svn commit: r221444 - in projects/largeSMP: contrib/top
crypto/openssh crypto/openssh/openbsd-compat
etc/periodic/daily etc/rc.d lib/libc/string release
sbin/mount_nfs secure/lib/libssh secure/usr....
Attilio Rao
attilio at FreeBSD.org
Wed May 4 15:45:24 UTC 2011
Author: attilio
Date: Wed May 4 15:45:23 2011
New Revision: 221444
URL: http://svn.freebsd.org/changeset/base/221444
Log:
MFC
Added:
projects/largeSMP/crypto/openssh/audit-linux.c
- copied unchanged from r221443, head/crypto/openssh/audit-linux.c
projects/largeSMP/crypto/openssh/bufec.c
- copied unchanged from r221443, head/crypto/openssh/bufec.c
projects/largeSMP/crypto/openssh/kexecdh.c
- copied unchanged from r221443, head/crypto/openssh/kexecdh.c
projects/largeSMP/crypto/openssh/kexecdhc.c
- copied unchanged from r221443, head/crypto/openssh/kexecdhc.c
projects/largeSMP/crypto/openssh/kexecdhs.c
- copied unchanged from r221443, head/crypto/openssh/kexecdhs.c
projects/largeSMP/crypto/openssh/openbsd-compat/charclass.h
- copied unchanged from r221443, head/crypto/openssh/openbsd-compat/charclass.h
projects/largeSMP/crypto/openssh/openbsd-compat/timingsafe_bcmp.c
- copied unchanged from r221443, head/crypto/openssh/openbsd-compat/timingsafe_bcmp.c
projects/largeSMP/crypto/openssh/ssh-ecdsa.c
- copied unchanged from r221443, head/crypto/openssh/ssh-ecdsa.c
projects/largeSMP/sys/compat/linux/linux_videodev2.h
- copied unchanged from r221443, head/sys/compat/linux/linux_videodev2.h
projects/largeSMP/sys/compat/linux/linux_videodev2_compat.h
- copied unchanged from r221443, head/sys/compat/linux/linux_videodev2_compat.h
projects/largeSMP/tools/regression/security/cap_test/
- copied from r221443, head/tools/regression/security/cap_test/
Modified:
projects/largeSMP/crypto/openssh/ChangeLog
projects/largeSMP/crypto/openssh/LICENCE
projects/largeSMP/crypto/openssh/PROTOCOL
projects/largeSMP/crypto/openssh/PROTOCOL.agent
projects/largeSMP/crypto/openssh/PROTOCOL.certkeys
projects/largeSMP/crypto/openssh/PROTOCOL.mux
projects/largeSMP/crypto/openssh/README
projects/largeSMP/crypto/openssh/atomicio.c
projects/largeSMP/crypto/openssh/atomicio.h
projects/largeSMP/crypto/openssh/audit-bsm.c
projects/largeSMP/crypto/openssh/audit.c
projects/largeSMP/crypto/openssh/audit.h
projects/largeSMP/crypto/openssh/auth-options.c
projects/largeSMP/crypto/openssh/auth-rsa.c
projects/largeSMP/crypto/openssh/auth.c
projects/largeSMP/crypto/openssh/auth1.c
projects/largeSMP/crypto/openssh/auth2-jpake.c
projects/largeSMP/crypto/openssh/auth2-pubkey.c
projects/largeSMP/crypto/openssh/auth2.c
projects/largeSMP/crypto/openssh/authfd.c
projects/largeSMP/crypto/openssh/authfile.c
projects/largeSMP/crypto/openssh/bufaux.c
projects/largeSMP/crypto/openssh/buffer.h
projects/largeSMP/crypto/openssh/canohost.c
projects/largeSMP/crypto/openssh/channels.c
projects/largeSMP/crypto/openssh/cipher-3des1.c
projects/largeSMP/crypto/openssh/cipher-acss.c
projects/largeSMP/crypto/openssh/cipher-aes.c
projects/largeSMP/crypto/openssh/cipher-bf1.c
projects/largeSMP/crypto/openssh/cipher-ctr.c
projects/largeSMP/crypto/openssh/clientloop.c
projects/largeSMP/crypto/openssh/compress.c
projects/largeSMP/crypto/openssh/config.h
projects/largeSMP/crypto/openssh/config.h.in
projects/largeSMP/crypto/openssh/defines.h
projects/largeSMP/crypto/openssh/dns.c
projects/largeSMP/crypto/openssh/entropy.c
projects/largeSMP/crypto/openssh/hostfile.c
projects/largeSMP/crypto/openssh/hostfile.h
projects/largeSMP/crypto/openssh/includes.h
projects/largeSMP/crypto/openssh/jpake.c
projects/largeSMP/crypto/openssh/kex.c
projects/largeSMP/crypto/openssh/kex.h
projects/largeSMP/crypto/openssh/kexdhc.c
projects/largeSMP/crypto/openssh/kexdhs.c
projects/largeSMP/crypto/openssh/kexgexc.c
projects/largeSMP/crypto/openssh/kexgexs.c
projects/largeSMP/crypto/openssh/key.c
projects/largeSMP/crypto/openssh/key.h
projects/largeSMP/crypto/openssh/loginrec.c
projects/largeSMP/crypto/openssh/loginrec.h
projects/largeSMP/crypto/openssh/misc.c
projects/largeSMP/crypto/openssh/misc.h
projects/largeSMP/crypto/openssh/moduli.c
projects/largeSMP/crypto/openssh/monitor.c
projects/largeSMP/crypto/openssh/monitor_wrap.c
projects/largeSMP/crypto/openssh/mux.c
projects/largeSMP/crypto/openssh/myproposal.h
projects/largeSMP/crypto/openssh/openbsd-compat/bindresvport.c
projects/largeSMP/crypto/openssh/openbsd-compat/bsd-misc.c
projects/largeSMP/crypto/openssh/openbsd-compat/bsd-misc.h
projects/largeSMP/crypto/openssh/openbsd-compat/glob.c
projects/largeSMP/crypto/openssh/openbsd-compat/glob.h
projects/largeSMP/crypto/openssh/openbsd-compat/openbsd-compat.h
projects/largeSMP/crypto/openssh/openbsd-compat/openssl-compat.c
projects/largeSMP/crypto/openssh/openbsd-compat/openssl-compat.h
projects/largeSMP/crypto/openssh/openbsd-compat/port-linux.c
projects/largeSMP/crypto/openssh/openbsd-compat/port-linux.h
projects/largeSMP/crypto/openssh/openbsd-compat/port-solaris.c
projects/largeSMP/crypto/openssh/openbsd-compat/port-solaris.h
projects/largeSMP/crypto/openssh/packet.c
projects/largeSMP/crypto/openssh/packet.h
projects/largeSMP/crypto/openssh/pathnames.h
projects/largeSMP/crypto/openssh/platform.c
projects/largeSMP/crypto/openssh/platform.h
projects/largeSMP/crypto/openssh/readconf.c
projects/largeSMP/crypto/openssh/readconf.h
projects/largeSMP/crypto/openssh/readpass.c
projects/largeSMP/crypto/openssh/schnorr.c
projects/largeSMP/crypto/openssh/scp.1
projects/largeSMP/crypto/openssh/scp.c
projects/largeSMP/crypto/openssh/servconf.c
projects/largeSMP/crypto/openssh/servconf.h
projects/largeSMP/crypto/openssh/session.c
projects/largeSMP/crypto/openssh/sftp-client.c
projects/largeSMP/crypto/openssh/sftp-client.h
projects/largeSMP/crypto/openssh/sftp-server.c
projects/largeSMP/crypto/openssh/sftp.1
projects/largeSMP/crypto/openssh/sftp.c
projects/largeSMP/crypto/openssh/ssh-add.1
projects/largeSMP/crypto/openssh/ssh-add.c
projects/largeSMP/crypto/openssh/ssh-agent.1
projects/largeSMP/crypto/openssh/ssh-agent.c
projects/largeSMP/crypto/openssh/ssh-dss.c
projects/largeSMP/crypto/openssh/ssh-keygen.1
projects/largeSMP/crypto/openssh/ssh-keygen.c
projects/largeSMP/crypto/openssh/ssh-keyscan.1
projects/largeSMP/crypto/openssh/ssh-keyscan.c
projects/largeSMP/crypto/openssh/ssh-keysign.8
projects/largeSMP/crypto/openssh/ssh-keysign.c
projects/largeSMP/crypto/openssh/ssh-rsa.c
projects/largeSMP/crypto/openssh/ssh.1
projects/largeSMP/crypto/openssh/ssh.c
projects/largeSMP/crypto/openssh/ssh2.h
projects/largeSMP/crypto/openssh/ssh_config
projects/largeSMP/crypto/openssh/ssh_config.5
projects/largeSMP/crypto/openssh/ssh_namespace.h
projects/largeSMP/crypto/openssh/sshconnect.c
projects/largeSMP/crypto/openssh/sshconnect.h
projects/largeSMP/crypto/openssh/sshconnect2.c
projects/largeSMP/crypto/openssh/sshd.8
projects/largeSMP/crypto/openssh/sshd.c
projects/largeSMP/crypto/openssh/sshd_config
projects/largeSMP/crypto/openssh/sshd_config.5
projects/largeSMP/crypto/openssh/sshlogin.c
projects/largeSMP/crypto/openssh/uuencode.c
projects/largeSMP/crypto/openssh/uuencode.h
projects/largeSMP/crypto/openssh/version.h
projects/largeSMP/etc/periodic/daily/450.status-security
projects/largeSMP/etc/periodic/daily/800.scrub-zfs
projects/largeSMP/etc/rc.d/sshd
projects/largeSMP/lib/libc/string/ffs.3
projects/largeSMP/release/generate-release.sh
projects/largeSMP/sbin/mount_nfs/mount_nfs.8
projects/largeSMP/secure/lib/libssh/Makefile
projects/largeSMP/secure/usr.sbin/sshd/Makefile
projects/largeSMP/share/man/man9/make_dev.9
projects/largeSMP/sys/cddl/compat/opensolaris/sys/systm.h
projects/largeSMP/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
projects/largeSMP/sys/compat/linux/linux_ioctl.c
projects/largeSMP/sys/compat/linux/linux_ioctl.h
projects/largeSMP/sys/compat/linux/linux_videodev.h
projects/largeSMP/sys/dev/ae/if_ae.c
projects/largeSMP/sys/dev/age/if_age.c
projects/largeSMP/sys/dev/alc/if_alc.c
projects/largeSMP/sys/dev/ale/if_ale.c
projects/largeSMP/sys/dev/ath/ath_hal/ar5416/ar5416_reset.c
projects/largeSMP/sys/dev/bce/if_bce.c
projects/largeSMP/sys/dev/bfe/if_bfe.c
projects/largeSMP/sys/dev/bge/if_bge.c
projects/largeSMP/sys/dev/dc/dcphy.c
projects/largeSMP/sys/dev/dc/pnphy.c
projects/largeSMP/sys/dev/ed/if_ed_pccard.c
projects/largeSMP/sys/dev/et/if_et.c
projects/largeSMP/sys/dev/fxp/if_fxp.c
projects/largeSMP/sys/dev/hme/if_hme.c
projects/largeSMP/sys/dev/jme/if_jme.c
projects/largeSMP/sys/dev/lge/if_lge.c
projects/largeSMP/sys/dev/mii/acphy.c
projects/largeSMP/sys/dev/mii/amphy.c
projects/largeSMP/sys/dev/mii/atphy.c
projects/largeSMP/sys/dev/mii/axphy.c
projects/largeSMP/sys/dev/mii/bmtphy.c
projects/largeSMP/sys/dev/mii/brgphy.c
projects/largeSMP/sys/dev/mii/ciphy.c
projects/largeSMP/sys/dev/mii/e1000phy.c
projects/largeSMP/sys/dev/mii/exphy.c
projects/largeSMP/sys/dev/mii/gentbi.c
projects/largeSMP/sys/dev/mii/icsphy.c
projects/largeSMP/sys/dev/mii/inphy.c
projects/largeSMP/sys/dev/mii/ip1000phy.c
projects/largeSMP/sys/dev/mii/jmphy.c
projects/largeSMP/sys/dev/mii/lxtphy.c
projects/largeSMP/sys/dev/mii/mii.c
projects/largeSMP/sys/dev/mii/mii.h
projects/largeSMP/sys/dev/mii/mii_physubr.c
projects/largeSMP/sys/dev/mii/miidevs
projects/largeSMP/sys/dev/mii/miivar.h
projects/largeSMP/sys/dev/mii/mlphy.c
projects/largeSMP/sys/dev/mii/nsgphy.c
projects/largeSMP/sys/dev/mii/nsphy.c
projects/largeSMP/sys/dev/mii/nsphyter.c
projects/largeSMP/sys/dev/mii/pnaphy.c
projects/largeSMP/sys/dev/mii/qsphy.c
projects/largeSMP/sys/dev/mii/rdcphy.c
projects/largeSMP/sys/dev/mii/rgephy.c
projects/largeSMP/sys/dev/mii/rlphy.c
projects/largeSMP/sys/dev/mii/rlswitch.c
projects/largeSMP/sys/dev/mii/ruephy.c
projects/largeSMP/sys/dev/mii/smcphy.c
projects/largeSMP/sys/dev/mii/tdkphy.c
projects/largeSMP/sys/dev/mii/tlphy.c
projects/largeSMP/sys/dev/mii/truephy.c
projects/largeSMP/sys/dev/mii/ukphy.c
projects/largeSMP/sys/dev/mii/xmphy.c
projects/largeSMP/sys/dev/nfe/if_nfe.c
projects/largeSMP/sys/dev/nge/if_nge.c
projects/largeSMP/sys/dev/nve/if_nve.c
projects/largeSMP/sys/dev/pcn/if_pcn.c
projects/largeSMP/sys/dev/sf/if_sf.c
projects/largeSMP/sys/dev/sge/if_sge.c
projects/largeSMP/sys/dev/sis/if_sis.c
projects/largeSMP/sys/dev/ste/if_ste.c
projects/largeSMP/sys/dev/tx/if_tx.c
projects/largeSMP/sys/dev/usb/net/if_aue.c
projects/largeSMP/sys/dev/usb/net/if_axe.c
projects/largeSMP/sys/dev/usb/net/if_rue.c
projects/largeSMP/sys/dev/usb/net/if_udav.c
projects/largeSMP/sys/dev/vr/if_vr.c
projects/largeSMP/sys/dev/vte/if_vte.c
projects/largeSMP/sys/dev/wb/if_wb.c
projects/largeSMP/sys/fs/nfs/nfs_commonport.c
projects/largeSMP/sys/fs/nfsclient/nfs_clsubs.c
projects/largeSMP/sys/fs/nfsclient/nfs_clvfsops.c
projects/largeSMP/sys/fs/nfsclient/nfs_clvnops.c
projects/largeSMP/sys/geom/geom_dev.c
projects/largeSMP/sys/geom/label/g_label.c
projects/largeSMP/sys/kern/kern_conf.c
projects/largeSMP/sys/mips/atheros/if_arge.c
projects/largeSMP/sys/mips/cavium/octe/octe.c
projects/largeSMP/sys/mips/idt/if_kr.c
projects/largeSMP/sys/modules/mii/Makefile
projects/largeSMP/sys/net80211/ieee80211_adhoc.c
projects/largeSMP/sys/net80211/ieee80211_hostap.c
projects/largeSMP/sys/net80211/ieee80211_input.h
projects/largeSMP/sys/net80211/ieee80211_mesh.c
projects/largeSMP/sys/net80211/ieee80211_sta.c
projects/largeSMP/sys/net80211/ieee80211_wds.c
projects/largeSMP/sys/netinet/sctp_asconf.c
projects/largeSMP/sys/netinet/sctp_auth.c
projects/largeSMP/sys/netinet/sctputil.c
projects/largeSMP/sys/netinet6/sctp6_usrreq.c
projects/largeSMP/sys/nfs/nfs_diskless.c
projects/largeSMP/sys/nfs/nfssvc.h
projects/largeSMP/sys/nfsclient/nfs_vfsops.c
projects/largeSMP/sys/nfsclient/nfs_vnops.c
projects/largeSMP/sys/nfsclient/nfsargs.h
projects/largeSMP/sys/sys/conf.h
projects/largeSMP/usr.bin/nfsstat/nfsstat.c
Directory Properties:
projects/largeSMP/ (props changed)
projects/largeSMP/cddl/contrib/opensolaris/ (props changed)
projects/largeSMP/contrib/bind9/ (props changed)
projects/largeSMP/contrib/binutils/ (props changed)
projects/largeSMP/contrib/bzip2/ (props changed)
projects/largeSMP/contrib/dialog/ (props changed)
projects/largeSMP/contrib/ee/ (props changed)
projects/largeSMP/contrib/expat/ (props changed)
projects/largeSMP/contrib/file/ (props changed)
projects/largeSMP/contrib/gcc/ (props changed)
projects/largeSMP/contrib/gdb/ (props changed)
projects/largeSMP/contrib/gdtoa/ (props changed)
projects/largeSMP/contrib/gnu-sort/ (props changed)
projects/largeSMP/contrib/groff/ (props changed)
projects/largeSMP/contrib/less/ (props changed)
projects/largeSMP/contrib/libpcap/ (props changed)
projects/largeSMP/contrib/libstdc++/ (props changed)
projects/largeSMP/contrib/llvm/ (props changed)
projects/largeSMP/contrib/llvm/tools/clang/ (props changed)
projects/largeSMP/contrib/ncurses/ (props changed)
projects/largeSMP/contrib/netcat/ (props changed)
projects/largeSMP/contrib/ntp/ (props changed)
projects/largeSMP/contrib/one-true-awk/ (props changed)
projects/largeSMP/contrib/openbsm/ (props changed)
projects/largeSMP/contrib/openpam/ (props changed)
projects/largeSMP/contrib/pf/ (props changed)
projects/largeSMP/contrib/sendmail/ (props changed)
projects/largeSMP/contrib/tcpdump/ (props changed)
projects/largeSMP/contrib/tcsh/ (props changed)
projects/largeSMP/contrib/top/ (props changed)
projects/largeSMP/contrib/top/install-sh (props changed)
projects/largeSMP/contrib/tzcode/stdtime/ (props changed)
projects/largeSMP/contrib/tzcode/zic/ (props changed)
projects/largeSMP/contrib/tzdata/ (props changed)
projects/largeSMP/contrib/wpa/ (props changed)
projects/largeSMP/contrib/xz/ (props changed)
projects/largeSMP/crypto/openssh/ (props changed)
projects/largeSMP/crypto/openssl/ (props changed)
projects/largeSMP/gnu/lib/ (props changed)
projects/largeSMP/gnu/usr.bin/binutils/ (props changed)
projects/largeSMP/gnu/usr.bin/cc/cc_tools/ (props changed)
projects/largeSMP/gnu/usr.bin/gdb/ (props changed)
projects/largeSMP/lib/libc/ (props changed)
projects/largeSMP/lib/libc/stdtime/ (props changed)
projects/largeSMP/lib/libutil/ (props changed)
projects/largeSMP/lib/libz/ (props changed)
projects/largeSMP/sbin/ (props changed)
projects/largeSMP/sbin/ipfw/ (props changed)
projects/largeSMP/share/mk/bsd.arch.inc.mk (props changed)
projects/largeSMP/share/zoneinfo/ (props changed)
projects/largeSMP/sys/ (props changed)
projects/largeSMP/sys/amd64/include/xen/ (props changed)
projects/largeSMP/sys/boot/ (props changed)
projects/largeSMP/sys/boot/i386/efi/ (props changed)
projects/largeSMP/sys/boot/ia64/efi/ (props changed)
projects/largeSMP/sys/boot/ia64/ski/ (props changed)
projects/largeSMP/sys/boot/powerpc/boot1.chrp/ (props changed)
projects/largeSMP/sys/boot/powerpc/ofw/ (props changed)
projects/largeSMP/sys/cddl/contrib/opensolaris/ (props changed)
projects/largeSMP/sys/conf/ (props changed)
projects/largeSMP/sys/contrib/dev/acpica/ (props changed)
projects/largeSMP/sys/contrib/octeon-sdk/ (props changed)
projects/largeSMP/sys/contrib/pf/ (props changed)
projects/largeSMP/sys/contrib/x86emu/ (props changed)
projects/largeSMP/usr.bin/calendar/ (props changed)
projects/largeSMP/usr.bin/csup/ (props changed)
projects/largeSMP/usr.bin/procstat/ (props changed)
projects/largeSMP/usr.sbin/ndiscvt/ (props changed)
projects/largeSMP/usr.sbin/zic/ (props changed)
Modified: projects/largeSMP/crypto/openssh/ChangeLog
==============================================================================
--- projects/largeSMP/crypto/openssh/ChangeLog Wed May 4 14:55:57 2011 (r221443)
+++ projects/largeSMP/crypto/openssh/ChangeLog Wed May 4 15:45:23 2011 (r221444)
@@ -1,3 +1,742 @@
+20110403
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Prepare for 5.8p2 release.
+ - Release 5.8p2
+
+20110329
+ - (djm) [entropy.c] closefrom() before running ssh-rand-helper; leftover fds
+ noticed by tmraz AT redhat.com
+
+20110221
+ - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
+ Cygwin-specific service installer script ssh-host-config. The actual
+ functionality is the same, the revisited version is just more
+ exact when it comes to check for problems which disallow to run
+ certain aspects of the script. So, part of this script and the also
+ rearranged service helper script library "csih" is to check if all
+ the tools required to run the script are available on the system.
+ The new script also is more thorough to inform the user why the
+ script failed. Patch from vinschen at redhat com.
+
+20110206
+ - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in
+ selinux code. Patch from Leonardo Chiquitto
+ - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key
+ generation and simplify. Patch from Corinna Vinschen.
+
+20110204
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/01/31 21:42:15
+ [PROTOCOL.mux]
+ cut'n'pasto; from bert.wesarg AT googlemail.com
+ - djm at cvs.openbsd.org 2011/02/04 00:44:21
+ [key.c]
+ fix uninitialised nonce variable; reported by Mateusz Kocielski
+ - djm at cvs.openbsd.org 2011/02/04 00:44:43
+ [version.h]
+ openssh-5.8
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] update versions in docs and spec files.
+ - Release OpenSSH 5.8p1
+
+20110128
+ - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled
+ before attempting setfscreatecon(). Check whether matchpathcon()
+ succeeded before using its result. Patch from cjwatson AT debian.org;
+ bz#1851
+
+20110125
+ - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
+ openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
+ port-linux.c to avoid compilation errors. Add -lselinux to ssh when
+ building with SELinux support to avoid linking failure; report from
+ amk AT spamfence.net; ok dtucker
+
+20110122
+ - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
+ RSA_get_default_method() for the benefit of openssl versions that don't
+ have it (at least openssl-engine-0.9.6b). Found and tested by Kevin Brott,
+ ok djm at .
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/01/22 09:18:53
+ [version.h]
+ crank to OpenSSH-5.7
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] update versions in docs and spec files.
+ - (djm) Release 5.7p1
+
+20110119
+ - (tim) [contrib/caldera/openssh.spec] Use CFLAGS from Makefile instead
+ of RPM so build completes. Signatures were changed to .asc since 4.1p1.
+ - (djm) [configure.ac] Disable ECC on OpenSSL <0.9.8g. Releases prior to
+ 0.9.8 lacked it, and 0.9.8a through 0.9.8d have proven buggy in pre-
+ release testing (random crashes and failure to load ECC keys).
+ ok dtucker@
+
+20110117
+ - (djm) [regress/Makefile] use $TEST_SSH_KEYGEN instead of the one in
+ $PATH, fix cleanup of droppings; reported by openssh AT
+ roumenpetrov.info; ok dtucker@
+ - (djm) [regress/agent-ptrace.sh] Fix false failure on OS X by adding
+ its unique snowflake of a gdb error to the ones we look for.
+ - (djm) [regress/agent-getpeereid.sh] leave stdout attached when running
+ ssh-add to avoid $SUDO failures on Linux
+ - (dtucker) [openbsd-compat/port-linux.c] Bug #1838: Add support for the new
+ Linux OOM-killer magic values that changed in 2.6.36 kernels, with fallback
+ to the old values. Feedback from vapier at gentoo org and djm, ok djm.
+ - (djm) [configure.ac regress/agent-getpeereid.sh regress/multiplex.sh]
+ [regress/sftp-glob.sh regress/test-exec.sh] Rework how feature tests are
+ disabled on platforms that do not support them; add a "config_defined()"
+ shell function that greps for defines in config.h and use them to decide
+ on feature tests.
+ Convert a couple of existing grep's over config.h to use the new function
+ Add a define "FILESYSTEM_NO_BACKSLASH" for filesystem that can't represent
+ backslash characters in filenames, enable it for Cygwin and use it to turn
+ of tests for quotes backslashes in sftp-glob.sh.
+ based on discussion with vinschen AT redhat.com and dtucker@; ok dtucker@
+ - (tim) [regress/agent-getpeereid.sh] shell portability fix.
+ - (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror on
+ the tinderbox.
+ - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h
+ configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem
+ support, based on patches from Tomas Mraz and jchadima at redhat.
+
+20110116
+ - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based
+ on configurations that don't have it.
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/01/16 11:50:05
+ [clientloop.c]
+ Use atomicio when flushing protocol 1 std{out,err} buffers at
+ session close. This was a latent bug exposed by setting a SIGCHLD
+ handler and spotted by kevin.brott AT gmail.com; ok dtucker@
+ - djm at cvs.openbsd.org 2011/01/16 11:50:36
+ [sshconnect.c]
+ reset the SIGPIPE handler when forking to execute child processes;
+ ok dtucker@
+ - djm at cvs.openbsd.org 2011/01/16 12:05:59
+ [clientloop.c]
+ a couple more tweaks to the post-close protocol 1 stderr/stdout flush:
+ now that we use atomicio(), convert them from while loops to if statements
+ add test and cast to compile cleanly with -Wsigned
+
+20110114
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/01/13 21:54:53
+ [mux.c]
+ correct error messages; patch from bert.wesarg AT googlemail.com
+ - djm at cvs.openbsd.org 2011/01/13 21:55:25
+ [PROTOCOL.mux]
+ correct protocol names and add a couple of missing protocol number
+ defines; patch from bert.wesarg AT googlemail.com
+ - (djm) [Makefile.in] Use shell test to disable ecdsa key generating in
+ host-key-force target rather than a substitution that is replaced with a
+ comment so that the Makefile.in is still a syntactically valid Makefile
+ (useful to run the distprep target)
+ - (tim) [regress/cert-hostkey.sh] Typo. Missing $ on variable name.
+ - (tim) [regress/cert-hostkey.sh] Add missing TEST_SSH_ECC guard around some
+ ecdsa bits.
+
+20110113
+ - (djm) [misc.c] include time.h for nanosleep() prototype
+ - (tim) [Makefile.in] test the ECC bits if we have the capability. ok djm
+ - (tim) [Makefile.in configure.ac opensshd.init.in] Add support for generating
+ ecdsa keys. ok djm.
+ - (djm) [entropy.c] cast OPENSSL_VERSION_NUMBER to u_long to avoid
+ gcc warning on platforms where it defaults to int
+ - (djm) [regress/Makefile] add a few more generated files to the clean
+ target
+ - (djm) [myproposal.h] Fix reversed OPENSSL_VERSION_NUMBER test and bad
+ #define that was causing diffie-hellman-group-exchange-sha256 to be
+ incorrectly disabled
+ - (djm) [regress/kextype.sh] Testing diffie-hellman-group-exchange-sha256
+ should not depend on ECC support
+
+20110112
+ - OpenBSD CVS Sync
+ - nicm at cvs.openbsd.org 2010/10/08 21:48:42
+ [openbsd-compat/glob.c]
+ Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit
+ from ARG_MAX to 64K.
+ Fixes glob-using programs (notably ftp) able to be triggered to hit
+ resource limits.
+ Idea from a similar NetBSD change, original problem reported by jasper at .
+ ok millert tedu jasper
+ - djm at cvs.openbsd.org 2011/01/12 01:53:14
+ avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS
+ and sanity check arguments (these will be unnecessary when we switch
+ struct glob members from being type into to size_t in the future);
+ "looks ok" tedu@ feedback guenther@
+ - (djm) [configure.ac] Turn on -Wno-unused-result for gcc >= 4.4 to avoid
+ silly warnings on write() calls we don't care succeed or not.
+ - (djm) [configure.ac] Fix broken test for gcc >= 4.4 with per-compiler
+ flag tests that don't depend on gcc version at all; suggested by and
+ ok dtucker@
+
+20110111
+ - (tim) [regress/host-expand.sh] Fix for building outside of read only
+ source tree.
+ - (djm) [platform.c] Some missing includes that show up under -Werror
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/01/08 10:51:51
+ [clientloop.c]
+ use host and not options.hostname, as the latter may have unescaped
+ substitution characters
+ - djm at cvs.openbsd.org 2011/01/11 06:06:09
+ [sshlogin.c]
+ fd leak on error paths; from zinovik@
+ NB. Id sync only; we use loginrec.c that was also audited and fixed
+ recently
+ - djm at cvs.openbsd.org 2011/01/11 06:13:10
+ [clientloop.c ssh-keygen.c sshd.c]
+ some unsigned long long casts that make things a bit easier for
+ portable without resorting to dropping PRIu64 formats everywhere
+
+20110109
+ - (djm) [Makefile.in] list ssh_host_ecdsa key in PATHSUBS; spotted by
+ openssh AT roumenpetrov.info
+
+20110108
+ - (djm) [regress/keytype.sh] s/echo -n/echon/ to repair failing regress
+ test on OSX and others. Reported by imorgan AT nas.nasa.gov
+
+20110107
+ - (djm) [regress/cert-hostkey.sh regress/cert-userkey.sh] fix shell test
+ for no-ECC case. Patch from cristian.ionescu-idbohrn AT axis.com
+ - djm at cvs.openbsd.org 2011/01/06 22:23:53
+ [ssh.c]
+ unbreak %n expansion in LocalCommand; patch from bert.wesarg AT
+ googlemail.com; ok markus@
+ - djm at cvs.openbsd.org 2011/01/06 22:23:02
+ [clientloop.c]
+ when exiting due to ServerAliveTimeout, mention the hostname that caused
+ it (useful with backgrounded controlmaster)
+ - djm at cvs.openbsd.org 2011/01/06 22:46:21
+ [regress/Makefile regress/host-expand.sh]
+ regress test for LocalCommand %n expansion from bert.wesarg AT
+ googlemail.com; ok markus@
+ - djm at cvs.openbsd.org 2011/01/06 23:01:35
+ [sshconnect.c]
+ reset SIGCHLD handler to SIG_DFL when execuring LocalCommand;
+ ok markus@
+
+20110106
+ - (djm) OpenBSD CVS Sync
+ - markus at cvs.openbsd.org 2010/12/08 22:46:03
+ [scp.1 scp.c]
+ add a new -3 option to scp: Copies between two remote hosts are
+ transferred through the local host. Without this option the data
+ is copied directly between the two remote hosts. ok djm@ (bugzilla #1837)
+ - jmc at cvs.openbsd.org 2010/12/09 14:13:33
+ [scp.1 scp.c]
+ scp.1: grammer fix
+ scp.c: add -3 to usage()
+ - markus at cvs.openbsd.org 2010/12/14 11:59:06
+ [sshconnect.c]
+ don't mention key type in key-changed-warning, since we also print
+ this warning if a new key type appears. ok djm@
+ - djm at cvs.openbsd.org 2010/12/15 00:49:27
+ [readpass.c]
+ fix ControlMaster=ask regression
+ reset SIGCHLD handler before fork (and restore it after) so we don't miss
+ the the askpass child's exit status. Correct test for exit status/signal to
+ account for waitpid() failure; with claudio@ ok claudio@ markus@
+ - djm at cvs.openbsd.org 2010/12/24 21:41:48
+ [auth-options.c]
+ don't send the actual forced command in a debug message; ok markus deraadt
+ - otto at cvs.openbsd.org 2011/01/04 20:44:13
+ [ssh-keyscan.c]
+ handle ecdsa-sha2 with various key lengths; hint and ok djm@
+
+20110104
+ - (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage
+ formatter if it is present, followed by nroff and groff respectively.
+ Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports
+ in favour of mandoc). feedback and ok tim
+
+20110103
+ - (djm) [Makefile.in] revert local hack I didn't intend to commit
+
+20110102
+ - (djm) [loginrec.c] Fix some fd leaks on error paths. ok dtucker
+ - (djm) [configure.ac] Check whether libdes is needed when building
+ with Heimdal krb5 support. On OpenBSD this library no longer exists,
+ so linking it unconditionally causes a build failure; ok dtucker
+
+20101226
+ - (dtucker) OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2010/12/08 04:02:47
+ [ssh_config.5 sshd_config.5]
+ explain that IPQoS arguments are separated by whitespace; iirc requested
+ by jmc@ a while back
+
+20101205
+ - (dtucker) openbsd-compat/openssl-compat.c] remove sleep leftover from
+ debugging. Spotted by djm.
+ - (dtucker) OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2010/12/03 23:49:26
+ [schnorr.c]
+ check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao
+ (this code is still disabled, but apprently people are treating it as
+ a reference implementation)
+ - djm at cvs.openbsd.org 2010/12/03 23:55:27
+ [auth-rsa.c]
+ move check for revoked keys to run earlier (in auth_rsa_key_allowed)
+ bz#1829; patch from ldv AT altlinux.org; ok markus@
+ - djm at cvs.openbsd.org 2010/12/04 00:18:01
+ [sftp-server.c sftp.1 sftp-client.h sftp.c PROTOCOL sftp-client.c]
+ add a protocol extension to support a hard link operation. It is
+ available through the "ln" command in the client. The old "ln"
+ behaviour of creating a symlink is available using its "-s" option
+ or through the preexisting "symlink" command; based on a patch from
+ miklos AT szeredi.hu in bz#1555; ok markus@
+ - djm at cvs.openbsd.org 2010/12/04 13:31:37
+ [hostfile.c]
+ fix fd leak; spotted and ok dtucker
+ - djm at cvs.openbsd.org 2010/12/04 00:21:19
+ [regress/sftp-cmds.sh]
+ adjust for hard-link support
+ - (dtucker) [regress/Makefile] Id sync.
+
+20101204
+ - (djm) [openbsd-compat/bindresvport.c] Use arc4random_uniform(range)
+ instead of (arc4random() % range)
+ - (dtucker) [configure.ac moduli.c openbsd-compat/openssl-compat.{c,h}] Add
+ shims for the new, non-deprecated OpenSSL key generation functions for
+ platforms that don't have the new interfaces.
+
+20101201
+ - OpenBSD CVS Sync
+ - deraadt at cvs.openbsd.org 2010/11/20 05:12:38
+ [auth2-pubkey.c]
+ clean up cases of ;;
+ - djm at cvs.openbsd.org 2010/11/21 01:01:13
+ [clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c]
+ honour $TMPDIR for client xauth and ssh-agent temporary directories;
+ feedback and ok markus@
+ - djm at cvs.openbsd.org 2010/11/21 10:57:07
+ [authfile.c]
+ Refactor internals of private key loading and saving to work on memory
+ buffers rather than directly on files. This will make a few things
+ easier to do in the future; ok markus@
+ - djm at cvs.openbsd.org 2010/11/23 02:35:50
+ [auth.c]
+ use strict_modes already passed as function argument over referencing
+ global options.strict_modes
+ - djm at cvs.openbsd.org 2010/11/23 23:57:24
+ [clientloop.c]
+ avoid NULL deref on receiving a channel request on an unknown or invalid
+ channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@
+ - djm at cvs.openbsd.org 2010/11/24 01:24:14
+ [channels.c]
+ remove a debug() that pollutes stderr on client connecting to a server
+ in debug mode (channel_close_fds is called transitively from the session
+ code post-fork); bz#1719, ok dtucker
+ - djm at cvs.openbsd.org 2010/11/25 04:10:09
+ [session.c]
+ replace close() loop for fds 3->64 with closefrom();
+ ok markus deraadt dtucker
+ - djm at cvs.openbsd.org 2010/11/26 05:52:49
+ [scp.c]
+ Pass through ssh command-line flags and options when doing remote-remote
+ transfers, e.g. to enable agent forwarding which is particularly useful
+ in this case; bz#1837 ok dtucker@
+ - markus at cvs.openbsd.org 2010/11/29 18:57:04
+ [authfile.c]
+ correctly load comment for encrypted rsa1 keys;
+ report/fix Joachim Schipper; ok djm@
+ - djm at cvs.openbsd.org 2010/11/29 23:45:51
+ [auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
+ [sshconnect.h sshconnect2.c]
+ automatically order the hostkeys requested by the client based on
+ which hostkeys are already recorded in known_hosts. This avoids
+ hostkey warnings when connecting to servers with new ECDSA keys
+ that are preferred by default; with markus@
+
+20101124
+ - (dtucker) [platform.c session.c] Move the getluid call out of session.c and
+ into the platform-specific code Only affects SCO, tested by and ok tim at .
+ - (djm) [loginrec.c] Relax permission requirement on btmp logs to allow
+ group read/write. ok dtucker@
+ - (dtucker) [packet.c] Remove redundant local declaration of "int tos".
+ - (djm) [defines.h] Add IP DSCP defines
+
+20101122
+ - (dtucker) Bug #1840: fix warning when configuring --with-ssl-engine, patch
+ from vapier at gentoo org.
+
+20101120
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2010/11/05 02:46:47
+ [packet.c]
+ whitespace KNF
+ - djm at cvs.openbsd.org 2010/11/10 01:33:07
+ [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c]
+ use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED.
+ these have been around for years by this time. ok markus
+ - djm at cvs.openbsd.org 2010/11/13 23:27:51
+ [clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
+ [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
+ allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
+ hardcoding lowdelay/throughput.
+
+ bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
+ - jmc at cvs.openbsd.org 2010/11/15 07:40:14
+ [ssh_config.5]
+ libary -> library;
+ - jmc at cvs.openbsd.org 2010/11/18 15:01:00
+ [scp.1 sftp.1 ssh.1 sshd_config.5]
+ add IPQoS to the various -o lists, and zap some trailing whitespace;
+
+20101111
+ - (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys on
+ platforms that don't support ECC. Fixes some spurious warnings reported
+ by tim@
+
+20101109
+ - (tim) [regress/kextype.sh] Not all platforms have time in /usr/bin.
+ Feedback from dtucker@
+ - (tim) [configure.ac openbsd-compat/bsd-misc.h openbsd-compat/bsd-misc.c] Add
+ support for platforms missing isblank(). ok djm@
+
+20101108
+ - (tim) [regress/Makefile] Fixes to allow building/testing outside source
+ tree.
+ - (tim) [regress/kextype.sh] Shell portability fix.
+
+20101107
+ - (dtucker) [platform.c] includes.h instead of defines.h so that we get
+ the correct typedefs.
+
+20101105
+ - (djm) [loginrec.c loginrec.h] Use correct uid_t/pid_t types instead of
+ int. Should fix bz#1817 cleanly; ok dtucker@
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2010/09/22 12:26:05
+ [regress/Makefile regress/kextype.sh]
+ regress test for each of the key exchange algorithms that we support
+ - djm at cvs.openbsd.org 2010/10/28 11:22:09
+ [authfile.c key.c key.h ssh-keygen.c]
+ fix a possible NULL deref on loading a corrupt ECDH key
+
+ store ECDH group information in private keys files as "named groups"
+ rather than as a set of explicit group parameters (by setting
+ the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and
+ retrieves the group's OpenSSL NID that we need for various things.
+ - jmc at cvs.openbsd.org 2010/10/28 18:33:28
+ [scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
+ knock out some "-*- nroff -*-" lines;
+ - djm at cvs.openbsd.org 2010/11/04 02:45:34
+ [sftp-server.c]
+ umask should be parsed as octal. reported by candland AT xmission.com;
+ ok markus@
+ - (dtucker) [configure.ac platform.{c,h} session.c
+ openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support.
+ Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
+ ok djm@
+ - (dtucker) [platform.c platform.h session.c] Add a platform hook to run
+ after the user's groups are established and move the selinux calls into it.
+ - (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into
+ platform.c
+ - (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c.
+ - (dtucker) [platform.c] Only call setpgrp on BSDI if running as root to
+ retain previous behavior.
+ - (dtucker) [platform.c session.c] Move the PAM credential establishment for
+ the LOGIN_CAP case into platform.c.
+ - (dtucker) platform.c session.c] Move the USE_LIBIAF fragment into
+ platform.c
+ - (dtucker) [platform.c session.c] Move aix_usrinfo frament into platform.c.
+ - (dtucker) [platform.c session.c] Move irix setusercontext fragment into
+ platform.c.
+ - (dtucker) [platform.c session.c] Move PAM credential establishment for the
+ non-LOGIN_CAP case into platform.c.
+ - (dtucker) [platform.c platform.h session.c] Move the Cygwin special-case
+ check into platform.c
+ - (dtucker) [regress/keytype.sh] Import new test.
+ - (dtucker) [Makefile configure.ac regress/Makefile regress/keytype.sh]
+ Import recent changes to regress/Makefile, pass a flag to enable ECC tests
+ from configure through to regress/Makefile and use it in the tests.
+ - (dtucker) [regress/kextype.sh] Add missing "test".
+ - (dtucker) [regress/kextype.sh] Make sha256 test depend on ECC. This is not
+ strictly correct since while ECC requires sha256 the reverse is not true
+ however it does prevent spurious test failures.
+ - (dtucker) [platform.c] Need servconf.h and extern options.
+
+20101025
+ - (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with
+ 1.12 to unbreak Solaris build.
+ ok djm@
+ - (dtucker) [defines.h] Use SIZE_T_MAX for SIZE_MAX for platforms that have a
+ native one.
+
+20101024
+ - (dtucker) [includes.h] Add missing ifdef GLOB_HAS_GL_STATV to fix build.
+ - (dtucker) [regress/cert-hostkey.sh] Disable ECC-based tests on platforms
+ which don't have ECC support in libcrypto.
+ - (dtucker) [regress/cert-userkey.sh] Disable ECC-based tests on platforms
+ which don't have ECC support in libcrypto.
+ - (dtucker) [defines.h] Add SIZE_MAX for the benefit of platforms that don't
+ have it.
+ - (dtucker) OpenBSD CVS Sync
+ - sthen at cvs.openbsd.org 2010/10/23 22:06:12
+ [sftp.c]
+ escape '[' in filename tab-completion; fix a type while there.
+ ok djm@
+
+20101021
+ - OpenBSD CVS Sync
+ - dtucker at cvs.openbsd.org 2010/10/12 02:22:24
+ [mux.c]
+ Typo in confirmation message. bz#1827, patch from imorgan at
+ nas nasa gov
+ - djm at cvs.openbsd.org 2010/08/31 12:24:09
+ [regress/cert-hostkey.sh regress/cert-userkey.sh]
+ tests for ECDSA certificates
+
+20101011
+ - (djm) [canohost.c] Zero a4 instead of addr to better match type.
+ bz#1825, reported by foo AT mailinator.com
+ - (djm) [sshconnect.c] Need signal.h for prototype for kill(2)
+
+20101011
+ - (djm) [configure.ac] Use = instead of == in shell tests. Patch from
+ dr AT vasco.com
+
+20101007
+ - (djm) [ssh-agent.c] Fix type for curve name.
+ - (djm) OpenBSD CVS Sync
+ - matthew at cvs.openbsd.org 2010/09/24 13:33:00
+ [misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h]
+ [openbsd-compat/timingsafe_bcmp.c]
+ Add timingsafe_bcmp(3) to libc, mention that it's already in the
+ kernel in kern(9), and remove it from OpenSSH.
+ ok deraadt@, djm@
+ NB. re-added under openbsd-compat/ for portable OpenSSH
+ - djm at cvs.openbsd.org 2010/09/25 09:30:16
+ [sftp.c configure.ac openbsd-compat/glob.c openbsd-compat/glob.h]
+ make use of new glob(3) GLOB_KEEPSTAT extension to save extra server
+ rountrips to fetch per-file stat(2) information.
+ NB. update openbsd-compat/ glob(3) implementation from OpenBSD libc to
+ match.
+ - djm at cvs.openbsd.org 2010/09/26 22:26:33
+ [sftp.c]
+ when performing an "ls" in columnated (short) mode, only call
+ ioctl(TIOCGWINSZ) once to get the window width instead of per-
+ filename
+ - djm at cvs.openbsd.org 2010/09/30 11:04:51
+ [servconf.c]
+ prevent free() of string in .rodata when overriding AuthorizedKeys in
+ a Match block; patch from rein AT basefarm.no
+ - djm at cvs.openbsd.org 2010/10/01 23:05:32
+ [cipher-3des1.c cipher-bf1.c cipher-ctr.c openbsd-compat/openssl-compat.h]
+ adapt to API changes in openssl-1.0.0a
+ NB. contains compat code to select correct API for older OpenSSL
+ - djm at cvs.openbsd.org 2010/10/05 05:13:18
+ [sftp.c sshconnect.c]
+ use default shell /bin/sh if $SHELL is ""; ok markus@
+ - djm at cvs.openbsd.org 2010/10/06 06:39:28
+ [clientloop.c ssh.c sshconnect.c sshconnect.h]
+ kill proxy command on fatal() (we already kill it on clean exit);
+ ok markus@
+ - djm at cvs.openbsd.org 2010/10/06 21:10:21
+ [sshconnect.c]
+ swapped args to kill(2)
+ - (djm) [openbsd-compat/glob.c] restore ARG_MAX compat code.
+ - (djm) [cipher-acss.c] Add missing header.
+ - (djm) [openbsd-compat/Makefile.in] Actually link timingsafe_bcmp
+
+20100924
+ - (djm) OpenBSD CVS Sync
+ - naddy at cvs.openbsd.org 2010/09/10 15:19:29
+ [ssh-keygen.1]
+ * mention ECDSA in more places
+ * less repetition in FILES section
+ * SSHv1 keys are still encrypted with 3DES
+ help and ok jmc@
+ - djm at cvs.openbsd.org 2010/09/11 21:44:20
+ [ssh.1]
+ mention RFC 5656 for ECC stuff
+ - jmc at cvs.openbsd.org 2010/09/19 21:30:05
+ [sftp.1]
+ more wacky macro fixing;
+ - djm at cvs.openbsd.org 2010/09/20 04:41:47
+ [ssh.c]
+ install a SIGCHLD handler to reap expiried child process; ok markus@
+ - djm at cvs.openbsd.org 2010/09/20 04:50:53
+ [jpake.c schnorr.c]
+ check that received values are smaller than the group size in the
+ disabled and unfinished J-PAKE code.
+ avoids catastrophic security failure found by Sebastien Martini
+ - djm at cvs.openbsd.org 2010/09/20 04:54:07
+ [jpake.c]
+ missing #include
+ - djm at cvs.openbsd.org 2010/09/20 07:19:27
+ [mux.c]
+ "atomically" create the listening mux socket by binding it on a temorary
+ name and then linking it into position after listen() has succeeded.
+ this allows the mux clients to determine that the server socket is
+ either ready or stale without races. stale server sockets are now
+ automatically removed
+ ok deraadt
+ - djm at cvs.openbsd.org 2010/09/22 05:01:30
+ [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
+ [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
+ add a KexAlgorithms knob to the client and server configuration to allow
+ selection of which key exchange methods are used by ssh(1) and sshd(8)
+ and their order of preference.
+ ok markus@
+ - jmc at cvs.openbsd.org 2010/09/22 08:30:08
+ [ssh.1 ssh_config.5]
+ ssh.1: add kexalgorithms to the -o list
+ ssh_config.5: format the kexalgorithms in a more consistent
+ (prettier!) way
+ ok djm
+ - djm at cvs.openbsd.org 2010/09/22 22:58:51
+ [atomicio.c atomicio.h misc.c misc.h scp.c sftp-client.c]
+ [sftp-client.h sftp.1 sftp.c]
+ add an option per-read/write callback to atomicio
+
+ factor out bandwidth limiting code from scp(1) into a generic bandwidth
+ limiter that can be attached using the atomicio callback mechanism
+
+ add a bandwidth limit option to sftp(1) using the above
+ "very nice" markus@
+ - jmc at cvs.openbsd.org 2010/09/23 13:34:43
+ [sftp.c]
+ add [-l limit] to usage();
+ - jmc at cvs.openbsd.org 2010/09/23 13:36:46
+ [scp.1 sftp.1]
+ add KexAlgorithms to the -o list;
+
+20100910
+ - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact
+ return code since it can apparently return -1 under some conditions. From
+ openssh bugs werbittewas de, ok djm@
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2010/08/31 12:33:38
+ [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
+ reintroduce commit from tedu@, which I pulled out for release
+ engineering:
+ OpenSSL_add_all_algorithms is the name of the function we have a
+ man page for, so use that. ok djm
+ - jmc at cvs.openbsd.org 2010/08/31 17:40:54
+ [ssh-agent.1]
+ fix some macro abuse;
+ - jmc at cvs.openbsd.org 2010/08/31 21:14:58
+ [ssh.1]
+ small text tweak to accommodate previous;
+ - naddy at cvs.openbsd.org 2010/09/01 15:21:35
+ [servconf.c]
+ pick up ECDSA host key by default; ok djm@
+ - markus at cvs.openbsd.org 2010/09/02 16:07:25
+ [ssh-keygen.c]
+ permit -b 256, 384 or 521 as key size for ECDSA; ok djm@
+ - markus at cvs.openbsd.org 2010/09/02 16:08:39
+ [ssh.c]
+ unbreak ControlPersist=yes for ControlMaster=yes; ok djm@
+ - naddy at cvs.openbsd.org 2010/09/02 17:21:50
+ [ssh-keygen.c]
+ Switch ECDSA default key size to 256 bits, which according to RFC5656
+ should still be better than our current RSA-2048 default.
+ ok djm@, markus@
+ - jmc at cvs.openbsd.org 2010/09/03 11:09:29
+ [scp.1]
+ add an EXIT STATUS section for /usr/bin;
+ - jmc at cvs.openbsd.org 2010/09/04 09:38:34
+ [ssh-add.1 ssh.1]
+ two more EXIT STATUS sections;
+ - naddy at cvs.openbsd.org 2010/09/06 17:10:19
+ [sshd_config]
+ add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste
+ <mattieu.b at gmail.com>
+ ok deraadt@
+ - djm at cvs.openbsd.org 2010/09/08 03:54:36
+ [authfile.c]
+ typo
+ - deraadt at cvs.openbsd.org 2010/09/08 04:13:31
+ [compress.c]
+ work around name-space collisions some buggy compilers (looking at you
+ gcc, at least in earlier versions, but this does not forgive your current
+ transgressions) seen between zlib and openssl
+ ok djm
+ - djm at cvs.openbsd.org 2010/09/09 10:45:45
+ [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c]
+ ECDH/ECDSA compliance fix: these methods vary the hash function they use
+ (SHA256/384/512) depending on the length of the curve in use. The previous
+ code incorrectly used SHA256 in all cases.
+
+ This fix will cause authentication failure when using 384 or 521-bit curve
+ keys if one peer hasn't been upgraded and the other has. (256-bit curve
+ keys work ok). In particular you may need to specify HostkeyAlgorithms
+ when connecting to a server that has not been upgraded from an upgraded
+ client.
+
+ ok naddy@
+ - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
+ [kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
+ [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
+ platforms that don't have the requisite OpenSSL support. ok dtucker@
+ - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs
+ for missing headers and compiler warnings.
+
+20100831
+ - OpenBSD CVS Sync
+ - jmc at cvs.openbsd.org 2010/08/08 19:36:30
+ [ssh-keysign.8 ssh.1 sshd.8]
+ use the same template for all FILES sections; i.e. -compact/.Pp where we
+ have multiple items, and .Pa for path names;
+ - tedu at cvs.openbsd.org 2010/08/12 23:34:39
+ [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
+ OpenSSL_add_all_algorithms is the name of the function we have a man page
+ for, so use that. ok djm
+ - djm at cvs.openbsd.org 2010/08/16 04:06:06
+ [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
+ backout previous temporarily; discussed with deraadt@
+ - djm at cvs.openbsd.org 2010/08/31 09:58:37
+ [auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c]
+ [packet.h ssh-dss.c ssh-rsa.c]
+ Add buffer_get_cstring() and related functions that verify that the
+ string extracted from the buffer contains no embedded \0 characters*
+ This prevents random (possibly malicious) crap from being appended to
+ strings where it would not be noticed if the string is used with
+ a string(3) function.
+
+ Use the new API in a few sensitive places.
+
+ * actually, we allow a single one at the end of the string for now because
+ we don't know how many deployed implementations get this wrong, but don't
+ count on this to remain indefinitely.
+ - djm at cvs.openbsd.org 2010/08/31 11:54:45
+ [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
+ [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
+ [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
+ [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
+ [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
+ [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
+ [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
+ Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
+ host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
+ better performance than plain DH and DSA at the same equivalent symmetric
+ key length, as well as much shorter keys.
+
+ Only the mandatory sections of RFC5656 are implemented, specifically the
+ three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
+ ECDSA. Point compression (optional in RFC5656 is NOT implemented).
+
+ Certificate host and user keys using the new ECDSA key types are supported.
+
+ Note that this code has not been tested for interoperability and may be
+ subject to change.
+
+ feedback and ok markus@
+ - (djm) [Makefile.in] Add new ECC files
+ - (djm) [bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] include
+ includes.h
+
+20100827
+ - (dtucker) [contrib/redhat/sshd.init] Bug #1810: initlog is deprecated,
+ remove. Patch from martynas at venck us
+
20100823
- (djm) Release OpenSSH-5.6p1
@@ -517,2746 +1256,3 @@
ok markus@
-20100410
- - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
- back so we disable the IPv6 tests if we don't have it.
-
-20100409
- - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
- ones. Based on a patch from Roumen Petrov.
- - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
- have it and the path is not provided to --with-libedit. Based on a patch
- from Iain Morgan.
- - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
- utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
-
-20100326
- - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
- for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
- - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
- by Ingo Weinhold via Scott McCreary, ok djm@
- - (djm) OpenBSD CVS Sync
- - djm at cvs.openbsd.org 2010/03/25 23:38:28
- [servconf.c]
- from portable: getcwd(NULL, 0) doesn't work on all platforms, so
- use a stack buffer; ok dtucker@
- - djm at cvs.openbsd.org 2010/03/26 00:26:58
- [ssh.1]
- mention that -S none disables connection sharing; from Colin Watson
- - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
- set up SELinux execution context before chroot() call. From Russell
- Coker via Colin watson; bz#1726 ok dtucker@
- - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
- ok dtucker@
- - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
- pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
- - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
- bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
- - (dtucker) OpenBSD CVS Sync
- - dtucker at cvs.openbsd.org 2010/03/26 01:06:13
- [ssh_config.5]
- Reformat default value of PreferredAuthentications entry (current
- formatting implies ", " is acceptable as a separator, which it's not.
- ok djm@
-
-20100324
- - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
- containing the services file explicitely case-insensitive. This allows to
- tweak the Windows services file reliably. Patch from vinschen at redhat.
-
-20100321
- - (djm) OpenBSD CVS Sync
- - jmc at cvs.openbsd.org 2010/03/08 09:41:27
- [ssh-keygen.1]
- sort the list of constraints (to -O); ok djm
- - jmc at cvs.openbsd.org 2010/03/10 07:40:35
- [ssh-keygen.1]
- typos; from Ross Richardson
- closes prs 6334 and 6335
- - djm at cvs.openbsd.org 2010/03/10 23:27:17
- [auth2-pubkey.c]
- correct certificate logging and make it more consistent between
- authorized_keys and TrustedCAKeys; ok markus@
- - djm at cvs.openbsd.org 2010/03/12 01:06:25
- [servconf.c]
- unbreak AuthorizedKeys option with a $HOME-relative path; reported by
- vinschen AT redhat.com, ok dtucker@
- - markus at cvs.openbsd.org 2010/03/12 11:37:40
- [servconf.c]
- do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
- free() (not xfree()) the buffer returned by getcwd()
- - djm at cvs.openbsd.org 2010/03/13 21:10:38
- [clientloop.c]
- protocol conformance fix: send language tag when disconnecting normally;
- spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
- - djm at cvs.openbsd.org 2010/03/13 21:45:46
- [ssh-keygen.1]
- Certificates are named *-cert.pub, not *_cert.pub; committing a diff
- from stevesk@ ok me
- - jmc at cvs.openbsd.org 2010/03/13 23:38:13
- [ssh-keygen.1]
- fix a formatting error (args need quoted); noted by stevesk
- - stevesk at cvs.openbsd.org 2010/03/15 19:40:02
- [key.c key.h ssh-keygen.c]
- also print certificate type (user or host) for ssh-keygen -L
- ok djm kettenis
- - stevesk at cvs.openbsd.org 2010/03/16 15:46:52
- [auth-options.c]
- spelling in error message. ok djm kettenis
- - djm at cvs.openbsd.org 2010/03/16 16:36:49
- [version.h]
- crank version to openssh-5.5 since we have a few fixes since 5.4;
- requested deraadt@ kettenis@
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
- [contrib/suse/openssh.spec] Crank version numbers
-
-20100314
- - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
- compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
- AT fefe.de
- - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
- ssh-pkcs11-helper to repair static builds (we do the same for
- ssh-keyscan). Reported by felix-mindrot AT fefe.de
-
-20100312
- - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
- - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
- Patch from Corinna Vinschen.
- - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
- on a Cygwin installation. Patch from Corinna Vinschen.
-
-20100311
- - (tim) [contrib/suse/openssh.spec] crank version number here too.
- report by imorgan AT nas.nasa.gov
-
-20100309
- - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
- so setting it in CFLAGS correctly skips IPv6 tests.
-
-20100428
- - (djm) OpenBSD CVS Sync
- - djm at cvs.openbsd.org 2010/03/07 22:16:01
- [ssh-keygen.c]
- make internal strptime string match strftime format;
- suggested by vinschen AT redhat.com and markus@
- - djm at cvs.openbsd.org 2010/03/08 00:28:55
- [ssh-keygen.1]
- document permit-agent-forwarding certificate constraint; patch from
- stevesk@
- - djm at cvs.openbsd.org 2010/03/07 22:01:32
- [version.h]
- openssh-5.4
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
- crank version numbers
- - (djm) Release OpenSSH-5.4p1
-
-20100307
- - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
- it gets the passwd struct from the LAM that knows about the user which is
- not necessarily the default. Patch from Alexandre Letourneau.
- - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
- do not set real uid, since that's needed for the chroot, and will be set
- by permanently_set_uid.
- - (dtucker) [session.c] Also initialize creds to NULL for handing to
- setpcred.
- - (dtucker) OpenBSD CVS Sync
- - dtucker at cvs.openbsd.org 2010/03/07 11:57:13
- [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
- Hold authentication debug messages until after successful authentication.
- Fixes an info leak of environment variables specified in authorized_keys,
- reported by Jacob Appelbaum. ok djm@
-
-20100305
- - OpenBSD CVS Sync
- - jmc at cvs.openbsd.org 2010/03/04 12:51:25
- [ssh.1 sshd_config.5]
- tweak previous;
- - djm at cvs.openbsd.org 2010/03/04 20:35:08
- [ssh-keygen.1 ssh-keygen.c]
- Add a -L flag to print the contents of a certificate; ok markus@
- - jmc at cvs.openbsd.org 2010/03/04 22:52:40
- [ssh-keygen.1]
- fix Bk/Ek;
- - djm at cvs.openbsd.org 2010/03/04 23:17:25
- [sshd_config.5]
- missing word; spotted by jmc@
- - djm at cvs.openbsd.org 2010/03/04 23:19:29
- [ssh.1 sshd.8]
- move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
- format section and rework it a bit; requested by jmc@
- - djm at cvs.openbsd.org 2010/03/04 23:27:25
- [auth-options.c ssh-keygen.c]
- "force-command" is not spelled "forced-command"; spotted by
- imorgan AT nas.nasa.gov
- - djm at cvs.openbsd.org 2010/03/05 02:58:11
- [auth.c]
- make the warning for a revoked key louder and more noticable
- - jmc at cvs.openbsd.org 2010/03/05 06:50:35
- [ssh.1 sshd.8]
- tweak previous;
- - jmc at cvs.openbsd.org 2010/03/05 08:31:20
- [ssh.1]
- document certificate authentication; help/ok djm
- - djm at cvs.openbsd.org 2010/03/05 10:28:21
- [ssh-add.1 ssh.1 ssh_config.5]
- mention loading of certificate files from [private]-cert.pub when
- they are present; feedback and ok jmc@
- - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
- compilers. OK djm@
- - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
- on some platforms
- - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@
-
-20100304
- - (djm) [ssh-keygen.c] Use correct local variable, instead of
- maybe-undefined global "optarg"
- - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
- on XFree86-devel with neutral /usr/include/X11/Xlib.h;
- imorgan AT nas.nasa.gov in bz#1731
- - (djm) [.cvsignore] Ignore ssh-pkcs11-helper
- - (djm) [regress/Makefile] Cleanup sshd_proxy_orig
- - OpenBSD CVS Sync
- - djm at cvs.openbsd.org 2010/03/03 01:44:36
- [auth-options.c key.c]
- reject strings with embedded ASCII nul chars in certificate key IDs,
- principal names and constraints
- - djm at cvs.openbsd.org 2010/03/03 22:49:50
- [sshd.8]
- the authorized_keys option for CA keys is "cert-authority", not
- "from=cert-authority". spotted by imorgan AT nas.nasa.gov
- - djm at cvs.openbsd.org 2010/03/03 22:50:40
- [PROTOCOL.certkeys]
- s/similar same/similar/; from imorgan AT nas.nasa.gov
- - djm at cvs.openbsd.org 2010/03/04 01:44:57
- [key.c]
- use buffer_get_string_ptr_ret() where we are checking the return
- value explicitly instead of the fatal()-causing buffer_get_string_ptr()
- - djm at cvs.openbsd.org 2010/03/04 10:36:03
- [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
- [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
- [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
- Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
- are trusted to authenticate users (in addition than doing it per-user
- in authorized_keys).
-
- Add a RevokedKeys option to sshd_config and a @revoked marker to
- known_hosts to allow keys to me revoked and banned for user or host
- authentication.
-
- feedback and ok markus@
- - djm at cvs.openbsd.org 2010/03/03 00:47:23
- [regress/cert-hostkey.sh regress/cert-userkey.sh]
- add an extra test to ensure that authentication with the wrong
- certificate fails as it should (and it does)
- - djm at cvs.openbsd.org 2010/03/04 10:38:23
- [regress/cert-hostkey.sh regress/cert-userkey.sh]
- additional regression tests for revoked keys and TrustedUserCAKeys
-
-20100303
- - (djm) [PROTOCOL.certkeys] Add RCS Ident
- - OpenBSD CVS Sync
- - jmc at cvs.openbsd.org 2010/02/26 22:09:28
- [ssh-keygen.1 ssh.1 sshd.8]
- tweak previous;
- - otto at cvs.openbsd.org 2010/03/01 11:07:06
- [ssh-add.c]
- zap what seems to be a left-over debug message; ok markus@
- - djm at cvs.openbsd.org 2010/03/02 23:20:57
- [ssh-keygen.c]
- POSIX strptime is stricter than OpenBSD's so do a little dance to
- appease it.
- - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too
-
-20100302
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-projects
mailing list