svn commit: r313010 - in vendor-crypto/openssh/dist: . contrib contrib/cygwin contrib/redhat contrib/suse openbsd-compat openbsd-compat/regress regress regress/misc regress/misc/kexfuzz regress/uni...
Dag-Erling Smørgrav
des at FreeBSD.org
Tue Jan 31 12:29:50 UTC 2017
Author: des
Date: Tue Jan 31 12:29:48 2017
New Revision: 313010
URL: https://svnweb.freebsd.org/changeset/base/313010
Log:
Vendor import of OpenSSH 7.3p1.
Added:
vendor-crypto/openssh/dist/.skipped-commit-ids
vendor-crypto/openssh/dist/openbsd-compat/bsd-err.c
vendor-crypto/openssh/dist/platform-tracing.c
vendor-crypto/openssh/dist/regress/cfginclude.sh
vendor-crypto/openssh/dist/regress/misc/
vendor-crypto/openssh/dist/regress/misc/Makefile
vendor-crypto/openssh/dist/regress/misc/kexfuzz/
vendor-crypto/openssh/dist/regress/misc/kexfuzz/Makefile
vendor-crypto/openssh/dist/regress/misc/kexfuzz/README
vendor-crypto/openssh/dist/regress/misc/kexfuzz/kexfuzz.c
vendor-crypto/openssh/dist/regress/sshcfgparse.sh
vendor-crypto/openssh/dist/regress/unittests/utf8/
vendor-crypto/openssh/dist/regress/unittests/utf8/Makefile
vendor-crypto/openssh/dist/regress/unittests/utf8/tests.c
vendor-crypto/openssh/dist/utf8.c
vendor-crypto/openssh/dist/utf8.h
Deleted:
vendor-crypto/openssh/dist/.cvsignore
vendor-crypto/openssh/dist/openbsd-compat/.cvsignore
vendor-crypto/openssh/dist/openbsd-compat/regress/.cvsignore
vendor-crypto/openssh/dist/regress/.cvsignore
vendor-crypto/openssh/dist/roaming.h
vendor-crypto/openssh/dist/scard/
Modified:
vendor-crypto/openssh/dist/ChangeLog
vendor-crypto/openssh/dist/INSTALL
vendor-crypto/openssh/dist/Makefile.in
vendor-crypto/openssh/dist/PROTOCOL
vendor-crypto/openssh/dist/PROTOCOL.agent
vendor-crypto/openssh/dist/PROTOCOL.certkeys
vendor-crypto/openssh/dist/PROTOCOL.chacha20poly1305
vendor-crypto/openssh/dist/README
vendor-crypto/openssh/dist/audit-linux.c
vendor-crypto/openssh/dist/auth-krb5.c
vendor-crypto/openssh/dist/auth-options.c
vendor-crypto/openssh/dist/auth-pam.c
vendor-crypto/openssh/dist/auth-pam.h
vendor-crypto/openssh/dist/auth-passwd.c
vendor-crypto/openssh/dist/auth-rh-rsa.c
vendor-crypto/openssh/dist/auth-rhosts.c
vendor-crypto/openssh/dist/auth.c
vendor-crypto/openssh/dist/auth.h
vendor-crypto/openssh/dist/auth2-chall.c
vendor-crypto/openssh/dist/auth2-hostbased.c
vendor-crypto/openssh/dist/auth2.c
vendor-crypto/openssh/dist/authfile.c
vendor-crypto/openssh/dist/canohost.c
vendor-crypto/openssh/dist/canohost.h
vendor-crypto/openssh/dist/channels.c
vendor-crypto/openssh/dist/cipher-bf1.c
vendor-crypto/openssh/dist/cipher.c
vendor-crypto/openssh/dist/clientloop.c
vendor-crypto/openssh/dist/compat.c
vendor-crypto/openssh/dist/config.h.in
vendor-crypto/openssh/dist/configure
vendor-crypto/openssh/dist/configure.ac
vendor-crypto/openssh/dist/contrib/cygwin/README
vendor-crypto/openssh/dist/contrib/redhat/openssh.spec
vendor-crypto/openssh/dist/contrib/ssh-copy-id
vendor-crypto/openssh/dist/contrib/suse/openssh.spec
vendor-crypto/openssh/dist/defines.h
vendor-crypto/openssh/dist/dh.c
vendor-crypto/openssh/dist/dh.h
vendor-crypto/openssh/dist/kex.c
vendor-crypto/openssh/dist/kex.h
vendor-crypto/openssh/dist/kexc25519.c
vendor-crypto/openssh/dist/kexdh.c
vendor-crypto/openssh/dist/kexdhc.c
vendor-crypto/openssh/dist/kexdhs.c
vendor-crypto/openssh/dist/kexgexs.c
vendor-crypto/openssh/dist/key.c
vendor-crypto/openssh/dist/log.c
vendor-crypto/openssh/dist/log.h
vendor-crypto/openssh/dist/mac.c
vendor-crypto/openssh/dist/mac.h
vendor-crypto/openssh/dist/misc.c
vendor-crypto/openssh/dist/misc.h
vendor-crypto/openssh/dist/moduli
vendor-crypto/openssh/dist/moduli.0
vendor-crypto/openssh/dist/monitor.c
vendor-crypto/openssh/dist/monitor_fdpass.c
vendor-crypto/openssh/dist/monitor_wrap.c
vendor-crypto/openssh/dist/monitor_wrap.h
vendor-crypto/openssh/dist/mux.c
vendor-crypto/openssh/dist/myproposal.h
vendor-crypto/openssh/dist/opacket.h
vendor-crypto/openssh/dist/openbsd-compat/Makefile.in
vendor-crypto/openssh/dist/openbsd-compat/arc4random.c
vendor-crypto/openssh/dist/openbsd-compat/bindresvport.c
vendor-crypto/openssh/dist/openbsd-compat/bsd-asprintf.c
vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.c
vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.h
vendor-crypto/openssh/dist/openbsd-compat/bsd-snprintf.c
vendor-crypto/openssh/dist/openbsd-compat/inet_aton.c
vendor-crypto/openssh/dist/openbsd-compat/openbsd-compat.h
vendor-crypto/openssh/dist/openbsd-compat/port-solaris.h
vendor-crypto/openssh/dist/openbsd-compat/vis.c
vendor-crypto/openssh/dist/openbsd-compat/vis.h
vendor-crypto/openssh/dist/openbsd-compat/xcrypt.c
vendor-crypto/openssh/dist/packet.c
vendor-crypto/openssh/dist/packet.h
vendor-crypto/openssh/dist/pathnames.h
vendor-crypto/openssh/dist/platform.c
vendor-crypto/openssh/dist/platform.h
vendor-crypto/openssh/dist/progressmeter.c
vendor-crypto/openssh/dist/readconf.c
vendor-crypto/openssh/dist/readconf.h
vendor-crypto/openssh/dist/regress/Makefile
vendor-crypto/openssh/dist/regress/agent-getpeereid.sh
vendor-crypto/openssh/dist/regress/cert-hostkey.sh
vendor-crypto/openssh/dist/regress/cert-userkey.sh
vendor-crypto/openssh/dist/regress/cfgparse.sh
vendor-crypto/openssh/dist/regress/connect-privsep.sh
vendor-crypto/openssh/dist/regress/forwarding.sh
vendor-crypto/openssh/dist/regress/integrity.sh
vendor-crypto/openssh/dist/regress/modpipe.c
vendor-crypto/openssh/dist/regress/netcat.c
vendor-crypto/openssh/dist/regress/test-exec.sh
vendor-crypto/openssh/dist/regress/unittests/Makefile
vendor-crypto/openssh/dist/regress/unittests/sshbuf/test_sshbuf_misc.c
vendor-crypto/openssh/dist/regress/unittests/sshkey/test_sshkey.c
vendor-crypto/openssh/dist/regress/unittests/test_helper/Makefile
vendor-crypto/openssh/dist/sandbox-seccomp-filter.c
vendor-crypto/openssh/dist/scp.0
vendor-crypto/openssh/dist/scp.1
vendor-crypto/openssh/dist/scp.c
vendor-crypto/openssh/dist/servconf.c
vendor-crypto/openssh/dist/serverloop.c
vendor-crypto/openssh/dist/session.c
vendor-crypto/openssh/dist/session.h
vendor-crypto/openssh/dist/sftp-client.c
vendor-crypto/openssh/dist/sftp-server.0
vendor-crypto/openssh/dist/sftp-server.c
vendor-crypto/openssh/dist/sftp.0
vendor-crypto/openssh/dist/sftp.1
vendor-crypto/openssh/dist/sftp.c
vendor-crypto/openssh/dist/ssh-add.0
vendor-crypto/openssh/dist/ssh-agent.0
vendor-crypto/openssh/dist/ssh-agent.1
vendor-crypto/openssh/dist/ssh-agent.c
vendor-crypto/openssh/dist/ssh-dss.c
vendor-crypto/openssh/dist/ssh-ecdsa.c
vendor-crypto/openssh/dist/ssh-ed25519.c
vendor-crypto/openssh/dist/ssh-keygen.0
vendor-crypto/openssh/dist/ssh-keygen.1
vendor-crypto/openssh/dist/ssh-keygen.c
vendor-crypto/openssh/dist/ssh-keyscan.0
vendor-crypto/openssh/dist/ssh-keyscan.c
vendor-crypto/openssh/dist/ssh-keysign.0
vendor-crypto/openssh/dist/ssh-pkcs11-helper.0
vendor-crypto/openssh/dist/ssh-rsa.c
vendor-crypto/openssh/dist/ssh.0
vendor-crypto/openssh/dist/ssh.1
vendor-crypto/openssh/dist/ssh.c
vendor-crypto/openssh/dist/ssh1.h
vendor-crypto/openssh/dist/ssh2.h
vendor-crypto/openssh/dist/ssh_api.c
vendor-crypto/openssh/dist/ssh_config.0
vendor-crypto/openssh/dist/ssh_config.5
vendor-crypto/openssh/dist/sshbuf-getput-basic.c
vendor-crypto/openssh/dist/sshbuf-misc.c
vendor-crypto/openssh/dist/sshbuf.h
vendor-crypto/openssh/dist/sshconnect2.c
vendor-crypto/openssh/dist/sshd.0
vendor-crypto/openssh/dist/sshd.c
vendor-crypto/openssh/dist/sshd_config
vendor-crypto/openssh/dist/sshd_config.0
vendor-crypto/openssh/dist/sshd_config.5
vendor-crypto/openssh/dist/sshkey.c
vendor-crypto/openssh/dist/sshkey.h
vendor-crypto/openssh/dist/ttymodes.c
vendor-crypto/openssh/dist/ttymodes.h
vendor-crypto/openssh/dist/version.h
Added: vendor-crypto/openssh/dist/.skipped-commit-ids
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ vendor-crypto/openssh/dist/.skipped-commit-ids Tue Jan 31 12:29:48 2017 (r313010)
@@ -0,0 +1,11 @@
+321065a95a7ccebdd5fd08482a1e19afbf524e35 Update DH groups
+d4f699a421504df35254cf1c6f1a7c304fb907ca Remove 1k bit groups
+aafe246655b53b52bc32c8a24002bc262f4230f7 Remove intermediate moduli
+8fa9cd1dee3c3339ae329cf20fb591db6d605120 put back SSH1 for 6.9
+f31327a48dd4103333cc53315ec53fe65ed8a17a Generate new moduli
+edbfde98c40007b7752a4ac106095e060c25c1ef Regen moduli
+052fd565e3ff2d8cec3bc957d1788f50c827f8e2 Switch to tame-based sandbox
+7cf73737f357492776223da1c09179fa6ba74660 Remove moduli <2k
+180d84674be1344e45a63990d60349988187c1ae Update moduli
+f6ae971186ba68d066cd102e57d5b0b2c211a5ee systrace is dead.
+96c5054e3e1f170c6276902d5bc65bb3b87a2603 remove DEBUGLIBS from Makefile
Modified: vendor-crypto/openssh/dist/ChangeLog
==============================================================================
--- vendor-crypto/openssh/dist/ChangeLog Tue Jan 31 07:13:01 2017 (r313009)
+++ vendor-crypto/openssh/dist/ChangeLog Tue Jan 31 12:29:48 2017 (r313010)
@@ -1,8905 +1,9202 @@
-commit 5c35450a0c901d9375fb23343a8dc82397da5f75
+commit 99522ba7ec6963a05c04a156bf20e3ba3605987c
Author: Damien Miller <djm at mindrot.org>
-Date: Thu Mar 10 05:04:48 2016 +1100
+Date: Thu Jul 28 08:54:27 2016 +1000
- update versions for release
-
-commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
-Author: Damien Miller <djm at mindrot.org>
-Date: Thu Mar 10 05:03:39 2016 +1100
-
- sanitise characters destined for xauth(1)
+ define _OPENBSD_SOURCE for reallocarray on NetBSD
- reported by github.com/tintinweb
+ Report by and debugged with Hisashi T Fujinaka, dtucker nailed
+ the problem (lack of prototype causing return type confusion).
-commit 72b061d4ba0f909501c595d709ea76e06b01e5c9
-Author: Darren Tucker <dtucker at zip.com.au>
-Date: Fri Feb 26 14:40:04 2016 +1100
+commit 3e1e076550c27c6bbdddf36d8f42bd79fbaaa187
+Author: Damien Miller <djm at mindrot.org>
+Date: Wed Jul 27 08:25:42 2016 +1000
- Add a note about using xlc on AIX.
+ KNF
-commit fd4e4f2416baa2e6565ea49d52aade296bad3e28
-Author: Darren Tucker <dtucker at zip.com.au>
-Date: Wed Feb 24 10:44:25 2016 +1100
+commit d99ee9c4e5e217e7d05eeec84e9ce641f4675331
+Author: Damien Miller <djm at mindrot.org>
+Date: Wed Jul 27 08:25:23 2016 +1000
- Skip PrintLastLog in config dump mode.
-
- When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
- config dump since it'll be reported as UNKNOWN.
+ Linux auditing also needs packet.h
-commit 99135c764fa250801da5ec3b8d06cbd0111caae8
+commit 393bd381a45884b589baa9aed4394f1d250255ca
Author: Damien Miller <djm at mindrot.org>
-Date: Tue Feb 23 20:17:23 2016 +1100
+Date: Wed Jul 27 08:18:05 2016 +1000
- update spec/README versions ahead of release
+ fix auditing on Linux
+
+ get_remote_ipaddr() was replaced with ssh_remote_ipaddr()
-commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5
+commit 80e766fb089de4f3c92b1600eb99e9495e37c992
Author: Damien Miller <djm at mindrot.org>
-Date: Tue Feb 23 20:16:53 2016 +1100
+Date: Sun Jul 24 21:50:13 2016 +1000
- put back portable patchlevel to p1
+ crank version numbers
-commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f
+commit b1a478792d458f2e938a302e64bab2b520edc1b3
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Feb 23 09:14:34 2016 +0000
+Date: Sun Jul 24 11:45:36 2016 +0000
upstream commit
- openssh-7.2
+ openssh-7.3
- Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78
+ Upstream-ID: af106a7eb665f642648cf1993e162c899f358718
-commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue Feb 23 16:12:13 2016 +1100
+commit 353766e0881f069aeca30275ab706cd60a1a8fdd
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Sat Jul 23 16:14:42 2016 +1000
- Disable tests where fs perms are incorrect
+ Move Cygwin IPPORT_RESERVED overrride to defines.h
- Some tests have strict requirements on the filesystem permissions
- for certain files and directories. This adds a regress/check-perm
- tool that copies the relevant logic from sshd to exactly test
- the paths in question. This lets us skip tests when the local
- filesystem doesn't conform to our expectations rather than
- continuing and failing the test run.
-
- ok dtucker@
+ Patch from vinschen at redhat.com.
-commit 39f303b1f36d934d8410b05625f25c7bcb75db4d
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue Feb 23 12:56:59 2016 +1100
+commit 368dd977ae07afb93f4ecea23615128c95ab2b32
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Sat Jul 23 02:54:08 2016 +0000
- fix sandbox on OSX Lion
-
- sshd was failing with:
+ upstream commit
- ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
- image not found [preauth]
+ fix pledge violation with ssh -f; reported by Valentin
+ Kozamernik ok dtucker@
- caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
- to sshd. Spotted by Darren.
+ Upstream-ID: a61db7988db88d9dac3c4dd70e18876a8edf84aa
-commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4
+commit f00211e3c6d24d6ea2b64b4b1209f671f6c1d42e
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Feb 23 01:34:14 2016 +0000
+Date: Fri Jul 22 07:00:46 2016 +0000
upstream commit
- fix spurious error message when incorrect passphrase
- entered for keys; reported by espie@ ok deraadt@
+ improve wording; suggested by jmc@
- Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
+ Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8
-commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc
-Author: sobrado at openbsd.org <sobrado at openbsd.org>
-Date: Sat Feb 20 23:06:23 2016 +0000
+commit 83cbca693c3b0719270e6a0f2efe3f9ee93a65b8
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Jul 22 05:46:11 2016 +0000
upstream commit
- set ssh(1) protocol version to 2 only.
-
- ok djm@
+ Lower loglevel for "Authenticated with partial success"
+ message similar to other similar level. bz#2599, patch from cgallek at
+ gmail.com, ok markus@
- Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
+ Upstream-ID: 3faab814e947dc7b2e292edede23e94c608cb4dd
-commit 9262e07826ba5eebf8423f7ac9e47ec488c47869
-Author: sobrado at openbsd.org <sobrado at openbsd.org>
-Date: Sat Feb 20 23:02:39 2016 +0000
+commit 10358abd087ab228b7ce2048efc4f3854a9ab9a6
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jul 22 14:06:36 2016 +1000
- upstream commit
-
- add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to
- IdentityFile.
-
- ok djm@
+ retry waitpid on EINTR failure
- Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
+ patch from Jakub Jelen on bz#2581; ok dtucker@
-commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5
-Author: sobrado at openbsd.org <sobrado at openbsd.org>
-Date: Sat Feb 20 23:01:46 2016 +0000
+commit da88a70a89c800e74ea8e5661ffa127a3cc79a92
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Fri Jul 22 03:47:36 2016 +0000
upstream commit
- AddressFamily defaults to any.
-
- ok djm@
-
- Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
-
-commit 907091acb188b1057d50c2158f74c3ecf1c2302b
-Author: Darren Tucker <dtucker at zip.com.au>
-Date: Fri Feb 19 09:05:39 2016 +1100
-
- Make Solaris privs code build on older systems.
+ constify a few functions' arguments; patch from Jakub
+ Jelen bz#2581
- Not all systems with Solaris privs have priv_basicset so factor that
- out and provide backward compatibility code. Similarly, not all have
- PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
- alex at cooperi.net and djm@ with help from carson at taltos.org and
- wieland at purdue.edu.
+ Upstream-ID: f2043f51454ea37830ff6ad60c8b32b4220f448d
-commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59
+commit c36d91bd4ebf767f310f7cea88d61d1c15f53ddf
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Feb 17 22:20:14 2016 +0000
+Date: Fri Jul 22 03:39:13 2016 +0000
upstream commit
- rekey refactor broke SSH1; spotted by Tom G. Christensen
+ move debug("%p", key) to before key is free'd; probable
+ undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
- Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
+ Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a
-commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca
+commit 286f5a77c3bfec1e8892ca268087ac885ac871bf
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Feb 17 08:57:34 2016 +0000
+Date: Fri Jul 22 03:35:11 2016 +0000
upstream commit
- rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
- in *KeyTypes options yet. Remove them from the lists of algorithms for now.
- committing on behalf of markus@ ok djm@
+ reverse the order in which -J/JumpHost proxies are visited to
+ be more intuitive and document
- Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
+ reported by and manpage bits naddy@
+
+ Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
-commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b
-Author: jmc at openbsd.org <jmc at openbsd.org>
-Date: Wed Feb 17 07:38:19 2016 +0000
+commit fcd135c9df440bcd2d5870405ad3311743d78d97
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Thu Jul 21 01:39:35 2016 +0000
upstream commit
- since these pages now clearly tell folks to avoid v1,
- normalise the docs from a v2 perspective (i.e. stop pointing out which bits
- are v2 only);
+ Skip passwords longer than 1k in length so clients can't
+ easily DoS sshd by sending very long passwords, causing it to spend CPU
+ hashing them. feedback djm@, ok markus at .
- ok/tweaks djm ok markus
+ Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
+ 360.cn and coredump at autistici.org
- Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
+ Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
-commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Feb 17 05:29:04 2016 +0000
+commit 324583e8fb3935690be58790425793df619c6d4d
+Author: naddy at openbsd.org <naddy at openbsd.org>
+Date: Wed Jul 20 10:45:27 2016 +0000
upstream commit
- make sandboxed privilege separation the default, not just
- for new installs; "absolutely" deraadt@
+ Do not clobber the global jump_host variables when
+ parsing an inactive configuration. ok djm@
- Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
+ Upstream-ID: 5362210944d91417d5976346d41ac0b244350d31
-commit eb3f7337a651aa01d5dec019025e6cdc124ed081
+commit 32d921c323b989d28405e78d0a8923d12913d737
Author: jmc at openbsd.org <jmc at openbsd.org>
-Date: Tue Feb 16 07:47:54 2016 +0000
+Date: Tue Jul 19 12:59:16 2016 +0000
upstream commit
- no need to state that protocol 2 is the default twice;
+ tweak previous;
- Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
+ Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
-commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Feb 16 05:11:04 2016 +0000
+commit d7eabc86fa049a12ba2c3fb198bd1d51b37f7025
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Tue Jul 19 11:38:53 2016 +0000
upstream commit
- Replace list of ciphers and MACs adjacent to -1/-2 flag
- descriptions in ssh(1) with a strong recommendation not to use protocol 1.
- Add a similar warning to the Protocol option descriptions in ssh_config(5)
- and sshd_config(5);
-
- prompted by and ok mmcc@
+ Allow wildcard for PermitOpen hosts as well as ports.
+ bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok
+ markus@
- Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
+ Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
-commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Feb 16 03:37:48 2016 +0000
+commit b98a2a8348e907b3d71caafd80f0be8fdd075943
+Author: markus at openbsd.org <markus at openbsd.org>
+Date: Mon Jul 18 11:35:33 2016 +0000
upstream commit
- add a "Close session" log entry (at loglevel=verbose) to
- correspond to the existing "Starting session" one. Also include the session
- id number to make multiplexed sessions more apparent.
-
- feedback and ok dtucker@
+ Reduce timing attack against obsolete CBC modes by always
+ computing the MAC over a fixed size of data. Reported by Jean Paul
+ Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
- Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
+ Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
-commit 624fd395b559820705171f460dd33d67743d13d6
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Feb 17 02:24:17 2016 +0000
+commit dbf788b4d9d9490a5fff08a7b09888272bb10fcc
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Thu Jul 21 14:17:31 2016 +1000
- upstream commit
-
- include bad $SSH_CONNECTION in failure output
+ Search users for one with a valid salt.
- Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
+ If the root account is locked (eg password "!!" or "*LK*") keep looking
+ until we find a user with a valid salt to use for crypting passwords of
+ invalid users. ok djm@
-commit 60d860e54b4f199e5e89963b1c086981309753cb
+commit e8b58f48fbb1b524fb4f0d4865fa0005d6a4b782
Author: Darren Tucker <dtucker at zip.com.au>
-Date: Wed Feb 17 13:37:09 2016 +1100
+Date: Mon Jul 18 17:22:49 2016 +1000
- Rollback addition of va_start.
+ Explicitly specify source files for regress tools.
- va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however
- it has the wrong number of args and it's not usable in non-variadic
- functions anyway so it breaks things (for example Solaris 2.6 as
- reported by Tom G. Christensen).i ok djm@
+ Since adding $(REGRESSLIBS), $? is wrong because it includes only the
+ changed source files. $< seems like it'd be right however it doesn't
+ seem to work on some non-GNU makes, so do what works everywhere.
-commit 2fee909c3cee2472a98b26eb82696297b81e0d38
+commit eac1bbd06872c273f16ac0f9976b0aef026b701b
Author: Darren Tucker <dtucker at zip.com.au>
-Date: Wed Feb 17 09:48:15 2016 +1100
+Date: Mon Jul 18 17:12:22 2016 +1000
- Look for gethostbyname in libresolv and libnsl.
-
- Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
+ Conditionally include err.h.
-commit 5ac712d81a84396aab441a272ec429af5b738302
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue Feb 16 10:45:02 2016 +1100
+commit 0a454147568746c503f669e1ba861f76a2e7a585
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Mon Jul 18 16:26:26 2016 +1000
- make existing ssh_malloc_init only for __OpenBSD__
+ Remove local implementation of err, errx.
+
+ We now have a shared implementation in libopenbsd-compat.
-commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec
+commit eb999a4590846ba4d56ddc90bd07c23abfbab7b1
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Mon Feb 15 23:32:37 2016 +0000
+Date: Mon Jul 18 06:08:01 2016 +0000
upstream commit
- memleak of algorithm name in mm_answer_sign; reported by
- Jakub Jelen
+ Add some unsigned overflow checks for extra_pad. None of
+ these are reachable with the amount of padding that we use internally.
+ bz#2566, pointed out by Torben Hansen. ok markus@
- Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
+ Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
-commit ffb1e7e896139a42ceb78676f637658f44612411
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Mon Feb 15 09:47:49 2016 +0000
+commit c71ba790c304545464bb494de974cdf0f4b5cf1e
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Mon Jul 18 15:43:25 2016 +1000
- upstream commit
-
- Add a function to enable security-related malloc_options.
- With and ok deraadt@, something similar has been in the snaps for a while.
+ Add dependency on libs for unit tests.
- Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
+ Makes "./configure && make tests" work again. ok djm@
-commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue Feb 16 10:34:39 2016 +1100
+commit 8199d0311aea3e6fd0284c9025e7a83f4ece79e8
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Mon Jul 18 13:47:39 2016 +1000
- sync ssh-copy-id with upstream 783ef08b0a75
+ Correct location for kexfuzz in clean target.
-commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Feb 12 00:20:30 2016 +0000
+commit 01558b7b07af43da774d3a11a5c51fa9c310849d
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Mon Jul 18 09:33:25 2016 +1000
- upstream commit
+ Handle PAM_MAXTRIES from modules.
- avoid fatal() for PKCS11 tokens that present empty key IDs
- bz#1773, ok markus@
+ bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
+ password and keyboard-interative authentication methods. Should prevent
+ "sshd ignoring max retries" warnings in the log. ok djm@
- Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
+ It probably won't trigger with keyboard-interactive in the default
+ configuration because the retry counter is stored in module-private
+ storage which goes away with the sshd PAM process (see bz#688). On the
+ other hand, those cases probably won't log a warning either.
-commit e4c918a6c721410792b287c9fd21356a1bed5805
+commit 65c6c6b567ab5ab12945a5ad8e0ab3a8c26119cc
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Thu Feb 11 02:56:32 2016 +0000
+Date: Sun Jul 17 04:20:16 2016 +0000
upstream commit
- sync crypto algorithm lists in ssh_config(5) and
- sshd_config(5) with current reality. bz#2527
+ support UTF-8 characters in ssh(1) banners using
+ schwarze@'s safe fmprintf printer; bz#2058
- Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
+ feedback schwarze@ ok dtucker@
+
+ Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
-commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Thu Feb 11 02:21:34 2016 +0000
+commit e4eb7d910976fbfc7ce3e90c95c11b07b483d0d7
+Author: jmc at openbsd.org <jmc at openbsd.org>
+Date: Sat Jul 16 06:57:55 2016 +0000
upstream commit
- fix regression in openssh-6.8 sftp client: existing
- destination directories would incorrectly terminate recursive uploads;
- bz#2528
+ - add proxyjump to the options list - formatting fixes -
+ update usage()
- Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
+ ok djm
+
+ Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
-commit 714e367226ded4dc3897078be48b961637350b05
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Feb 9 05:30:04 2016 +0000
+commit af1f084857621f14bd9391aba8033d35886c2455
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Jul 15 05:01:58 2016 +0000
upstream commit
- turn off more old crypto in the client: hmac-md5, ripemd,
- truncated HMACs, RC4, blowfish. ok markus@ dtucker@
+ Reduce the syslog level of some relatively common protocol
+ events from LOG_CRIT by replacing fatal() calls with logdie(). Part of
+ bz#2585, ok djm@
- Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
+ Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5
-commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Mon Feb 8 23:40:12 2016 +0000
+commit bd5f2b78b69cf38d6049a0de445a79c8595e4a1f
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jul 15 19:14:48 2016 +1000
- upstream commit
+ missing openssl/dh.h
+
+commit 4a984fd342effe5f0aad874a0d538c4322d973c0
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jul 15 18:47:07 2016 +1000
+
+ cast to avoid type warning in error message
+
+commit 5abfb15ced985c340359ae7fb65a625ed3692b3e
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Fri Jul 15 14:48:30 2016 +1000
+
+ Move VA_COPY macro into compat header.
- don't attempt to percent_expand() already-canonicalised
- addresses, avoiding unnecessary failures when attempting to connect to scoped
- IPv6 addresses (that naturally contain '%' characters)
+ Some AIX compilers unconditionally undefine va_copy but don't set it back
+ to an internal function, causing link errors. In some compat code we
+ already use VA_COPY instead so move the two existing instances into the
+ shared header and use for sshbuf-getput-basic.c too. Should fix building
+ with at lease some versions of AIX's compiler. bz#2589, ok djm@
+
+commit 832b7443b7a8e181c95898bc5d73497b7190decd
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jul 15 14:45:34 2016 +1000
+
+ disable ciphers not supported by OpenSSL
- Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
+ bz#2466 ok dtucker@
-commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a
+commit 5fbe93fc6fbb2fe211e035703dec759d095e3dd8
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jul 15 13:54:31 2016 +1000
+
+ add a --disable-pkcs11 knob
+
+commit 679ce88ec2a8e2fe6515261c489e8c1449bb9da9
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jul 15 13:44:38 2016 +1000
+
+ fix newline escaping for unsupported_algorithms
+
+ The hmac-ripemd160 was incorrect and could lead to broken
+ Makefiles on systems that lacked support for it, but I made
+ all the others consistent too.
+
+commit ed877ef653847d056bb433975d731b7a1132a979
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Mon Feb 8 10:57:07 2016 +0000
+Date: Fri Jul 15 00:24:30 2016 +0000
upstream commit
- refactor activation of rekeying
+ Add a ProxyJump ssh_config(5) option and corresponding -J
+ ssh(1) command-line flag to allow simplified indirection through a SSH
+ bastion or "jump host".
- This makes automatic rekeying internal to the packet code (previously
- the server and client loops needed to assist). In doing to it makes
- application of rekey limits more accurate by accounting for packets
- about to be sent as well as packets queued during rekeying events
- themselves.
+ These options construct a proxy command that connects to the
+ specified jump host(s) (more than one may be specified) and uses
+ port-forwarding to establish a connection to the next destination.
- Based on a patch from dtucker@ which was in turn based on a patch
- Aleksander Adamowski in bz#2521; ok markus@
+ This codifies the safest way of indirecting connections through SSH
+ servers and makes it easy to use.
- Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
+ ok markus@
+
+ Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
-commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d
-Author: naddy at openbsd.org <naddy at openbsd.org>
-Date: Fri Feb 5 13:28:19 2016 +0000
+commit 5c02dd126206a26785379e80f2d3848e4470b711
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Fri Jul 15 12:56:39 2016 +1000
- upstream commit
+ Map umac_ctx struct name too.
- Only check errno if read() has returned an error. EOF is
- not an error. This fixes a problem where the mux master would sporadically
- fail to notice that the client had exited. ok mikeb@ djm@
+ Prevents size mismatch linker warnings on Solaris 11.
+
+commit 283b97ff33ea2c641161950849931bd578de6946
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Fri Jul 15 13:49:44 2016 +1000
+
+ Mitigate timing of disallowed users PAM logins.
- Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
+ When sshd decides to not allow a login (eg PermitRootLogin=no) and
+ it's using PAM, it sends a fake password to PAM so that the timing for
+ the failure is not noticeably different whether or not the password
+ is correct. This behaviour can be detected by sending a very long
+ password string which is slower to hash than the fake password.
+
+ Mitigate by constructing an invalid password that is the same length
+ as the one from the client and thus takes the same time to hash.
+ Diff from djm@
-commit 56d7dac790693ce420d225119283bc355cff9185
-Author: jsg at openbsd.org <jsg at openbsd.org>
-Date: Fri Feb 5 04:31:21 2016 +0000
+commit 9286875a73b2de7736b5e50692739d314cd8d9dc
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Fri Jul 15 13:32:45 2016 +1000
+
+ Determine appropriate salt for invalid users.
+
+ When sshd is processing a non-PAM login for a non-existent user it uses
+ the string from the fakepw structure as the salt for crypt(3)ing the
+ password supplied by the client. That string has a Blowfish prefix, so on
+ systems that don't understand that crypt will fail fast due to an invalid
+ salt, and even on those that do it may have significantly different timing
+ from the hash methods used for real accounts (eg sha512). This allows
+ user enumeration by, eg, sending large password strings. This was noted
+ by EddieEzra.Harari at verint.com (CVE-2016-6210).
+
+ To mitigate, use the same hash algorithm that root uses for hashing
+ passwords for users that do not exist on the system. ok djm@
+
+commit a162dd5e58ca5b224d7500abe35e1ef32b5de071
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Thu Jul 14 21:19:59 2016 +1000
+
+ OpenSSL 1.1.x not currently supported.
+
+commit 7df91b01fc558a33941c5c5f31abbcdc53a729fb
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Thu Jul 14 12:25:24 2016 +1000
+
+ Check for VIS_ALL.
+
+ If we don't have it, set BROKEN_STRNVIS to activate the compat replacement.
+
+commit ee67716f61f1042d5e67f91c23707cca5dcdd7d0
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Thu Jul 14 01:24:21 2016 +0000
upstream commit
- avoid an uninitialised value when NumberOfPasswordPrompts
- is 0 ok markus@ djm@
+ Correct equal in test.
- Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
+ Upstream-Regress-ID: 4e32f7a5c57a619c4e8766cb193be2a1327ec37a
-commit deae7d52d59c5019c528f977360d87fdda15d20b
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Feb 5 03:07:06 2016 +0000
+commit 372807c2065c8572fdc6478b25cc5ac363743073
+Author: tb at openbsd.org <tb at openbsd.org>
+Date: Mon Jul 11 21:38:13 2016 +0000
upstream commit
- mention internal DH-GEX fallback groups; bz#2302
+ Add missing "recvfd" pledge promise: Raf Czlonka reported
+ ssh coredumps when Control* keywords were set in ssh_config. This patch also
+ fixes similar problems with scp and sftp.
- Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
+ ok deraadt, looks good to millert
+
+ Upstream-ID: ca2099eade1ef3e87a79614fefa26a0297ad8a3b
-commit cac3b6665f884d46192c0dc98a64112e8b11a766
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Feb 5 02:37:56 2016 +0000
+commit e0453f3df64bf485c61c7eb6bd12893eee9fe2cd
+Author: tedu at openbsd.org <tedu at openbsd.org>
+Date: Mon Jul 11 03:19:44 2016 +0000
upstream commit
- better description for MaxSessions; bz#2531
+ obsolete note about fascistloggin is obsolete. ok djm
+ dtucker
- Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
+ Upstream-ID: dae60df23b2bb0e89f42661ddd96a7b0d1b7215a
-commit 5ef4b0fdcc7a239577a754829b50022b91ab4712
+commit a2333584170a565adf4f209586772ef8053b10b8
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Thu Jul 14 10:59:09 2016 +1000
+
+ Add compat code for missing wcwidth.
+
+ If we don't have wcwidth force fallback implementations of nl_langinfo
+ and mbtowc. Based on advice from Ingo Schwarze.
+
+commit 8aaec7050614494014c47510b7e94daf6e644c62
Author: Damien Miller <djm at mindrot.org>
-Date: Wed Jan 27 17:45:56 2016 +1100
+Date: Thu Jul 14 09:48:48 2016 +1000
- avoid FreeBSD RCS Id in comment
+ fix missing include for systems with err.h
+
+commit 6310ef27a2567cda66d6cf0c1ad290ee1167f243
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Wed Jul 13 14:42:35 2016 +1000
+
+ Move err.h replacements into compat lib.
- Change old $FreeBSD version string in comment so it doesn't
- become an RCS ident downstream; requested by des AT des.no
+ Move implementations of err.h replacement functions into their own file
+ in the libopenbsd-compat so we can use them in kexfuzz.c too. ok djm@
-commit 696d12683c90d20a0a9c5f4275fc916b7011fb04
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Thu Feb 4 23:43:48 2016 +0000
+commit f3f2cc8386868f51440c45210098f65f9787449a
+Author: Darren Tucker <dtucker at zip.com.au>
+Date: Mon Jul 11 17:23:38 2016 +1000
- upstream commit
+ Check for wchar.h and langinfo.h
- printf argument casts to avoid warnings on strict
- compilers
+ Wrap includes in the appropriate #ifdefs.
+
+commit b9c50614eba9d90939b2b119b6e1b7e03b462278
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Jul 8 13:59:13 2016 +1000
+
+ whitelist more architectures for seccomp-bpf
- Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
+ bz#2590 - testing and patch from Jakub Jelen
-commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a
-Author: millert at openbsd.org <millert at openbsd.org>
-Date: Mon Feb 1 21:18:17 2016 +0000
+commit 18813a32b6fd964037e0f5e1893cb4468ac6a758
+Author: guenther at openbsd.org <guenther at openbsd.org>
+Date: Mon Jul 4 18:01:44 2016 +0000
upstream commit
- Avoid ugly "DISPLAY "(null)" invalid; disabling X11
- forwarding" message when DISPLAY is not set. This could also result in a
- crash on systems with a printf that doesn't handle NULL. OK djm@
+ DEBUGLIBS has been broken since the gcc4 switch, so delete
+ it. CFLAGS contains -g by default anyway
- Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
+ problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
+ ok millert@ kettenis@ deraadt@
+
+ Upstream-Regress-ID: 4a0bb72f95c63f2ae9daa8a040ac23914bddb542
-commit 537f88ec7bcf40bd444ac5584c707c5588c55c43
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Fri Jan 29 05:18:15 2016 +0000
+commit 6d31193d0baa3da339c196ac49625b7ba1c2ecc7
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Fri Jul 8 03:44:42 2016 +0000
upstream commit
- Add regression test for RekeyLimit parsing of >32bit values
- (4G and 8G).
+ Improve crypto ordering for Encrypt-then-MAC (EtM) mode
+ MAC algorithms.
- Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
+ Previously we were computing the MAC, decrypting the packet and then
+ checking the MAC. This gave rise to the possibility of creating a
+ side-channel oracle in the decryption step, though no such oracle has
+ been identified.
+
+ This adds a mac_check() function that computes and checks the MAC in
+ one pass, and uses it to advance MAC checking for EtM algorithms to
+ before payload decryption.
+
+ Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
+ Martin Albrecht. feedback and ok markus@
+
+ Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b
-commit 4c6cb8330460f94e6c7ae28a364236d4188156a3
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Fri Jan 29 23:04:46 2016 +0000
+commit 71f5598f06941f645a451948c4a5125c83828e1c
+Author: guenther at openbsd.org <guenther at openbsd.org>
+Date: Mon Jul 4 18:01:44 2016 +0000
upstream commit
- Remove leftover roaming dead code. ok djm markus.
+ DEBUGLIBS has been broken since the gcc4 switch, so
+ delete it. CFLAGS contains -g by default anyway
- Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
+ problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
+ ok millert@ kettenis@ deraadt@
+
+ Upstream-ID: 96c5054e3e1f170c6276902d5bc65bb3b87a2603
-commit 28136471809806d6246ef41e4341467a39fe2f91
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri Jan 29 05:46:01 2016 +0000
+commit e683fc6f1c8c7295648dbda679df8307786ec1ce
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Thu Jun 30 05:17:05 2016 +0000
upstream commit
- include packet type of non-data packets in debug3 output;
- ok markus dtucker
+ Explicitly check for 100% completion to avoid potential
+ floating point rounding error, which could cause progressmeter to report 99%
+ on completion. While there invert the test so the 100% case is clearer. with
+ & ok djm@
- Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
+ Upstream-ID: a166870c5878e422f3c71ff802e2ccd7032f715d
-commit 6fd6e28daccafaa35f02741036abe64534c361a1
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Fri Jan 29 03:31:03 2016 +0000
+commit 772e6cec0ed740fc7db618dc30b4134f5a358b43
+Author: jmc at openbsd.org <jmc at openbsd.org>
+Date: Wed Jun 29 17:14:28 2016 +0000
upstream commit
- Revert "account for packets buffered but not yet
- processed" change as it breaks for very small RekeyLimit values due to
- continuous rekeying. ok djm@
+ sort the -o list;
- Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
+ Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac
-commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Fri Jan 29 02:54:45 2016 +0000
+commit 46ecd19e554ccca15a7309cd1b6b44bc8e6b84af
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Thu Jun 23 05:17:51 2016 +0000
upstream commit
- Allow RekeyLimits in excess of 4G up to 2**63 bits
- (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
+ fix AuthenticationMethods during configuration re-parse;
+ reported by Juan Francisco Cantero Hurtado
- Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
+ Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
-commit c0060a65296f01d4634f274eee184c0e93ba0f23
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Fri Jan 29 02:42:46 2016 +0000
+commit 3147e7595d0f2f842a666c844ac53e6c7a253d7e
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Sun Jun 19 07:48:02 2016 +0000
upstream commit
- Account for packets buffered but not yet processed when
- computing whether or not it is time to perform rekeying. bz#2521, based
- loosely on a patch from olo at fb.com, ok djm@
+ revert 1.34; causes problems loading public keys
- Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
+ reported by semarie@
+
+ Upstream-ID: b393794f8935c8b15d98a407fe7721c62d2ed179
-commit 44cf930e670488c85c9efeb373fa5f4b455692ac
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Jan 27 06:44:58 2016 +0000
+commit ad23a75509f4320d43f628c50f0817e3ad12bfa7
+Author: jmc at openbsd.org <jmc at openbsd.org>
+Date: Fri Jun 17 06:33:30 2016 +0000
upstream commit
- change old $FreeBSD version string in comment so it doesn't
- become an RCS ident downstream; requested by des AT des.no
+ grammar fix;
- Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
+ Upstream-ID: 5d5b21c80f1e81db367333ce0bb3e5874fb3e463
-commit ebacd377769ac07d1bf3c75169644336056b7060
+commit 5e28b1a2a3757548b40018cc2493540a17c82e27
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed Jan 27 00:53:12 2016 +0000
+Date: Fri Jun 17 05:06:23 2016 +0000
upstream commit
- make the debug messages a bit more useful here
+ translate OpenSSL error codes to something more
+ meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
- Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
+ Upstream-ID: 4cb0795a366381724314e6515d57790c5930ffe5
-commit 458abc2934e82034c5c281336d8dc0f910aecad3
-Author: jsg at openbsd.org <jsg at openbsd.org>
-Date: Sat Jan 23 05:31:35 2016 +0000
+commit b64faeb5eda7eff8210c754d00464f9fe9d23de5
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Fri Jun 17 05:03:40 2016 +0000
upstream commit
- Zero a stack buffer with explicit_bzero() instead of
- memset() when returning from client_loop() for consistency with
- buffer_free()/sshbuf_free().
+ ban AuthenticationMethods="" and accept
+ AuthenticationMethods=any for the default behaviour of not requiring multiple
+ authentication
- ok dtucker@ deraadt@ djm@
+ bz#2398 from Jakub Jelen; ok dtucker@
- Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
+ Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
-commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0
+commit 9816fc5daee5ca924dd5c4781825afbaab728877
Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Wed Jan 20 09:22:39 2016 +0000
+Date: Thu Jun 16 11:00:17 2016 +0000
upstream commit
- Include sys/time.h for gettimeofday. From sortie at
- maxsi.org.
+ Include stdarg.h for va_copy as per man page.
- Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
+ Upstream-ID: 105d6b2f1af2fbd9d91c893c436ab121434470bd
-commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a
-Author: markus at openbsd.org <markus at openbsd.org>
-Date: Thu Jan 14 22:56:56 2016 +0000
+commit b6cf84b51bc0f5889db48bf29a0c771954ade283
+Author: jmc at openbsd.org <jmc at openbsd.org>
+Date: Thu Jun 16 06:10:45 2016 +0000
upstream commit
- fd leaks; report Qualys Security Advisory team; ok
- deraadt@
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-vendor
mailing list