a while.
+
+ Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
-commit 55b263fb7cfeacb81aaf1c2036e0394c881637da
+commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c
Author: Damien Miller <djm at mindrot.org>
-Date: Mon Aug 10 11:13:44 2015 +1000
+Date: Tue Feb 16 10:34:39 2016 +1100
- let principals-command.sh work for noexec /var/run
+ sync ssh-copy-id with upstream 783ef08b0a75
-commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897
-Author: Damien Miller <djm at mindrot.org>
-Date: Thu Aug 6 11:43:42 2015 +1000
+commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Fri Feb 12 00:20:30 2016 +0000
- work around echo -n / sed behaviour in tests
+ upstream commit
+
+ avoid fatal() for PKCS11 tokens that present empty key IDs
+ bz#1773, ok markus@
+
+ Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
-commit d85dad81778c1aa8106acd46930b25fdf0d15b2a
+commit e4c918a6c721410792b287c9fd21356a1bed5805
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Aug 5 05:27:33 2015 +0000
+Date: Thu Feb 11 02:56:32 2016 +0000
upstream commit
- adjust for RSA minimum modulus switch; ok deraadt@
+ sync crypto algorithm lists in ssh_config(5) and
+ sshd_config(5) with current reality. bz#2527
- Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
+ Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
-commit 57e8e229bad5fe6056b5f1199665f5f7008192c6
+commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Aug 4 05:23:06 2015 +0000
+Date: Thu Feb 11 02:21:34 2016 +0000
upstream commit
- backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
- release; problems spotted by sthen@ ok deraadt@ markus@
+ fix regression in openssh-6.8 sftp client: existing
+ destination directories would incorrectly terminate recursive uploads;
+ bz#2528
- Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
+ Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
-commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a
+commit 714e367226ded4dc3897078be48b961637350b05
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Sun Aug 2 09:56:42 2015 +0000
+Date: Tue Feb 9 05:30:04 2016 +0000
upstream commit
- openssh 7.0; ok deraadt@
+ turn off more old crypto in the client: hmac-md5, ripemd,
+ truncated HMACs, RC4, blowfish. ok markus@ dtucker@
- Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
+ Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
-commit 3d5728a0f6874ce4efb16913a12963595070f3a9
-Author: chris at openbsd.org <chris at openbsd.org>
-Date: Fri Jul 31 15:38:09 2015 +0000
+commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Mon Feb 8 23:40:12 2016 +0000
upstream commit
- Allow PermitRootLogin to be overridden by config
-
- ok markus@ deeradt@
+ don't attempt to percent_expand() already-canonicalised
+ addresses, avoiding unnecessary failures when attempting to connect to scoped
+ IPv6 addresses (that naturally contain '%' characters)
- Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
+ Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
-commit 6f941396b6835ad18018845f515b0c4fe20be21a
+commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Thu Jul 30 23:09:15 2015 +0000
+Date: Mon Feb 8 10:57:07 2016 +0000
upstream commit
- fix pty permissions; patch from Nikolay Edigaryev; ok
- deraadt
+ refactor activation of rekeying
- Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
+ This makes automatic rekeying internal to the packet code (previously
+ the server and client loops needed to assist). In doing to it makes
+ application of rekey limits more accurate by accounting for packets
+ about to be sent as well as packets queued during rekeying events
+ themselves.
+
+ Based on a patch from dtucker@ which was in turn based on a patch
+ Aleksander Adamowski in bz#2521; ok markus@
+
+ Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
-commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
-Author: deraadt at openbsd.org <deraadt at openbsd.org>
-Date: Thu Jul 30 19:23:02 2015 +0000
+commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d
+Author: naddy at openbsd.org <naddy at openbsd.org>
+Date: Fri Feb 5 13:28:19 2016 +0000
upstream commit
- change default: PermitRootLogin without-password matching
- install script changes coming as well ok djm markus
+ Only check errno if read() has returned an error. EOF is
+ not an error. This fixes a problem where the mux master would sporadically
+ fail to notice that the client had exited. ok mikeb@ djm@
- Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
+ Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
-commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c
-Author: Damien Miller <djm at mindrot.org>
-Date: Thu Jul 30 12:31:39 2015 +1000
+commit 56d7dac790693ce420d225119283bc355cff9185
+Author: jsg at openbsd.org <jsg at openbsd.org>
+Date: Fri Feb 5 04:31:21 2016 +0000
- downgrade OOM adjustment logging: verbose -> debug
+ upstream commit
+
+ avoid an uninitialised value when NumberOfPasswordPrompts
+ is 0 ok markus@ djm@
+
+ Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
-commit f9eca249d4961f28ae4b09186d7dc91de74b5895
+commit deae7d52d59c5019c528f977360d87fdda15d20b
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Thu Jul 30 00:01:34 2015 +0000
+Date: Fri Feb 5 03:07:06 2016 +0000
upstream commit
- Allow ssh_config and sshd_config kex parameters options be
- prefixed by a '+' to indicate that the specified items be appended to the
- default rather than replacing it.
-
- approach suggested by dtucker@, feedback dlg@, ok markus@
+ mention internal DH-GEX fallback groups; bz#2302
- Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
+ Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
-commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163
+commit cac3b6665f884d46192c0dc98a64112e8b11a766
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Jul 29 08:34:54 2015 +0000
+Date: Fri Feb 5 02:37:56 2016 +0000
upstream commit
- fix bug in previous; was printing incorrect string for
- failed host key algorithms negotiation
+ better description for MaxSessions; bz#2531
- Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
+ Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
-commit f319912b0d0e1675b8bb051ed8213792c788bcb2
+commit 5ef4b0fdcc7a239577a754829b50022b91ab4712
+Author: Damien Miller <djm at mindrot.org>
+Date: Wed Jan 27 17:45:56 2016 +1100
+
+ avoid FreeBSD RCS Id in comment
+
+ Change old $FreeBSD version string in comment so it doesn't
+ become an RCS ident downstream; requested by des AT des.no
+
+commit 696d12683c90d20a0a9c5f4275fc916b7011fb04
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Jul 29 04:43:06 2015 +0000
+Date: Thu Feb 4 23:43:48 2016 +0000
upstream commit
- include the peer's offer when logging a failure to
- negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
+ printf argument casts to avoid warnings on strict
+ compilers
- Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
+ Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
-commit b6ea0e573042eb85d84defb19227c89eb74cf05a
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Jul 28 23:20:42 2015 +0000
+commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a
+Author: millert at openbsd.org <millert at openbsd.org>
+Date: Mon Feb 1 21:18:17 2016 +0000
upstream commit
- add Cisco to the list of clients that choke on the
- hostkeys update extension. Pointed out by Howard Kash
+ Avoid ugly "DISPLAY "(null)" invalid; disabling X11
+ forwarding" message when DISPLAY is not set. This could also result in a
+ crash on systems with a printf that doesn't handle NULL. OK djm@
- Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
+ Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
-commit 3f628c7b537291c1019ce86af90756fb4e66d0fd
-Author: guenther at openbsd.org <guenther at openbsd.org>
-Date: Mon Jul 27 16:29:23 2015 +0000
+commit 537f88ec7bcf40bd444ac5584c707c5588c55c43
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Jan 29 05:18:15 2016 +0000
upstream commit
- Permit kbind(2) use in the sandbox now, to ease testing
- of ld.so work using it
-
- reminded by miod@, ok deraadt@
+ Add regression test for RekeyLimit parsing of >32bit values
+ (4G and 8G).
- Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
+ Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
-commit ebe27ebe520098bbc0fe58945a87ce8490121edb
-Author: millert at openbsd.org <millert at openbsd.org>
-Date: Mon Jul 20 18:44:12 2015 +0000
+commit 4c6cb8330460f94e6c7ae28a364236d4188156a3
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Jan 29 23:04:46 2016 +0000
upstream commit
- Move .Pp before .Bl, not after to quiet mandoc -Tlint.
- Noticed by jmc@
+ Remove leftover roaming dead code. ok djm markus.
- Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
+ Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
-commit d5d91d0da819611167782c66ab629159169d94d4
-Author: millert at openbsd.org <millert at openbsd.org>
-Date: Mon Jul 20 18:42:35 2015 +0000
+commit 28136471809806d6246ef41e4341467a39fe2f91
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Fri Jan 29 05:46:01 2016 +0000
upstream commit
- Sync usage with SYNOPSIS
+ include packet type of non-data packets in debug3 output;
+ ok markus dtucker
- Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
+ Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
-commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743
-Author: millert at openbsd.org <millert at openbsd.org>
-Date: Mon Jul 20 15:39:52 2015 +0000
+commit 6fd6e28daccafaa35f02741036abe64534c361a1
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Jan 29 03:31:03 2016 +0000
upstream commit
- Better desciption of Unix domain socket forwarding.
- bz#2423; ok jmc@
+ Revert "account for packets buffered but not yet
+ processed" change as it breaks for very small RekeyLimit values due to
+ continuous rekeying. ok djm@
- Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
-
-commit d56fd1828074a4031b18b8faa0bf949669eb18a0
-Author: Damien Miller <djm at mindrot.org>
-Date: Mon Jul 20 11:19:51 2015 +1000
-
- make realpath.c compile -Wsign-compare clean
+ Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
-commit c63c9a691dca26bb7648827f5a13668832948929
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Mon Jul 20 00:30:01 2015 +0000
+commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Jan 29 02:54:45 2016 +0000
upstream commit
- mention that the default of UseDNS=no implies that
- hostnames cannot be used for host matching in sshd_config and
- authorized_keys; bz#2045, ok dtucker@
+ Allow RekeyLimits in excess of 4G up to 2**63 bits
+ (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
- Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
+ Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
-commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Sat Jul 18 08:02:17 2015 +0000
+commit c0060a65296f01d4634f274eee184c0e93ba0f23
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Jan 29 02:42:46 2016 +0000
upstream commit
- don't ignore PKCS#11 hosted keys that return empty
- CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
+ Account for packets buffered but not yet processed when
+ computing whether or not it is time to perform rekeying. bz#2521, based
+ loosely on a patch from olo at fb.com, ok djm@
- Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
+ Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
-commit b15fd989c8c62074397160147a8d5bc34b3f3c63
+commit 44cf930e670488c85c9efeb373fa5f4b455692ac
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Sat Jul 18 08:00:21 2015 +0000
+Date: Wed Jan 27 06:44:58 2016 +0000
upstream commit
- skip uninitialised PKCS#11 slots; patch from Jakub Jelen
- in bz#2427 ok markus@
+ change old $FreeBSD version string in comment so it doesn't
+ become an RCS ident downstream; requested by des AT des.no
- Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
+ Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
-commit 5b64f85bb811246c59ebab70aed331f26ba37b18
+commit ebacd377769ac07d1bf3c75169644336056b7060
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Sat Jul 18 07:57:14 2015 +0000
+Date: Wed Jan 27 00:53:12 2016 +0000
upstream commit
- only query each keyboard-interactive device once per
- authentication request regardless of how many times it is listed; ok markus@
+ make the debug messages a bit more useful here
- Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+ Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
-commit cd7324d0667794eb5c236d8a4e0f236251babc2d
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Jul 17 03:34:27 2015 +0000
+commit 458abc2934e82034c5c281336d8dc0f910aecad3
+Author: jsg at openbsd.org <jsg at openbsd.org>
+Date: Sat Jan 23 05:31:35 2016 +0000
upstream commit
- remove -u flag to diff (only used for error output) to make
- things easier for -portable
+ Zero a stack buffer with explicit_bzero() instead of
+ memset() when returning from client_loop() for consistency with
+ buffer_free()/sshbuf_free().
- Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
+ ok dtucker@ deraadt@ djm@
+
+ Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
-commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Jul 17 03:09:19 2015 +0000
+commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Wed Jan 20 09:22:39 2016 +0000
upstream commit
- direct-streamlocal at openssh.com Unix domain foward
- messages do not contain a "reserved for future use" field and in fact,
- serverloop.c checks that there isn't one. Remove erroneous mention from
- PROTOCOL description. bz#2421 from Daniel Black
+ Include sys/time.h for gettimeofday. From sortie at
+ maxsi.org.
- Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
+ Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
-commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Jul 17 03:04:27 2015 +0000
+commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a
+Author: markus at openbsd.org <markus at openbsd.org>
+Date: Thu Jan 14 22:56:56 2016 +0000
upstream commit
- describe magic for setting up Unix domain socket fowards
- via the mux channel; bz#2422 patch from Daniel Black
+ fd leaks; report Qualys Security Advisory team; ok
+ deraadt@
- Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
+ Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
-commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc
-Author: Darren Tucker <dtucker at zip.com.au>
-Date: Fri Jul 17 12:52:34 2015 +1000
+commit a306863831c57ec5fad918687cc5d289ee8e2635
+Author: markus at openbsd.org <markus at openbsd.org>
+Date: Thu Jan 14 16:17:39 2016 +0000
- Check if realpath works on nonexistent files.
-
- On some platforms the native realpath doesn't work with non-existent
- files (this is actually specified in some versions of POSIX), however
- the sftp spec says its realpath with "canonicalize any given path name".
- On those platforms, use realpath from the compat library.
+ upstream commit
- In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
- the realpath symbol to the checked version, so redefine ours to
- something else so we pick up the compat version we want.
+ remove roaming support; ok djm@
- bz#2428, ok djm@
+ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
-commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Jul 17 02:47:45 2015 +0000
+commit 6ef49e83e30688504552ac10875feabd5521565f
+Author: deraadt at openbsd.org <deraadt at openbsd.org>
+Date: Thu Jan 14 14:34:34 2016 +0000
upstream commit
- fix incorrect test for SSH1 keys when compiled without SSH1
- support
+ Disable experimental client-side roaming support. Server
+ side was disabled/gutted for years already, but this aspect was surprisingly
+ forgotten. Thanks for report from Qualys
- Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
+ Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
-commit df56a8035d429b2184ee94aaa7e580c1ff67f73a
+commit 8d7b523b96d3be180572d9d338cedaafc0570f60
+Author: Damien Miller <djm at mindrot.org>
+Date: Thu Jan 14 11:08:19 2016 +1100
+
+ bump version numbers
+
+commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca
+Author: Damien Miller <djm at mindrot.org>
+Date: Thu Jan 14 11:04:04 2016 +1100
+
+ openssh-7.1p2
+
+commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jan 15 01:30:36 2016 +1100
+
+ forcibly disable roaming support in the client
+
+commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Jul 15 08:00:11 2015 +0000
+Date: Wed Jan 13 23:04:47 2016 +0000
upstream commit
- fix NULL-deref when SSH1 reenabled
+ eliminate fallback from untrusted X11 forwarding to trusted
+ forwarding when the X server disables the SECURITY extension; Reported by
+ Thomas Hoger; ok deraadt@
- Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
+ Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
-commit 41e38c4d49dd60908484e6703316651333f16b93
+commit 9a728cc918fad67c8a9a71201088b1e150340ba4
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Jul 15 07:19:50 2015 +0000
+Date: Tue Jan 12 23:42:54 2016 +0000
upstream commit
- regen RSA1 test keys; the last batch was missing their
- private parts
+ use explicit_bzero() more liberally in the buffer code; ok
+ deraadt
- Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
+ Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
-commit 5bf0933184cb622ca3f96d224bf3299fd2285acc
-Author: markus at openbsd.org <markus at openbsd.org>
-Date: Fri Jul 10 06:23:25 2015 +0000
+commit 4626cbaf78767fc8e9c86dd04785386c59ae0839
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jan 8 14:24:56 2016 +1100
- upstream commit
+ Support Illumos/Solaris fine-grained privileges
- Adapt tests, now that DSA if off by default; use
- PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
+ Includes a pre-auth privsep sandbox and several pledge()
+ emulations. bz#2511, patch by Alex Wilson.
- Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
+ ok dtucker@
-commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc
-Author: markus at openbsd.org <markus at openbsd.org>
-Date: Tue Jul 7 14:54:16 2015 +0000
+commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Thu Dec 31 00:33:52 2015 +0000
upstream commit
- regen test data after mktestdata.sh changes
+ fix three bugs in KRL code related to (unused) signature
+ support: verification length was being incorrectly calculated, multiple
+ signatures were being incorrectly processed and a NULL dereference that
+ occurred when signatures were verified. Reported by Carl Jackson
- Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
+ Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
-commit 7c8c174c69f681d4910fa41c37646763692b28e2
-Author: markus at openbsd.org <markus at openbsd.org>
-Date: Tue Jul 7 14:53:30 2015 +0000
+commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Wed Dec 30 23:46:14 2015 +0000
upstream commit
- adapt tests to new minimum RSA size and default FP format
+ unused prototype
- Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
+ Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97
-commit 6a977a4b68747ade189e43d302f33403fd4a47ac
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Jul 3 04:39:23 2015 +0000
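Review bot: The ed4ce82 entry (no fallback from untrusted to trusted X11 forwarding when the X server disables the SECURITY extension) is a user-visible behaviour change on a release branch, and the commit log names only the xauth injection fix and the aes-cbc re-add. Sessions that request untrusted forwarding against such a server will no longer be silently upgraded to trusted forwarding, so this deserves a line in the release notes or UPDATING. The same applies to the roaming removal (a306863, 6ef49e8, e6c85f8, 4c6cb83). Separately, c0060a6 ("Account for packets buffered but not yet processed") and its revert 6fd6e28 are both imported, so rekey accounting is unchanged on balance. Of the bz#2521 entries visible here, only 921ff00 (RekeyLimit above 4G) remains in effect, which is worth stating wherever the PR is tracked.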
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***