diff options
author | Colin Watson <cjwatson@debian.org> | 2018-10-19 21:29:01 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-10-19 21:29:01 +0100 |
commit | 3d246f10429fc9a37b98eabef94fe8dc7c61002b (patch) | |
tree | 1f35b42b5e5f462d35ba452e4dcfa188ce0543fd /ChangeLog | |
parent | e6547182a54f0f268ee36e7c99319eeddffbaff2 (diff) | |
parent | aede1c34243a6f7feae2fb2cb686ade5f9be6f3d (diff) |
Import openssh_7.9p1.orig.tar.gz
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 1683 |
1 files changed, 824 insertions, 859 deletions
@@ -1,3 +1,827 @@ | |||
1 | commit aede1c34243a6f7feae2fb2cb686ade5f9be6f3d | ||
2 | Author: Damien Miller <djm@mindrot.org> | ||
3 | Date: Wed Oct 17 11:01:20 2018 +1100 | ||
4 | |||
5 | Require OpenSSL 1.1.x series 1.1.0g or greater | ||
6 | |||
7 | Previous versions have a bug with EVP_CipherInit() when passed a | ||
8 | NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613 | ||
9 | |||
10 | ok dtucker@ | ||
11 | |||
12 | commit 08300c211409c212e010fe2e2f2883e573a04ce2 | ||
13 | Author: Damien Miller <djm@mindrot.org> | ||
14 | Date: Wed Oct 17 08:12:02 2018 +1100 | ||
15 | |||
16 | unbreak compilation with --with-ssl-engine | ||
17 | |||
18 | Missing last argument to OPENSSL_init_crypto() | ||
19 | |||
20 | commit 1673274aee67ce0eb6f00578b6f3d2bcbd58f937 | ||
21 | Author: Darren Tucker <dtucker@dtucker.net> | ||
22 | Date: Tue Oct 16 14:45:57 2018 +1100 | ||
23 | |||
24 | Remove gcc spectre mitigation flags. | ||
25 | |||
26 | Current impementions of the gcc spectre mitigation flags cause | ||
27 | miscompilations when combined with other flags and do not provide much | ||
28 | protection. Found by fweimer at redhat.com, ok djm@ | ||
29 | |||
30 | commit 4e23deefd7959ef83c73ed9cce574423438f6133 | ||
31 | Author: Damien Miller <djm@mindrot.org> | ||
32 | Date: Tue Oct 16 10:51:52 2018 +1100 | ||
33 | |||
34 | Avoid deprecated OPENSSL_config when using 1.1.x | ||
35 | |||
36 | OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of | ||
37 | OPENSSL_init_crypto; pointed out by Jakub Jelen | ||
38 | |||
39 | commit 797cdd9c8468ed1125ce60d590ae3f1397866af4 | ||
40 | Author: Darren Tucker <dtucker@dtucker.net> | ||
41 | Date: Fri Oct 12 16:58:47 2018 +1100 | ||
42 | |||
43 | Don't avoid our *sprintf replacements. | ||
44 | |||
45 | Don't let systems with broken printf(3) avoid our replacements | ||
46 | via asprintf(3)/vasprintf(3) calling libc internally. From djm@ | ||
47 | |||
48 | commit e526127cbd2f8ad88fb41229df0c9b850c722830 | ||
49 | Author: Darren Tucker <dtucker@dtucker.net> | ||
50 | Date: Fri Oct 12 16:43:35 2018 +1100 | ||
51 | |||
52 | Check if snprintf understands %zu. | ||
53 | |||
54 | If the platforms snprintf and friends don't understand %zu, use the | ||
55 | compat replacement. Prevents segfaults on those platforms. | ||
56 | |||
57 | commit cf39f875191708c5f2f1a3c1c9019f106e74aea3 | ||
58 | Author: Damien Miller <djm@mindrot.org> | ||
59 | Date: Fri Oct 12 09:48:05 2018 +1100 | ||
60 | |||
61 | remove stale link, tweak | ||
62 | |||
63 | commit a7205e68decf7de2005810853b4ce6b222b65e2a | ||
64 | Author: Damien Miller <djm@mindrot.org> | ||
65 | Date: Fri Oct 12 09:47:20 2018 +1100 | ||
66 | |||
67 | update version numbers ahead of release | ||
68 | |||
69 | commit 1a4a9cf80f5b92b9d1dadd0bfa8867c04d195391 | ||
70 | Author: djm@openbsd.org <djm@openbsd.org> | ||
71 | Date: Thu Oct 11 03:48:04 2018 +0000 | ||
72 | |||
73 | upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names to | ||
74 | |||
75 | older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker | ||
76 | |||
77 | OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631 | ||
78 | |||
79 | commit dc8ddcdf1a95e011c263486c25869bb5bf4e30ec | ||
80 | Author: Damien Miller <djm@mindrot.org> | ||
81 | Date: Thu Oct 11 13:08:59 2018 +1100 | ||
82 | |||
83 | update depends | ||
84 | |||
85 | commit 26841ac265603fd2253e6832e03602823dbb4022 | ||
86 | Author: Damien Miller <djm@mindrot.org> | ||
87 | Date: Thu Oct 11 13:02:11 2018 +1100 | ||
88 | |||
89 | some more duplicated key algorithm lines | ||
90 | |||
91 | From Adam Eijdenberg | ||
92 | |||
93 | commit 5d9d17603bfbb620195a4581025052832b4c4adc | ||
94 | Author: Damien Miller <djm@mindrot.org> | ||
95 | Date: Thu Oct 11 11:56:36 2018 +1100 | ||
96 | |||
97 | fix duplicated algorithm specification lines | ||
98 | |||
99 | Spotted by Adam Eijdenberg | ||
100 | |||
101 | commit ebfafd9c7a5b2a7fb515ee95dbe0e44e11d0a663 | ||
102 | Author: djm@openbsd.org <djm@openbsd.org> | ||
103 | Date: Thu Oct 11 00:52:46 2018 +0000 | ||
104 | |||
105 | upstream: typo in plain RSA algorithm counterpart names for | ||
106 | |||
107 | certificates; spotted by Adam Eijdenberg; ok dtucker@ | ||
108 | |||
109 | OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00 | ||
110 | |||
111 | commit c29b111e7d87c2324ff71c80653dd8da168c13b9 | ||
112 | Author: Damien Miller <djm@mindrot.org> | ||
113 | Date: Thu Oct 11 11:29:35 2018 +1100 | ||
114 | |||
115 | check pw_passwd != NULL here too | ||
116 | |||
117 | Again, for systems with broken NIS implementations. | ||
118 | |||
119 | Prompted by coolbugcheckers AT gmail.com | ||
120 | |||
121 | commit fe8e8f349a553ef4c567acd418aac769a82b7729 | ||
122 | Author: Damien Miller <djm@mindrot.org> | ||
123 | Date: Thu Oct 11 11:03:15 2018 +1100 | ||
124 | |||
125 | check for NULL return from shadow_pw() | ||
126 | |||
127 | probably unreachable on this platform; pointed out by | ||
128 | coolbugcheckers AT gmail.com | ||
129 | |||
130 | commit acc59cbe7a1fb169e1c3caba65a39bd74d6e030d | ||
131 | Author: deraadt@openbsd.org <deraadt@openbsd.org> | ||
132 | Date: Wed Oct 10 16:43:49 2018 +0000 | ||
133 | |||
134 | upstream: introducing openssh 7.9 | ||
135 | |||
136 | OpenBSD-Commit-ID: 42d526a9fe01a40dd299ac58014d3349adf40e25 | ||
137 | |||
138 | commit 12731158c75c8760a8bea06350eeb3e763fe1a07 | ||
139 | Author: Damien Miller <djm@mindrot.org> | ||
140 | Date: Thu Oct 11 10:29:29 2018 +1100 | ||
141 | |||
142 | supply callback to PEM_read_bio_PrivateKey | ||
143 | |||
144 | OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, | ||
145 | so that empty passphrases are interpreted differently. This | ||
146 | probabalistically breaks loading some keys, because the PEM format | ||
147 | is terrible and doesn't include a proper MAC. | ||
148 | |||
149 | Avoid this by providing a basic callback to avoid passing empty | ||
150 | passphrases to OpenSSL in cases where one is required. | ||
151 | |||
152 | Based on patch from Jakub Jelen in bz#2913; ok dtucker@ | ||
153 | |||
154 | commit d1d301a1dd5d6cc3a9ed93ab7ab09dda4cb456e0 | ||
155 | Author: Damien Miller <djm@mindrot.org> | ||
156 | Date: Wed Oct 10 14:57:00 2018 +1100 | ||
157 | |||
158 | in pick_salt() avoid dereference of NULL passwords | ||
159 | |||
160 | Apparently some NIS implementations can leave pw->pw_passwd (or the | ||
161 | shadow equivalent) NULL. | ||
162 | |||
163 | bz#2909; based on patch from Todd Eigenschink | ||
164 | |||
165 | commit edbb6febccee084d212fdc0cb05b40cb1c646ab1 | ||
166 | Author: djm@openbsd.org <djm@openbsd.org> | ||
167 | Date: Tue Oct 9 05:42:23 2018 +0000 | ||
168 | |||
169 | upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrase | ||
170 | |||
171 | is specified as "incorrect passphrase" instead of trying to choose between | ||
172 | that and "invalid format". | ||
173 | |||
174 | libcrypto can return ASN1 parsing errors rather than the expected | ||
175 | decrypt error in certain infrequent cases when trying to decrypt/parse | ||
176 | PEM private keys when supplied with an invalid passphrase. | ||
177 | |||
178 | Report and repro recipe from Thomas Deutschmann in bz#2901 | ||
179 | |||
180 | ok markus@ | ||
181 | |||
182 | OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870 | ||
183 | |||
184 | commit 2581333d564d8697837729b3d07d45738eaf5a54 | ||
185 | Author: naddy@openbsd.org <naddy@openbsd.org> | ||
186 | Date: Fri Oct 5 14:26:09 2018 +0000 | ||
187 | |||
188 | upstream: Support using service names for port numbers. | ||
189 | |||
190 | * Try to resolve a port specification with getservbyname(3) if a | ||
191 | numeric conversion fails. | ||
192 | * Make the "Port" option in ssh_config handle its argument as a | ||
193 | port rather than a plain integer. | ||
194 | |||
195 | ok dtucker@ deraadt@ | ||
196 | |||
197 | OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d | ||
198 | |||
199 | commit e0d6501e86734c48c8c503f81e1c0926e98c5c4c | ||
200 | Author: djm@openbsd.org <djm@openbsd.org> | ||
201 | Date: Thu Oct 4 07:47:35 2018 +0000 | ||
202 | |||
203 | upstream: when the peer sends a channel-close message, make sure we | ||
204 | |||
205 | close the local extended read fd (stderr) along with the regular read fd | ||
206 | (stdout). Avoids weird stuck processed in multiplexing mode. | ||
207 | |||
208 | Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863 | ||
209 | |||
210 | ok dtucker@ markus@ | ||
211 | |||
212 | OpenBSD-Commit-ID: a48a2467fe938de4de69d2e7193d5fa701f12ae9 | ||
213 | |||
214 | commit 6f1aabb128246f445e33b8844fad3de9cb1d18cb | ||
215 | Author: djm@openbsd.org <djm@openbsd.org> | ||
216 | Date: Thu Oct 4 01:04:52 2018 +0000 | ||
217 | |||
218 | upstream: factor out channel status formatting from | ||
219 | |||
220 | channel_open_message() so we can use it in other debug messages | ||
221 | |||
222 | OpenBSD-Commit-ID: 9c3903ca28fcabad57f566c9d0045b41ab7d52ba | ||
223 | |||
224 | commit f1dd179e122bdfdb7ca3072d9603607740efda05 | ||
225 | Author: djm@openbsd.org <djm@openbsd.org> | ||
226 | Date: Thu Oct 4 00:10:11 2018 +0000 | ||
227 | |||
228 | upstream: include a little more information about the status and | ||
229 | |||
230 | disposition of channel's extended (stderr) fd; makes debugging some things a | ||
231 | bit easier. No behaviour change. | ||
232 | |||
233 | OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce | ||
234 | |||
235 | commit 2d1428b11c8b6f616f070f2ecedce12328526944 | ||
236 | Author: djm@openbsd.org <djm@openbsd.org> | ||
237 | Date: Thu Oct 4 00:04:41 2018 +0000 | ||
238 | |||
239 | upstream: explicit_bzero here to be consistent with other kex*.c; | ||
240 | |||
241 | report from coolbugcheckers AT gmail.com | ||
242 | |||
243 | OpenBSD-Commit-ID: a90f146c5b5f5b1408700395e394f70b440856cb | ||
244 | |||
245 | commit 5eff5b858e717e901e6af6596306a114de9f79f2 | ||
246 | Author: djm@openbsd.org <djm@openbsd.org> | ||
247 | Date: Wed Oct 3 06:38:35 2018 +0000 | ||
248 | |||
249 | upstream: Allow ssh_config IdentityAgent directive to accept | ||
250 | |||
251 | environment variable names as well as explicit paths. ok dtucker@ | ||
252 | |||
253 | OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b | ||
254 | |||
255 | commit a46ac4d86b25414d78b632e8173578b37e5f8a83 | ||
256 | Author: djm@openbsd.org <djm@openbsd.org> | ||
257 | Date: Tue Oct 2 12:51:58 2018 +0000 | ||
258 | |||
259 | upstream: mention INFO@openssh.com for sending SIGINFO | ||
260 | |||
261 | OpenBSD-Commit-ID: 132471eeb0df658210afd27852fe65131b26e900 | ||
262 | |||
263 | commit ff3a411cae0b484274b7900ef52ff4dad3e12876 | ||
264 | Author: Damien Miller <djm@mindrot.org> | ||
265 | Date: Tue Oct 2 22:49:40 2018 +1000 | ||
266 | |||
267 | only support SIGINFO on systems with SIGINFO | ||
268 | |||
269 | commit cd98925c6405e972dc9f211afc7e75e838abe81c | ||
270 | Author: djm@openbsd.org <djm@openbsd.org> | ||
271 | Date: Tue Oct 2 12:40:07 2018 +0000 | ||
272 | |||
273 | upstream: Add server support for signalling sessions via the SSH | ||
274 | |||
275 | channel/ session protocol. Signalling is only supported to sesssions that are | ||
276 | not subsystems and were not started with a forced command. | ||
277 | |||
278 | Long requested in bz#1424 | ||
279 | |||
280 | Based on a patch from markus@ and reworked by dtucker@; | ||
281 | ok markus@ dtucker@ | ||
282 | |||
283 | OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3 | ||
284 | |||
285 | commit dba50258333f2604a87848762af07ba2cc40407a | ||
286 | Author: djm@openbsd.org <djm@openbsd.org> | ||
287 | Date: Wed Sep 26 07:32:44 2018 +0000 | ||
288 | |||
289 | upstream: remove big ugly TODO comment from start of file. Some of | ||
290 | |||
291 | the mentioned tasks are obsolete and, of the remainder, most are already | ||
292 | captured in PROTOCOL.mux where they better belong | ||
293 | |||
294 | OpenBSD-Commit-ID: 16d9d76dee42a5bb651c9d6740f7f0ef68aeb407 | ||
295 | |||
296 | commit 92b61a38ee9b765f5049f03cd1143e13f3878905 | ||
297 | Author: djm@openbsd.org <djm@openbsd.org> | ||
298 | Date: Wed Sep 26 07:30:05 2018 +0000 | ||
299 | |||
300 | upstream: Document mux proxy mode; added by Markus in openssh-7.4 | ||
301 | |||
302 | Also add a little bit of information about the overall packet format | ||
303 | |||
304 | OpenBSD-Commit-ID: bdb6f6ea8580ef96792e270cae7857786ad84a95 | ||
305 | |||
306 | commit 9d883a1ce4f89b175fd77405ff32674620703fb2 | ||
307 | Author: djm@openbsd.org <djm@openbsd.org> | ||
308 | Date: Wed Sep 26 01:48:57 2018 +0000 | ||
309 | |||
310 | upstream: s/process_mux_master/mux_master_process/ in mux master | ||
311 | |||
312 | function names, | ||
313 | |||
314 | Gives better symmetry with the existing mux_client_*() names and makes | ||
315 | it more obvious when a message comes from the master vs client (they | ||
316 | are interleved in ControlMaster=auto mode). | ||
317 | |||
318 | no functional change beyond prefixing a could of log messages with | ||
319 | __func__ where they were previously lacking. | ||
320 | |||
321 | OpenBSD-Commit-ID: b01f7c3fdf92692e1713a822a89dc499333daf75 | ||
322 | |||
323 | commit c2fa53cd6462da82d3a851dc3a4a3f6b920337c8 | ||
324 | Author: Darren Tucker <dtucker@dtucker.net> | ||
325 | Date: Sat Sep 22 14:41:24 2018 +1000 | ||
326 | |||
327 | Remove unused variable in _ssh_compat_fflush. | ||
328 | |||
329 | commit d1b3540c21212624af907488960d703c7d987b42 | ||
330 | Author: Darren Tucker <dtucker@dtucker.net> | ||
331 | Date: Thu Sep 20 18:08:43 2018 +1000 | ||
332 | |||
333 | Import updated moduli. | ||
334 | |||
335 | commit b5e412a8993ad17b9e1141c78408df15d3d987e1 | ||
336 | Author: djm@openbsd.org <djm@openbsd.org> | ||
337 | Date: Fri Sep 21 12:46:22 2018 +0000 | ||
338 | |||
339 | upstream: Allow ssh_config ForwardX11Timeout=0 to disable the | ||
340 | |||
341 | timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ | ||
342 | |||
343 | OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69 | ||
344 | |||
345 | commit cb24d9fcc901429d77211f274031653476864ec6 | ||
346 | Author: djm@openbsd.org <djm@openbsd.org> | ||
347 | Date: Fri Sep 21 12:23:17 2018 +0000 | ||
348 | |||
349 | upstream: when compiled with GSSAPI support, cache supported method | ||
350 | |||
351 | OIDs by calling ssh_gssapi_prepare_supported_oids() regardless of whether | ||
352 | GSSAPI authentication is enabled in the main config. | ||
353 | |||
354 | This avoids sandbox violations for configurations that enable GSSAPI | ||
355 | auth later, e.g. | ||
356 | |||
357 | Match user djm | ||
358 | GSSAPIAuthentication yes | ||
359 | |||
360 | bz#2107; ok dtucker@ | ||
361 | |||
362 | OpenBSD-Commit-ID: a5dd42d87c74e27cfb712b15b0f97ab20e0afd1d | ||
363 | |||
364 | commit bbc8af72ba68da014d4de6e21a85eb5123384226 | ||
365 | Author: djm@openbsd.org <djm@openbsd.org> | ||
366 | Date: Fri Sep 21 12:20:12 2018 +0000 | ||
367 | |||
368 | upstream: In sshkey_in_file(), ignore keys that are considered for | ||
369 | |||
370 | being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered | ||
371 | to be "in the file". This allows key revocation lists to contain short keys | ||
372 | without the entire revocation list being considered invalid. | ||
373 | |||
374 | bz#2897; ok dtucker | ||
375 | |||
376 | OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b | ||
377 | |||
378 | commit 383a33d160cefbfd1b40fef81f72eadbf9303a66 | ||
379 | Author: djm@openbsd.org <djm@openbsd.org> | ||
380 | Date: Fri Sep 21 03:11:36 2018 +0000 | ||
381 | |||
382 | upstream: Treat connections with ProxyJump specified the same as ones | ||
383 | |||
384 | with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't | ||
385 | try to canonicalise the hostname unless CanonicalizeHostname is set to | ||
386 | 'always'). | ||
387 | |||
388 | Patch from Sven Wegener via bz#2896 | ||
389 | |||
390 | OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37 | ||
391 | |||
392 | commit 0cbed248ed81584129b67c348dbb801660f25a6a | ||
393 | Author: djm@openbsd.org <djm@openbsd.org> | ||
394 | Date: Thu Sep 20 23:40:16 2018 +0000 | ||
395 | |||
396 | upstream: actually make CASignatureAlgorithms available as a config | ||
397 | |||
398 | option | ||
399 | |||
400 | OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52 | ||
401 | |||
402 | commit 62528870c0ec48cd86a37dd7320fb85886c3e6ee | ||
403 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
404 | Date: Thu Sep 20 08:07:03 2018 +0000 | ||
405 | |||
406 | upstream: Import updated moduli. | ||
407 | |||
408 | OpenBSD-Commit-ID: 04431e8e7872f49a2129bf080a6b73c19d576d40 | ||
409 | |||
410 | commit e6933a2ffa0659d57f3c7b7c457b2c62b2a84613 | ||
411 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
412 | Date: Thu Sep 20 06:58:48 2018 +0000 | ||
413 | |||
414 | upstream: reorder CASignatureAlgorithms, and add them to the | ||
415 | |||
416 | various -o lists; ok djm | ||
417 | |||
418 | OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288 | ||
419 | |||
420 | commit aa083aa9624ea7b764d5a81c4c676719a1a3e42b | ||
421 | Author: djm@openbsd.org <djm@openbsd.org> | ||
422 | Date: Thu Sep 20 03:31:49 2018 +0000 | ||
423 | |||
424 | upstream: fix "ssh -Q sig" to show correct signature algorithm list | ||
425 | |||
426 | (it was erroneously showing certificate algorithms); prompted by markus@ | ||
427 | |||
428 | OpenBSD-Commit-ID: 1cdee002f2f0c21456979deeb887fc889afb154d | ||
429 | |||
430 | commit ecac7e1f7add6b28874959a11f2238d149dc2c07 | ||
431 | Author: djm@openbsd.org <djm@openbsd.org> | ||
432 | Date: Thu Sep 20 03:30:44 2018 +0000 | ||
433 | |||
434 | upstream: add CASignatureAlgorithms option for the client, allowing | ||
435 | |||
436 | it to specify which signature algorithms may be used by CAs when signing | ||
437 | certificates. Useful if you want to ban RSA/SHA1; ok markus@ | ||
438 | |||
439 | OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f | ||
440 | |||
441 | commit 86e5737c39153af134158f24d0cab5827cbd5852 | ||
442 | Author: djm@openbsd.org <djm@openbsd.org> | ||
443 | Date: Thu Sep 20 03:28:06 2018 +0000 | ||
444 | |||
445 | upstream: Add sshd_config CASignatureAlgorithms option to allow | ||
446 | |||
447 | control over which signature algorithms a CA may use when signing | ||
448 | certificates. In particular, this allows a sshd to ban certificates signed | ||
449 | with RSA/SHA1. | ||
450 | |||
451 | ok markus@ | ||
452 | |||
453 | OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac | ||
454 | |||
455 | commit f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f | ||
456 | Author: djm@openbsd.org <djm@openbsd.org> | ||
457 | Date: Wed Sep 19 02:03:02 2018 +0000 | ||
458 | |||
459 | upstream: Make "ssh-add -q" do what it says on the tin: silence | ||
460 | |||
461 | output from successful operations. | ||
462 | |||
463 | Based on patch from Thijs van Dijk; ok dtucker@ deraadt@ | ||
464 | |||
465 | OpenBSD-Commit-ID: c4f754ecc055c10af166116ce7515104aa8522e1 | ||
466 | |||
467 | commit 5e532320e9e51de720d5f3cc2596e95d29f6e98f | ||
468 | Author: millert@openbsd.org <millert@openbsd.org> | ||
469 | Date: Mon Sep 17 15:40:14 2018 +0000 | ||
470 | |||
471 | upstream: When choosing a prime from the moduli file, avoid | ||
472 | |||
473 | re-using the linenum variable for something that is not a line number to | ||
474 | avoid the confusion that resulted in the bug in rev. 1.64. This also lets us | ||
475 | pass the actual linenum to parse_prime() so the error messages include the | ||
476 | correct line number. OK markus@ some time ago. | ||
477 | |||
478 | OpenBSD-Commit-ID: 4d8e5d3e924d6e8eb70053e3defa23c151a00084 | ||
479 | |||
480 | commit cce8cbe0ed7d1ba3a575310e0b63c193326ae616 | ||
481 | Author: Darren Tucker <dtucker@dtucker.net> | ||
482 | Date: Sat Sep 15 19:44:06 2018 +1000 | ||
483 | |||
484 | Fix openssl-1.1 fallout for --without-openssl. | ||
485 | |||
486 | ok djm@ | ||
487 | |||
488 | commit 149519b9f201dac755f3cba4789f4d76fecf0ee1 | ||
489 | Author: Damien Miller <djm@mindrot.org> | ||
490 | Date: Sat Sep 15 19:37:48 2018 +1000 | ||
491 | |||
492 | add futex(2) syscall to seccomp sandbox | ||
493 | |||
494 | Apparently needed for some glibc/openssl combinations. | ||
495 | |||
496 | Patch from Arkadiusz Miśkiewicz | ||
497 | |||
498 | commit 4488ae1a6940af704c4dbf70f55bf2f756a16536 | ||
499 | Author: Damien Miller <djm@mindrot.org> | ||
500 | Date: Sat Sep 15 19:36:55 2018 +1000 | ||
501 | |||
502 | really add source for authopt_fuzz this time | ||
503 | |||
504 | commit 9201784b4a257c8345fbd740bcbdd70054885707 | ||
505 | Author: Damien Miller <djm@mindrot.org> | ||
506 | Date: Sat Sep 15 19:35:40 2018 +1000 | ||
507 | |||
508 | remove accidentally checked-in authopt_fuzz binary | ||
509 | |||
510 | commit beb9e522dc7717df08179f9e59f36b361bfa14ab | ||
511 | Author: djm@openbsd.org <djm@openbsd.org> | ||
512 | Date: Fri Sep 14 05:26:27 2018 +0000 | ||
513 | |||
514 | upstream: second try, deals properly with missing and private-only | ||
515 | |||
516 | Use consistent format in debug log for keys readied, offered and | ||
517 | received during public key authentication. | ||
518 | |||
519 | This makes it a little easier to see what is going on, as each message | ||
520 | now contains (where available) the key filename, its type and fingerprint, | ||
521 | and whether the key is hosted in an agent or a token. | ||
522 | |||
523 | OpenBSD-Commit-ID: f1c6a8e9cfc4e108c359db77f24f9a40e1e25ea7 | ||
524 | |||
525 | commit 6bc5a24ac867bfdc3ed615589d69ac640f51674b | ||
526 | Author: Damien Miller <djm@mindrot.org> | ||
527 | Date: Fri Sep 14 15:16:34 2018 +1000 | ||
528 | |||
529 | fuzzer harness for authorized_keys option parsing | ||
530 | |||
531 | commit 6c8b82fc6929b6a9a3f645151b6ec26c5507d9ef | ||
532 | Author: djm@openbsd.org <djm@openbsd.org> | ||
533 | Date: Fri Sep 14 04:44:04 2018 +0000 | ||
534 | |||
535 | upstream: revert following; deals badly with agent keys | ||
536 | |||
537 | revision 1.285 | ||
538 | date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK; | ||
539 | Use consistent format in debug log for keys readied, offered and | ||
540 | received during public key authentication. | ||
541 | |||
542 | This makes it a little easier to see what is going on, as each message | ||
543 | now contains the key filename, its type and fingerprint, and whether | ||
544 | the key is hosted in an agent or a token. | ||
545 | |||
546 | OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d | ||
547 | |||
548 | commit 6da046f9c3374ce7e269ded15d8ff8bc45017301 | ||
549 | Author: djm@openbsd.org <djm@openbsd.org> | ||
550 | Date: Fri Sep 14 04:17:44 2018 +0000 | ||
551 | |||
552 | upstream: garbage-collect moribund ssh_new_private() API. | ||
553 | |||
554 | OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c | ||
555 | |||
556 | commit 1f24ac5fc05252ceb1c1d0e8cab6a283b883c780 | ||
557 | Author: djm@openbsd.org <djm@openbsd.org> | ||
558 | Date: Fri Sep 14 04:17:12 2018 +0000 | ||
559 | |||
560 | upstream: Use consistent format in debug log for keys readied, | ||
561 | |||
562 | offered and received during public key authentication. | ||
563 | |||
564 | This makes it a little easier to see what is going on, as each message | ||
565 | now contains the key filename, its type and fingerprint, and whether | ||
566 | the key is hosted in an agent or a token. | ||
567 | |||
568 | OpenBSD-Commit-ID: 2a01d59285a8a7e01185bb0a43316084b4f06a1f | ||
569 | |||
570 | commit 488c9325bb7233e975dbfbf89fa055edc3d3eddc | ||
571 | Author: millert@openbsd.org <millert@openbsd.org> | ||
572 | Date: Thu Sep 13 15:23:32 2018 +0000 | ||
573 | |||
574 | upstream: Fix warnings caused by user_from_uid() and group_from_gid() | ||
575 | |||
576 | now returning const char *. | ||
577 | |||
578 | OpenBSD-Commit-ID: b5fe571ea77cfa7b9035062829ab05eb87d7cc6f | ||
579 | |||
580 | commit 0aa1f230846ebce698e52051a107f3127024a05a | ||
581 | Author: Damien Miller <djm@mindrot.org> | ||
582 | Date: Fri Sep 14 10:31:47 2018 +1000 | ||
583 | |||
584 | allow SIGUSR1 as synonym for SIGINFO | ||
585 | |||
586 | Lets users on those unfortunate operating systems that lack SIGINFO | ||
587 | still be able to obtain progress information from unit tests :) | ||
588 | |||
589 | commit d64e78526596f098096113fcf148216798c327ff | ||
590 | Author: Damien Miller <djm@mindrot.org> | ||
591 | Date: Thu Sep 13 19:05:48 2018 +1000 | ||
592 | |||
593 | add compat header | ||
594 | |||
595 | commit a3fd8074e2e2f06602e25618721f9556c731312c | ||
596 | Author: djm@openbsd.org <djm@openbsd.org> | ||
597 | Date: Thu Sep 13 09:03:20 2018 +0000 | ||
598 | |||
599 | upstream: missed a bit of openssl-1.0.x API in this unittest | ||
600 | |||
601 | OpenBSD-Regress-ID: a73a54d7f7381856a3f3a2d25947bee7a9a5dbc9 | ||
602 | |||
603 | commit 86e0a9f3d249d5580390daf58e015e68b01cef10 | ||
604 | Author: djm@openbsd.org <djm@openbsd.org> | ||
605 | Date: Thu Sep 13 05:06:51 2018 +0000 | ||
606 | |||
607 | upstream: use only openssl-1.1.x API here too | ||
608 | |||
609 | OpenBSD-Regress-ID: ae877064597c349954b1b443769723563cecbc8f | ||
610 | |||
611 | commit 48f54b9d12c1c79fba333bc86d455d8f4cda8cfc | ||
612 | Author: Damien Miller <djm@mindrot.org> | ||
613 | Date: Thu Sep 13 12:13:50 2018 +1000 | ||
614 | |||
615 | adapt -portable to OpenSSL 1.1x API | ||
616 | |||
617 | Polyfill missing API with replacement functions extracted from LibreSSL | ||
618 | |||
619 | commit 86112951d63d48839f035b5795be62635a463f99 | ||
620 | Author: Damien Miller <djm@mindrot.org> | ||
621 | Date: Thu Sep 13 12:12:42 2018 +1000 | ||
622 | |||
623 | forgot to stage these test files in commit d70d061 | ||
624 | |||
625 | commit 482d23bcacdd3664f21cc82a5135f66fc598275f | ||
626 | Author: djm@openbsd.org <djm@openbsd.org> | ||
627 | Date: Thu Sep 13 02:08:33 2018 +0000 | ||
628 | |||
629 | upstream: hold our collective noses and use the openssl-1.1.x API in | ||
630 | |||
631 | OpenSSH; feedback and ok tb@ jsing@ markus@ | ||
632 | |||
633 | OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417 | ||
634 | |||
635 | commit d70d061828730a56636ab6f1f24fe4a8ccefcfc1 | ||
636 | Author: djm@openbsd.org <djm@openbsd.org> | ||
637 | Date: Wed Sep 12 01:36:45 2018 +0000 | ||
638 | |||
639 | upstream: Include certs with multiple RSA signature variants in | ||
640 | |||
641 | test data Ensure that cert->signature_key is populated correctly | ||
642 | |||
643 | OpenBSD-Regress-ID: 56e68f70fe46cb3a193ca207385bdb301fd6603a | ||
644 | |||
645 | commit f803b2682992cfededd40c91818b653b5d923ef5 | ||
646 | Author: djm@openbsd.org <djm@openbsd.org> | ||
647 | Date: Wed Sep 12 01:23:48 2018 +0000 | ||
648 | |||
649 | upstream: test revocation by explicit hash and by fingerprint | ||
650 | |||
651 | OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8 | ||
652 | |||
653 | commit 2de78bc7da70e1338b32feeefcc6045cf49efcd4 | ||
654 | Author: djm@openbsd.org <djm@openbsd.org> | ||
655 | Date: Wed Sep 12 01:22:43 2018 +0000 | ||
656 | |||
657 | upstream: s/sshkey_demote/sshkey_from_private/g | ||
658 | |||
659 | OpenBSD-Regress-ID: 782bde7407d94a87aa8d1db7c23750e09d4443c4 | ||
660 | |||
661 | commit 41c115a5ea1cb79a6a3182773c58a23f760e8076 | ||
662 | Author: Damien Miller <djm@mindrot.org> | ||
663 | Date: Wed Sep 12 16:50:01 2018 +1000 | ||
664 | |||
665 | delete the correct thing; kexfuzz binary | ||
666 | |||
667 | commit f0fcd7e65087db8c2496f13ed39d772f8e38b088 | ||
668 | Author: djm@openbsd.org <djm@openbsd.org> | ||
669 | Date: Wed Sep 12 06:18:59 2018 +0000 | ||
670 | |||
671 | upstream: fix edit mistake; spotted by jmc@ | ||
672 | |||
673 | OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6 | ||
674 | |||
675 | commit 4cc259bac699f4d2a5c52b92230f9e488c88a223 | ||
676 | Author: djm@openbsd.org <djm@openbsd.org> | ||
677 | Date: Wed Sep 12 01:34:02 2018 +0000 | ||
678 | |||
679 | upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of | ||
680 | |||
681 | signature algorithms that are allowed for CA signatures. Notably excludes | ||
682 | ssh-dsa. | ||
683 | |||
684 | ok markus@ | ||
685 | |||
686 | OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4 | ||
687 | |||
688 | commit ba9e788315b1f6a350f910cb2a9e95b2ce584e89 | ||
689 | Author: djm@openbsd.org <djm@openbsd.org> | ||
690 | Date: Wed Sep 12 01:32:54 2018 +0000 | ||
691 | |||
692 | upstream: add sshkey_check_cert_sigtype() that checks a | ||
693 | |||
694 | cert->signature_type against a supplied whitelist; ok markus | ||
695 | |||
696 | OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302 | ||
697 | |||
698 | commit a70fd4ad7bd9f2ed223ff635a3d41e483057f23b | ||
699 | Author: djm@openbsd.org <djm@openbsd.org> | ||
700 | Date: Wed Sep 12 01:31:30 2018 +0000 | ||
701 | |||
702 | upstream: add cert->signature_type field and keep it in sync with | ||
703 | |||
704 | certificate signature wrt loading and certification operations; ok markus@ | ||
705 | |||
706 | OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3 | ||
707 | |||
708 | commit 357128ac48630a9970e3af0e6ff820300a28da47 | ||
709 | Author: djm@openbsd.org <djm@openbsd.org> | ||
710 | Date: Wed Sep 12 01:30:10 2018 +0000 | ||
711 | |||
712 | upstream: Add "ssh -Q sig" to allow listing supported signature | ||
713 | |||
714 | algorithms ok markus@ | ||
715 | |||
716 | OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b | ||
717 | |||
718 | commit 9405c6214f667be604a820c6823b27d0ea77937d | ||
719 | Author: djm@openbsd.org <djm@openbsd.org> | ||
720 | Date: Wed Sep 12 01:21:34 2018 +0000 | ||
721 | |||
722 | upstream: allow key revocation by SHA256 hash and allow ssh-keygen | ||
723 | |||
724 | to create KRLs using SHA256/base64 key fingerprints; ok markus@ | ||
725 | |||
726 | OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94 | ||
727 | |||
728 | commit 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9 | ||
729 | Author: djm@openbsd.org <djm@openbsd.org> | ||
730 | Date: Wed Sep 12 01:19:12 2018 +0000 | ||
731 | |||
732 | upstream: log certificate fingerprint in authentication | ||
733 | |||
734 | success/failure message (previously we logged only key ID and CA key | ||
735 | fingerprint). | ||
736 | |||
737 | ok markus@ | ||
738 | |||
739 | OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d | ||
740 | |||
741 | commit de37ca909487d23e5844aca289b3f5e75d3f1e1f | ||
742 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
743 | Date: Fri Sep 7 04:26:56 2018 +0000 | ||
744 | |||
745 | upstream: Add FALLTHROUGH comments where appropriate. Patch from | ||
746 | |||
747 | jjelen at redhat via bz#2687. | ||
748 | |||
749 | OpenBSD-Commit-ID: c48eb457be697a19d6d2950c6d0879f3ccc851d3 | ||
750 | |||
751 | commit 247766cd3111d5d8c6ea39833a3257ca8fb820f2 | ||
752 | Author: djm@openbsd.org <djm@openbsd.org> | ||
753 | Date: Fri Sep 7 01:42:54 2018 +0000 | ||
754 | |||
755 | upstream: ssh -MM requires confirmation for all operations that | ||
756 | |||
757 | change the multiplexing state, not just new sessions. | ||
758 | |||
759 | mention that confirmation is checked via ssh-askpass | ||
760 | |||
761 | OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2 | ||
762 | |||
763 | commit db8bb80e3ac1bcb3e1305d846cd98c6b869bf03f | ||
764 | Author: mestre@openbsd.org <mestre@openbsd.org> | ||
765 | Date: Tue Aug 28 12:25:53 2018 +0000 | ||
766 | |||
767 | upstream: fix misplaced parenthesis inside if-clause. it's harmless | ||
768 | |||
769 | and the only issue is showing an unknown error (since it's not defined) | ||
770 | during fatal(), if it ever an error occurs inside that condition. | ||
771 | |||
772 | OK deraadt@ markus@ djm@ | ||
773 | |||
774 | OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8 | ||
775 | |||
776 | commit 086cc614f550b7d4f100c95e472a6b6b823938ab | ||
777 | Author: mestre@openbsd.org <mestre@openbsd.org> | ||
778 | Date: Tue Aug 28 12:17:45 2018 +0000 | ||
779 | |||
780 | upstream: fix build with DEBUG_PK enabled | ||
781 | |||
782 | OK dtucker@ | ||
783 | |||
784 | OpenBSD-Commit-ID: ec1568cf27726e9638a0415481c20c406e7b441c | ||
785 | |||
786 | commit 2678833013e97f8b18f09779b7f70bcbf5eb2ab2 | ||
787 | Author: Darren Tucker <dtucker@dtucker.net> | ||
788 | Date: Fri Sep 7 14:41:53 2018 +1000 | ||
789 | |||
790 | Handle ngroups>_SC_NGROUPS_MAX. | ||
791 | |||
792 | Based on github pull request #99 from Darren Maffat at Oracle: Solaris' | ||
793 | getgrouplist considers _SC_NGROUPS_MAX more of a guideline and can return | ||
794 | a larger number of groups. In this case, retry getgrouplist with a | ||
795 | larger array and defer allocating groups_byname. ok djm@ | ||
796 | |||
797 | commit 039bf2a81797b8f3af6058d34005a4896a363221 | ||
798 | Author: Darren Tucker <dtucker@dtucker.net> | ||
799 | Date: Fri Sep 7 14:06:57 2018 +1000 | ||
800 | |||
801 | Initial len for the fmt=NULL case. | ||
802 | |||
803 | Patch from jjelen at redhat via bz#2687. (OpenSSH never calls | ||
804 | setproctitle with a null format so len is always initialized). | ||
805 | |||
806 | commit ea9c06e11d2e8fb2f4d5e02f8a41e23d2bd31ca9 | ||
807 | Author: Darren Tucker <dtucker@dtucker.net> | ||
808 | Date: Fri Sep 7 14:01:39 2018 +1000 | ||
809 | |||
810 | Include stdlib.h. | ||
811 | |||
812 | Patch from jjelen at redhat via bz#2687. | ||
813 | |||
814 | commit 9617816dbe73ec4d65075f4d897443f63a97c87f | ||
815 | Author: Damien Miller <djm@mindrot.org> | ||
816 | Date: Mon Aug 27 13:08:01 2018 +1000 | ||
817 | |||
818 | document some more regress control env variables | ||
819 | |||
820 | Specifically SKIP_UNIT, USE_VALGRING and LTESTS. Sort the list of | ||
821 | environment variables. | ||
822 | |||
823 | Based on patch from Jakub Jelen | ||
824 | |||
1 | commit 71508e06fab14bc415a79a08f5535ad7bffa93d9 | 825 | commit 71508e06fab14bc415a79a08f5535ad7bffa93d9 |
2 | Author: Damien Miller <djm@mindrot.org> | 826 | Author: Damien Miller <djm@mindrot.org> |
3 | Date: Thu Aug 23 15:41:42 2018 +1000 | 827 | Date: Thu Aug 23 15:41:42 2018 +1000 |
@@ -8880,862 +9704,3 @@ Date: Thu Oct 20 03:42:09 2016 +1100 | |||
8880 | Remote channels .orig and .rej files. | 9704 | Remote channels .orig and .rej files. |
8881 | 9705 | ||
8882 | These files were incorrectly added during an OpenBSD sync. | 9706 | These files were incorrectly added during an OpenBSD sync. |
8883 | |||
8884 | commit 246aa842a4ad368d8ce030495e657ef3a0e1f95c | ||
8885 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
8886 | Date: Tue Oct 18 17:32:54 2016 +0000 | ||
8887 | |||
8888 | upstream commit | ||
8889 | |||
8890 | Remove channel_input_port_forward_request(); the only caller | ||
8891 | was the recently-removed SSH1 server code so it's now dead code. ok markus@ | ||
8892 | |||
8893 | Upstream-ID: 05453983230a1f439562535fec2818f63f297af9 | ||
8894 | |||
8895 | commit 2c6697c443d2c9c908260eed73eb9143223e3ec9 | ||
8896 | Author: millert@openbsd.org <millert@openbsd.org> | ||
8897 | Date: Tue Oct 18 12:41:22 2016 +0000 | ||
8898 | |||
8899 | upstream commit | ||
8900 | |||
8901 | Install a signal handler for tty-generated signals and | ||
8902 | wait for the ssh child to suspend before suspending sftp. This lets ssh | ||
8903 | restore the terminal mode as needed when it is suspended at the password | ||
8904 | prompt. OK dtucker@ | ||
8905 | |||
8906 | Upstream-ID: a31c1f42aa3e2985dcc91e46e6a17bd22e372d69 | ||
8907 | |||
8908 | commit fd2a8f1033fa2316fff719fd5176968277560158 | ||
8909 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
8910 | Date: Sat Oct 15 19:56:25 2016 +0000 | ||
8911 | |||
8912 | upstream commit | ||
8913 | |||
8914 | various formatting fixes, specifically removing Dq; | ||
8915 | |||
8916 | Upstream-ID: 81e85df2b8e474f5f93d66e61d9a4419ce87347c | ||
8917 | |||
8918 | commit 8f866d8a57b9a2dc5dd04504e27f593b551618e3 | ||
8919 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8920 | Date: Wed Oct 19 03:26:09 2016 +1100 | ||
8921 | |||
8922 | Import readpassphrase.c rev 1.26. | ||
8923 | |||
8924 | Author: miller@openbsd.org: | ||
8925 | Avoid generate SIGTTOU when restoring the terminal mode. If we get | ||
8926 | SIGTTOU it means the process is not in the foreground process group | ||
8927 | which, in most cases, means that the shell has taken control of the tty. | ||
8928 | Requiring the user the fg the process in this case doesn't make sense | ||
8929 | and can result in both SIGTSTP and SIGTTOU being sent which can lead to | ||
8930 | the process being suspended again immediately after being brought into | ||
8931 | the foreground. | ||
8932 | |||
8933 | commit f901440cc844062c9bab0183d133f7ccc58ac3a5 | ||
8934 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8935 | Date: Wed Oct 19 03:23:16 2016 +1100 | ||
8936 | |||
8937 | Import readpassphrase.c rev 1.25. | ||
8938 | |||
8939 | Wrap <readpassphrase.h> so internal calls go direct and | ||
8940 | readpassphrase is weak. | ||
8941 | |||
8942 | (DEF_WEAK is a no-op in portable.) | ||
8943 | |||
8944 | commit 032147b69527e5448a511049b2d43dbcae582624 | ||
8945 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8946 | Date: Sat Oct 15 05:51:12 2016 +1100 | ||
8947 | |||
8948 | Move DEF_WEAK into defines.h. | ||
8949 | |||
8950 | As well pull in more recent changes from OpenBSD these will start to | ||
8951 | arrive so put it where the definition is shared. | ||
8952 | |||
8953 | commit e0259a82ddd950cfb109ddee86fcebbc09c6bd04 | ||
8954 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8955 | Date: Sat Oct 15 04:34:46 2016 +1100 | ||
8956 | |||
8957 | Remove do_pam_set_tty which is dead code. | ||
8958 | |||
8959 | The callers of do_pam_set_tty were removed in 2008, so this is now dead | ||
8960 | code. bz#2604, pointed out by jjelen at redhat.com. | ||
8961 | |||
8962 | commit ca04de83f210959ad2ed870a30ba1732c3ae00e3 | ||
8963 | Author: Damien Miller <djm@mindrot.org> | ||
8964 | Date: Thu Oct 13 18:53:43 2016 +1100 | ||
8965 | |||
8966 | unbreak principals-command test | ||
8967 | |||
8968 | Undo inconsistetly updated variable name. | ||
8969 | |||
8970 | commit 1723ec92eb485ce06b4cbf49712d21975d873909 | ||
8971 | Author: djm@openbsd.org <djm@openbsd.org> | ||
8972 | Date: Tue Oct 11 21:49:54 2016 +0000 | ||
8973 | |||
8974 | upstream commit | ||
8975 | |||
8976 | fix the KEX fuzzer - the previous method of obtaining the | ||
8977 | packet contents was broken. This now uses the new per-packet input hook, so | ||
8978 | it sees exact post-decrypt packets and doesn't have to pass packet integrity | ||
8979 | checks. ok markus@ | ||
8980 | |||
8981 | Upstream-Regress-ID: 402fb6ffabd97de590e8e57b25788949dce8d2fd | ||
8982 | |||
8983 | commit 09f997893f109799cddbfce6d7e67f787045cbb2 | ||
8984 | Author: natano@openbsd.org <natano@openbsd.org> | ||
8985 | Date: Thu Oct 6 09:31:38 2016 +0000 | ||
8986 | |||
8987 | upstream commit | ||
8988 | |||
8989 | Move USER out of the way to unbreak the BUILDUSER | ||
8990 | mechanism. ok tb | ||
8991 | |||
8992 | Upstream-Regress-ID: 74ab9687417dd071d62316eaadd20ddad1d5af3c | ||
8993 | |||
8994 | commit 3049a012c482a7016f674db168f23fd524edce27 | ||
8995 | Author: bluhm@openbsd.org <bluhm@openbsd.org> | ||
8996 | Date: Fri Sep 30 11:55:20 2016 +0000 | ||
8997 | |||
8998 | upstream commit | ||
8999 | |||
9000 | In ssh tests set REGRESS_FAIL_EARLY with ?= so that the | ||
9001 | environment can change it. OK djm@ | ||
9002 | |||
9003 | Upstream-Regress-ID: 77bcb50e47b68c7209c7f0a5a020d73761e5143b | ||
9004 | |||
9005 | commit 39af7b444db28c1cb01b7ea468a4f574a44f375b | ||
9006 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9007 | Date: Tue Oct 11 21:47:45 2016 +0000 | ||
9008 | |||
9009 | upstream commit | ||
9010 | |||
9011 | Add a per-packet input hook that is called with the | ||
9012 | decrypted packet contents. This will be used for fuzzing; ok markus@ | ||
9013 | |||
9014 | Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc | ||
9015 | |||
9016 | commit ec165c392ca54317dbe3064a8c200de6531e89ad | ||
9017 | Author: markus@openbsd.org <markus@openbsd.org> | ||
9018 | Date: Mon Oct 10 19:28:48 2016 +0000 | ||
9019 | |||
9020 | upstream commit | ||
9021 | |||
9022 | Unregister the KEXINIT handler after message has been | ||
9023 | received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause | ||
9024 | allocation of up to 128MB -- until the connection is closed. Reported by | ||
9025 | shilei-c at 360.cn | ||
9026 | |||
9027 | Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 | ||
9028 | |||
9029 | commit 29d40319392e6e19deeca9d45468aa1119846e50 | ||
9030 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9031 | Date: Thu Oct 13 04:07:20 2016 +1100 | ||
9032 | |||
9033 | Import rev 1.24 from OpenBSD. | ||
9034 | |||
9035 | revision 1.24 | ||
9036 | date: 2013/11/24 23:51:29; author: deraadt; state: Exp; lines: +4 -4; | ||
9037 | most obvious unsigned char casts for ctype | ||
9038 | ok jca krw ingo | ||
9039 | |||
9040 | commit 12069e56221de207ed666c2449dedb431a2a7ca2 | ||
9041 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9042 | Date: Thu Oct 13 04:04:44 2016 +1100 | ||
9043 | |||
9044 | Import rev 1.23 from OpenBSD. Fixes bz#2619. | ||
9045 | |||
9046 | revision 1.23 | ||
9047 | date: 2010/05/14 13:30:34; author: millert; state: Exp; lines: +41 -39; | ||
9048 | Defer installing signal handlers until echo is disabled so that we | ||
9049 | get suspended normally when not the foreground process. Fix potential | ||
9050 | infinite loop when restoring terminal settings if process is in the | ||
9051 | background when restore occurs. OK miod@ | ||
9052 | |||
9053 | commit 7508d83eff89af069760b4cc587305588a64e415 | ||
9054 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9055 | Date: Thu Oct 13 03:53:51 2016 +1100 | ||
9056 | |||
9057 | If we don't have TCSASOFT, define it to zero. | ||
9058 | |||
9059 | This makes it a no-op when we use it below, which allows us to re-sync | ||
9060 | those lines with the upstream and make future updates easier. | ||
9061 | |||
9062 | commit aae4dbd4c058d3b1fe1eb5c4e6ddf35827271377 | ||
9063 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
9064 | Date: Fri Oct 7 14:41:52 2016 +0000 | ||
9065 | |||
9066 | upstream commit | ||
9067 | |||
9068 | tidy up the formatting in this file. more specifically, | ||
9069 | replace .Dq, which looks appalling, with .Cm, where appropriate; | ||
9070 | |||
9071 | Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738 | ||
9072 | |||
9073 | commit a571dbcc7b7b25371174569b13df5159bc4c6c7a | ||
9074 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9075 | Date: Tue Oct 4 21:34:40 2016 +0000 | ||
9076 | |||
9077 | upstream commit | ||
9078 | |||
9079 | add a comment about implicitly-expected checks to | ||
9080 | sshkey_ec_validate_public() | ||
9081 | |||
9082 | Upstream-ID: 74a7f71c28f7c13a50f89fc78e7863b9cd61713f | ||
9083 | |||
9084 | commit 2f78a2a698f4222f8e05cad57ac6e0c3d1faff00 | ||
9085 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9086 | Date: Fri Sep 30 20:24:46 2016 +0000 | ||
9087 | |||
9088 | upstream commit | ||
9089 | |||
9090 | fix some -Wpointer-sign warnings in the new mux proxy; ok | ||
9091 | markus@ | ||
9092 | |||
9093 | Upstream-ID: b1ba7b3769fbc6b7f526792a215b0197f5e55dfd | ||
9094 | |||
9095 | commit ca71c36645fc26fcd739a8cfdc702cec85607761 | ||
9096 | Author: bluhm@openbsd.org <bluhm@openbsd.org> | ||
9097 | Date: Wed Sep 28 20:09:52 2016 +0000 | ||
9098 | |||
9099 | upstream commit | ||
9100 | |||
9101 | Add a makefile rule to create the ssh library when | ||
9102 | regress needs it. This allows to run the ssh regression tests without doing | ||
9103 | a "make build" before. Discussed with dtucker@ and djm@; OK djm@ | ||
9104 | |||
9105 | Upstream-Regress-ID: ce489bd53afcd471225a125b4b94565d4717c025 | ||
9106 | |||
9107 | commit ce44c970f913d2a047903dba8670554ac42fc479 | ||
9108 | Author: bluhm@openbsd.org <bluhm@openbsd.org> | ||
9109 | Date: Mon Sep 26 21:34:38 2016 +0000 | ||
9110 | |||
9111 | upstream commit | ||
9112 | |||
9113 | Allow to run ssh regression tests as root. If the user | ||
9114 | is already root, the test should not expect that SUDO is set. If ssh needs | ||
9115 | another user, use sudo or doas to switch from root if necessary. OK dtucker@ | ||
9116 | |||
9117 | Upstream-Regress-ID: b464e55185ac4303529e3e6927db41683aaeace2 | ||
9118 | |||
9119 | commit 8d0578478586e283e751ca51e7b0690631da139a | ||
9120 | Author: markus@openbsd.org <markus@openbsd.org> | ||
9121 | Date: Fri Sep 30 09:19:13 2016 +0000 | ||
9122 | |||
9123 | upstream commit | ||
9124 | |||
9125 | ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux | ||
9126 | client speaks the ssh-packet protocol directly over unix-domain socket. - mux | ||
9127 | server acts as a proxy, translates channel IDs and relays to the server. - no | ||
9128 | filedescriptor passing necessary. - combined with unix-domain forwarding it's | ||
9129 | even possible to run mux client and server on different machines. feedback | ||
9130 | & ok djm@ | ||
9131 | |||
9132 | Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b | ||
9133 | |||
9134 | commit b7689155f3f5c4999846c07a852b1c7a43b09cec | ||
9135 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9136 | Date: Wed Sep 28 21:44:52 2016 +0000 | ||
9137 | |||
9138 | upstream commit | ||
9139 | |||
9140 | put back some pre-auth zlib bits that I shouldn't have | ||
9141 | removed - they are still used by the client. Spotted by naddy@ | ||
9142 | |||
9143 | Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2 | ||
9144 | |||
9145 | commit 4577adead6a7d600c8e764619d99477a08192c8f | ||
9146 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9147 | Date: Wed Sep 28 20:32:42 2016 +0000 | ||
9148 | |||
9149 | upstream commit | ||
9150 | |||
9151 | restore pre-auth compression support in the client -- the | ||
9152 | previous commit was intended to remove it from the server only. | ||
9153 | |||
9154 | remove a few server-side pre-auth compression bits that escaped | ||
9155 | |||
9156 | adjust wording of Compression directive in sshd_config(5) | ||
9157 | |||
9158 | pointed out by naddy@ ok markus@ | ||
9159 | |||
9160 | Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b | ||
9161 | |||
9162 | commit 80d1c963b4dc84ffd11d09617b39c4bffda08956 | ||
9163 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
9164 | Date: Wed Sep 28 17:59:22 2016 +0000 | ||
9165 | |||
9166 | upstream commit | ||
9167 | |||
9168 | use a separate TOKENS section, as we've done for | ||
9169 | sshd_config(5); help/ok djm | ||
9170 | |||
9171 | Upstream-ID: 640e32b5e4838e4363738cdec955084b3579481d | ||
9172 | |||
9173 | commit 1cfd5c06efb121e58e8b6671548fda77ef4b4455 | ||
9174 | Author: Damien Miller <djm@mindrot.org> | ||
9175 | Date: Thu Sep 29 03:19:23 2016 +1000 | ||
9176 | |||
9177 | Remove portability support for mmap | ||
9178 | |||
9179 | We no longer need to wrap/replace mmap for portability now that | ||
9180 | pre-auth compression has been removed from OpenSSH. | ||
9181 | |||
9182 | commit 0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f | ||
9183 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9184 | Date: Wed Sep 28 16:33:06 2016 +0000 | ||
9185 | |||
9186 | upstream commit | ||
9187 | |||
9188 | Remove support for pre-authentication compression. Doing | ||
9189 | compression early in the protocol probably seemed reasonable in the 1990s, | ||
9190 | but today it's clearly a bad idea in terms of both cryptography (cf. multiple | ||
9191 | compression oracle attacks in TLS) and attack surface. | ||
9192 | |||
9193 | Moreover, to support it across privilege-separation zlib needed | ||
9194 | the assistance of a complex shared-memory manager that made the | ||
9195 | required attack surface considerably larger. | ||
9196 | |||
9197 | Prompted by Guido Vranken pointing out a compiler-elided security | ||
9198 | check in the shared memory manager found by Stack | ||
9199 | (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ | ||
9200 | |||
9201 | NB. pre-auth authentication has been disabled by default in sshd | ||
9202 | for >10 years. | ||
9203 | |||
9204 | Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf | ||
9205 | |||
9206 | commit 27c3a9c2aede2184856b5de1e6eca414bb751c38 | ||
9207 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9208 | Date: Mon Sep 26 21:16:11 2016 +0000 | ||
9209 | |||
9210 | upstream commit | ||
9211 | |||
9212 | Avoid a theoretical signed integer overflow should | ||
9213 | BN_num_bytes() ever violate its manpage and return a negative value. Improve | ||
9214 | order of tests to avoid confusing increasingly pedantic compilers. | ||
9215 | |||
9216 | Reported by Guido Vranken from stack (css.csail.mit.edu/stack) | ||
9217 | unstable optimisation analyser output. ok deraadt@ | ||
9218 | |||
9219 | Upstream-ID: f8508c830c86d8f36c113985e52bf8eedae23505 | ||
9220 | |||
9221 | commit 8663e51c80c6aa3d750c6d3bcff6ee05091922be | ||
9222 | Author: Damien Miller <djm@mindrot.org> | ||
9223 | Date: Wed Sep 28 07:40:33 2016 +1000 | ||
9224 | |||
9225 | fix mdoc2man.awk formatting for top-level lists | ||
9226 | |||
9227 | Reported by Glenn Golden | ||
9228 | Diagnosis and fix from Ingo Schwarze | ||
9229 | |||
9230 | commit b97739dc21570209ed9d4e7beee0c669ed23b097 | ||
9231 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9232 | Date: Thu Sep 22 21:15:41 2016 +0000 | ||
9233 | |||
9234 | upstream commit | ||
9235 | |||
9236 | missing bit from previous commit | ||
9237 | |||
9238 | Upstream-ID: 438d5ed6338b28b46e822eb13eee448aca31df37 | ||
9239 | |||
9240 | commit de6a175a99d22444e10d19ad3fffef39bc3ee3bb | ||
9241 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
9242 | Date: Thu Sep 22 19:19:01 2016 +0000 | ||
9243 | |||
9244 | upstream commit | ||
9245 | |||
9246 | organise the token stuff into a separate section; ok | ||
9247 | markus for an earlier version of the diff ok/tweaks djm | ||
9248 | |||
9249 | Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8 | ||
9250 | |||
9251 | commit 16277fc45ffc95e4ffc3d45971ff8320b974de2b | ||
9252 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9253 | Date: Thu Sep 22 17:55:13 2016 +0000 | ||
9254 | |||
9255 | upstream commit | ||
9256 | |||
9257 | mention curve25519-sha256 KEX | ||
9258 | |||
9259 | Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf | ||
9260 | |||
9261 | commit 0493766d5676c7ca358824ea8d3c90f6047953df | ||
9262 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9263 | Date: Thu Sep 22 17:52:53 2016 +0000 | ||
9264 | |||
9265 | upstream commit | ||
9266 | |||
9267 | support plain curve25519-sha256 KEX algorithm now that it | ||
9268 | is approaching standardisation (same algorithm is currently supported as | ||
9269 | curve25519-sha256@libssh.org) | ||
9270 | |||
9271 | Upstream-ID: 5e2b6db2e72667048cf426da43c0ee3fc777baa2 | ||
9272 | |||
9273 | commit f31c654b30a6f02ce0b8ea8ab81791b675489628 | ||
9274 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
9275 | Date: Thu Sep 22 02:29:57 2016 +0000 | ||
9276 | |||
9277 | upstream commit | ||
9278 | |||
9279 | If ssh receives a PACKET_DISCONNECT during userauth it | ||
9280 | will cause ssh_dispatch_run(DISPATCH_BLOCK, ...) to return without the | ||
9281 | session being authenticated. Check for this and exit if necessary. ok djm@ | ||
9282 | |||
9283 | Upstream-ID: b3afe126c0839d2eae6cddd41ff2ba317eda0903 | ||
9284 | |||
9285 | commit 1622649b7a829fc8dc313042a43a974f0f3e8a99 | ||
9286 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9287 | Date: Wed Sep 21 19:53:12 2016 +0000 | ||
9288 | |||
9289 | upstream commit | ||
9290 | |||
9291 | correctly return errors from kex_send_ext_info(). Fix from | ||
9292 | Sami Farin via https://github.com/openssh/openssh-portable/pull/50 | ||
9293 | |||
9294 | Upstream-ID: c85999af28aaecbf92cfa2283381df81e839b42c | ||
9295 | |||
9296 | commit f83a0cfe16c7a73627b46a9a94e40087d60f32fb | ||
9297 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9298 | Date: Wed Sep 21 17:44:20 2016 +0000 | ||
9299 | |||
9300 | upstream commit | ||
9301 | |||
9302 | cast uint64_t for printf | ||
9303 | |||
9304 | Upstream-ID: 76d23e89419ccbd2320f92792a6d878211666ac1 | ||
9305 | |||
9306 | commit 5f63ab474f58834feca4f35c498be03b7dd38a16 | ||
9307 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9308 | Date: Wed Sep 21 17:03:54 2016 +0000 | ||
9309 | |||
9310 | upstream commit | ||
9311 | |||
9312 | disable tests for affirmative negated match after backout of | ||
9313 | match change | ||
9314 | |||
9315 | Upstream-Regress-ID: acebb8e5042f03d66d86a50405c46c4de0badcfd | ||
9316 | |||
9317 | commit a5ad3a9db5a48f350f257a67b62fafd719ecb7e0 | ||
9318 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9319 | Date: Wed Sep 21 16:55:42 2016 +0000 | ||
9320 | |||
9321 | upstream commit | ||
9322 | |||
9323 | Revert two recent changes to negated address matching. The | ||
9324 | new behaviour offers unintuitive surprises. We'll find a better way to deal | ||
9325 | with single negated matches. | ||
9326 | |||
9327 | match.c 1.31: | ||
9328 | > fix matching for pattern lists that contain a single negated match, | ||
9329 | > e.g. "Host !example" | ||
9330 | > | ||
9331 | > report and patch from Robin Becker. bz#1918 ok dtucker@ | ||
9332 | |||
9333 | addrmatch.c 1.11: | ||
9334 | > fix negated address matching where the address list consists of a | ||
9335 | > single negated match, e.g. "Match addr !192.20.0.1" | ||
9336 | > | ||
9337 | > Report and patch from Jakub Jelen. bz#2397 ok dtucker@ | ||
9338 | |||
9339 | Upstream-ID: ec96c770f0f5b9a54e5e72fda25387545e9c80c6 | ||
9340 | |||
9341 | commit 119b7a2ca0ef2bf3f81897ae10301b8ca8cba844 | ||
9342 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9343 | Date: Wed Sep 21 01:35:12 2016 +0000 | ||
9344 | |||
9345 | upstream commit | ||
9346 | |||
9347 | test all the AuthorizedPrincipalsCommand % expansions | ||
9348 | |||
9349 | Upstream-Regress-ID: 0a79a84dfaa59f958e46b474c3db780b454d30e3 | ||
9350 | |||
9351 | commit bfa9d969ab6235d4938ce069d4db7e5825c56a19 | ||
9352 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9353 | Date: Wed Sep 21 01:34:45 2016 +0000 | ||
9354 | |||
9355 | upstream commit | ||
9356 | |||
9357 | add a way for principals command to get see key ID and serial | ||
9358 | too | ||
9359 | |||
9360 | Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb | ||
9361 | |||
9362 | commit 920585b826af1c639e4ed78b2eba01fd2337b127 | ||
9363 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9364 | Date: Fri Sep 16 06:09:31 2016 +0000 | ||
9365 | |||
9366 | upstream commit | ||
9367 | |||
9368 | add a note on kexfuzz' limitations | ||
9369 | |||
9370 | Upstream-Regress-ID: 03804d4a0dbc5163e1a285a4c8cc0a76a4e864ec | ||
9371 | |||
9372 | commit 0445ff184080b196e12321998b4ce80b0f33f8d1 | ||
9373 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9374 | Date: Fri Sep 16 01:01:41 2016 +0000 | ||
9375 | |||
9376 | upstream commit | ||
9377 | |||
9378 | fix for newer modp DH groups | ||
9379 | (diffie-hellman-group14-sha256 etc) | ||
9380 | |||
9381 | Upstream-Regress-ID: fe942c669959462b507516ae1634fde0725f1c68 | ||
9382 | |||
9383 | commit 28652bca29046f62c7045e933e6b931de1d16737 | ||
9384 | Author: markus@openbsd.org <markus@openbsd.org> | ||
9385 | Date: Mon Sep 19 19:02:19 2016 +0000 | ||
9386 | |||
9387 | upstream commit | ||
9388 | |||
9389 | move inbound NEWKEYS handling to kex layer; otherwise | ||
9390 | early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed | ||
9391 | with & ok djm@ | ||
9392 | |||
9393 | Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f | ||
9394 | |||
9395 | commit 492710894acfcc2f173d14d1d45bd2e688df605d | ||
9396 | Author: natano@openbsd.org <natano@openbsd.org> | ||
9397 | Date: Mon Sep 19 07:52:42 2016 +0000 | ||
9398 | |||
9399 | upstream commit | ||
9400 | |||
9401 | Replace two more arc4random() loops with | ||
9402 | arc4random_buf(). | ||
9403 | |||
9404 | tweaks and ok dtucker | ||
9405 | ok deraadt | ||
9406 | |||
9407 | Upstream-ID: 738d3229130ccc7eac975c190276ca6fcf0208e4 | ||
9408 | |||
9409 | commit 1036356324fecc13099ac6e986b549f6219327d7 | ||
9410 | Author: tedu@openbsd.org <tedu@openbsd.org> | ||
9411 | Date: Sat Sep 17 18:00:27 2016 +0000 | ||
9412 | |||
9413 | upstream commit | ||
9414 | |||
9415 | replace two arc4random loops with arc4random_buf ok | ||
9416 | deraadt natano | ||
9417 | |||
9418 | Upstream-ID: e18ede972d1737df54b49f011fa4f3917a403f48 | ||
9419 | |||
9420 | commit 00df97ff68a49a756d4b977cd02283690f5dfa34 | ||
9421 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9422 | Date: Wed Sep 14 20:11:26 2016 +0000 | ||
9423 | |||
9424 | upstream commit | ||
9425 | |||
9426 | take fingerprint of correct key for | ||
9427 | AuthorizedPrincipalsCommand | ||
9428 | |||
9429 | Upstream-ID: 553581a549cd6a3e73ce9f57559a325cc2cb1f38 | ||
9430 | |||
9431 | commit e7907c1cb938b96dd33d27c2fea72c4e08c6b2f6 | ||
9432 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9433 | Date: Wed Sep 14 05:42:25 2016 +0000 | ||
9434 | |||
9435 | upstream commit | ||
9436 | |||
9437 | add %-escapes to AuthorizedPrincipalsCommand to match those | ||
9438 | supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a | ||
9439 | few more to provide access to the certificate's CA key; 'looks ok' dtucker@ | ||
9440 | |||
9441 | Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb | ||
9442 | |||
9443 | commit 2b939c272a81c4d0c47badeedbcb2ba7c128ccda | ||
9444 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
9445 | Date: Wed Sep 14 00:45:31 2016 +0000 | ||
9446 | |||
9447 | upstream commit | ||
9448 | |||
9449 | Improve test coverage of ssh-keygen -T a bit. | ||
9450 | |||
9451 | Upstream-Regress-ID: 8851668c721bcc2b400600cfc5a87644cc024e72 | ||
9452 | |||
9453 | commit 44d82fc83be6c5ccd70881c2dac1a73e5050398b | ||
9454 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
9455 | Date: Mon Sep 12 02:25:46 2016 +0000 | ||
9456 | |||
9457 | upstream commit | ||
9458 | |||
9459 | Add testcase for ssh-keygen -j, -J and -K options for | ||
9460 | moduli screening. Does not currently test generation as that is extremely | ||
9461 | slow. | ||
9462 | |||
9463 | Upstream-Regress-ID: 9de6ce801377ed3ce0a63a1413f1cd5fd3c2d062 | ||
9464 | |||
9465 | commit 44e5f756d286bc3a1a5272ea484ee276ba3ac5c2 | ||
9466 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9467 | Date: Tue Aug 23 08:17:04 2016 +0000 | ||
9468 | |||
9469 | upstream commit | ||
9470 | |||
9471 | add tests for addr_match_list() | ||
9472 | |||
9473 | Upstream-Regress-ID: fae2d1fef84687ece584738a924c7bf969616c8e | ||
9474 | |||
9475 | commit 445e218878035b59c704c18406e8aeaff4c8aa25 | ||
9476 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9477 | Date: Mon Sep 12 23:39:34 2016 +0000 | ||
9478 | |||
9479 | upstream commit | ||
9480 | |||
9481 | handle certs in rsa_hash_alg_from_ident(), saving an | ||
9482 | unnecessary special case elsewhere. | ||
9483 | |||
9484 | Upstream-ID: 901cb081c59d6d2698b57901c427f3f6dc7397d4 | ||
9485 | |||
9486 | commit 130f5df4fa37cace8c079dccb690e5cafbf00751 | ||
9487 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9488 | Date: Mon Sep 12 23:31:27 2016 +0000 | ||
9489 | |||
9490 | upstream commit | ||
9491 | |||
9492 | list all supported signature algorithms in the | ||
9493 | server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) | ||
9494 | Ron Frederick; ok markus@ | ||
9495 | |||
9496 | Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd | ||
9497 | |||
9498 | commit 8f750ccfc07acb8aa98be5a5dd935033a6468cfd | ||
9499 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9500 | Date: Mon Sep 12 14:43:58 2016 +1000 | ||
9501 | |||
9502 | Remove no-op brackets to resync with upstream. | ||
9503 | |||
9504 | commit 7050896e7395866278c19c2ff080c26152619d1d | ||
9505 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9506 | Date: Mon Sep 12 13:57:28 2016 +1000 | ||
9507 | |||
9508 | Resync ssh-keygen -W error message with upstream. | ||
9509 | |||
9510 | commit 43cceff82cc20413cce58ba3375e19684e62cec4 | ||
9511 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9512 | Date: Mon Sep 12 13:55:37 2016 +1000 | ||
9513 | |||
9514 | Move ssh-keygen -W handling code to match upstream | ||
9515 | |||
9516 | commit af48d541360b1d7737b35740a4b1ca34e1652cd9 | ||
9517 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9518 | Date: Mon Sep 12 13:52:17 2016 +1000 | ||
9519 | |||
9520 | Move ssh-keygen -T handling code to match upstream. | ||
9521 | |||
9522 | commit d8c3cfbb018825c6c86547165ddaf11924901c49 | ||
9523 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9524 | Date: Mon Sep 12 13:30:50 2016 +1000 | ||
9525 | |||
9526 | Move -M handling code to match upstream. | ||
9527 | |||
9528 | commit 7b63cf6dbbfa841c003de57d1061acbf2ff22364 | ||
9529 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
9530 | Date: Mon Sep 12 03:29:16 2016 +0000 | ||
9531 | |||
9532 | upstream commit | ||
9533 | |||
9534 | Spaces->tabs. | ||
9535 | |||
9536 | Upstream-ID: f4829dfc3f36318273f6082b379ac562eead70b7 | ||
9537 | |||
9538 | commit 11e5e644536821ceb3bb4dd8487fbf0588522887 | ||
9539 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
9540 | Date: Mon Sep 12 03:25:20 2016 +0000 | ||
9541 | |||
9542 | upstream commit | ||
9543 | |||
9544 | Style whitespace fix. Also happens to remove a no-op | ||
9545 | diff with portable. | ||
9546 | |||
9547 | Upstream-ID: 45d90f9a62ad56340913a433a9453eb30ceb8bf3 | ||
9548 | |||
9549 | commit 9136ec134c97a8aff2917760c03134f52945ff3c | ||
9550 | Author: deraadt@openbsd.org <deraadt@openbsd.org> | ||
9551 | Date: Mon Sep 12 01:22:38 2016 +0000 | ||
9552 | |||
9553 | upstream commit | ||
9554 | |||
9555 | Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then | ||
9556 | use those definitions rather than pulling <sys/param.h> and unknown namespace | ||
9557 | pollution. ok djm markus dtucker | ||
9558 | |||
9559 | Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8 | ||
9560 | |||
9561 | commit f219fc8f03caca7ac82a38ed74bbd6432a1195e7 | ||
9562 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
9563 | Date: Wed Sep 7 18:39:24 2016 +0000 | ||
9564 | |||
9565 | upstream commit | ||
9566 | |||
9567 | sort; from matthew martin | ||
9568 | |||
9569 | Upstream-ID: 73cec7f7ecc82d37a4adffad7745e4684de67ce7 | ||
9570 | |||
9571 | commit 06ce56b05def9460aecc7cdb40e861a346214793 | ||
9572 | Author: markus@openbsd.org <markus@openbsd.org> | ||
9573 | Date: Tue Sep 6 09:22:56 2016 +0000 | ||
9574 | |||
9575 | upstream commit | ||
9576 | |||
9577 | ssh_set_newkeys: print correct block counters on | ||
9578 | rekeying; ok djm@ | ||
9579 | |||
9580 | Upstream-ID: 32bb7a9cb9919ff5bab28d50ecef3a2b2045dd1e | ||
9581 | |||
9582 | commit e5e8d9114ac6837a038f4952994ca95a97fafe8d | ||
9583 | Author: markus@openbsd.org <markus@openbsd.org> | ||
9584 | Date: Tue Sep 6 09:14:05 2016 +0000 | ||
9585 | |||
9586 | upstream commit | ||
9587 | |||
9588 | update ext_info_c every time we receive a kexinit msg; | ||
9589 | fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & | ||
9590 | Mancha; ok djm@ | ||
9591 | |||
9592 | Upstream-ID: 2ceaa1076e19dbd3542254b4fb8e42d608f28856 | ||
9593 | |||
9594 | commit da95318dbedbaa1335323dba370975c2f251afd8 | ||
9595 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9596 | Date: Mon Sep 5 14:02:42 2016 +0000 | ||
9597 | |||
9598 | upstream commit | ||
9599 | |||
9600 | remove 3des-cbc from the client's default proposal; | ||
9601 | 64-bit block ciphers are not safe in 2016 and we don't want to wait until | ||
9602 | attacks like sweet32 are extended to SSH. | ||
9603 | |||
9604 | As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may | ||
9605 | cause problems connecting to older devices using the defaults, but | ||
9606 | it's highly likely that such devices already need explicit | ||
9607 | configuration for KEX and hostkeys anyway. | ||
9608 | |||
9609 | ok deraadt, markus, dtucker | ||
9610 | |||
9611 | Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f | ||
9612 | |||
9613 | commit b33ad6d997d36edfea65e243cd12ccd01f413549 | ||
9614 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9615 | Date: Mon Sep 5 13:57:31 2016 +0000 | ||
9616 | |||
9617 | upstream commit | ||
9618 | |||
9619 | enforce expected request flow for GSSAPI calls; thanks to | ||
9620 | Jakub Jelen for testing; ok markus@ | ||
9621 | |||
9622 | Upstream-ID: d4bc0e70e1be403735d3d9d7e176309b1fd626b9 | ||
9623 | |||
9624 | commit 0bb2980260fb24e5e0b51adac471395781b66261 | ||
9625 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9626 | Date: Mon Sep 12 11:07:00 2016 +1000 | ||
9627 | |||
9628 | Restore ssh-keygen's -J and -j option handling. | ||
9629 | |||
9630 | These were incorrectly removed in the 1d9a2e28 sync commit. | ||
9631 | |||
9632 | commit 775f8a23f2353f5869003c57a213d14b28e0736e | ||
9633 | Author: Damien Miller <djm@mindrot.org> | ||
9634 | Date: Wed Aug 31 10:48:07 2016 +1000 | ||
9635 | |||
9636 | tighten PAM monitor calls | ||
9637 | |||
9638 | only allow kbd-interactive ones when that authentication method is | ||
9639 | enabled. Prompted by Solar Designer | ||
9640 | |||
9641 | commit 7fd0ea8a1db4bcfb3d8cd9df149e5d571ebea1f4 | ||
9642 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9643 | Date: Tue Aug 30 07:50:21 2016 +0000 | ||
9644 | |||
9645 | upstream commit | ||
9646 | |||
9647 | restrict monitor auth calls to be allowed only when their | ||
9648 | respective authentication methods are enabled in the configuration. | ||
9649 | |||
9650 | prompted by Solar Designer; ok markus dtucker | ||
9651 | |||
9652 | Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553 | ||
9653 | |||
9654 | commit b38b95f5bcc52278feb839afda2987933f68ff96 | ||
9655 | Author: Damien Miller <djm@mindrot.org> | ||
9656 | Date: Mon Aug 29 11:47:07 2016 +1000 | ||
9657 | |||
9658 | Tighten monitor state-machine flow for PAM calls | ||
9659 | |||
9660 | (attack surface reduction) | ||
9661 | |||
9662 | commit dc664d1bd0fc91b24406a3e9575b81c285b8342b | ||
9663 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9664 | Date: Sun Aug 28 22:28:12 2016 +0000 | ||
9665 | |||
9666 | upstream commit | ||
9667 | |||
9668 | fix uninitialised optlen in getsockopt() call; harmless | ||
9669 | on Unix/BSD but potentially crashy on Cygwin. Reported by James Slepicka ok | ||
9670 | deraadt@ | ||
9671 | |||
9672 | Upstream-ID: 1987ccee508ba5b18f016c85100d7ac3f70ff965 | ||
9673 | |||
9674 | commit 5bcc1e2769f7d6927d41daf0719a9446ceab8dd7 | ||
9675 | Author: guenther@openbsd.org <guenther@openbsd.org> | ||
9676 | Date: Sat Aug 27 04:05:12 2016 +0000 | ||
9677 | |||
9678 | upstream commit | ||
9679 | |||
9680 | Pull in <sys/time.h> for struct timeval | ||
9681 | |||
9682 | ok deraadt@ | ||
9683 | |||
9684 | Upstream-ID: ae34525485a173bccd61ac8eefeb91c57e3b7df6 | ||
9685 | |||
9686 | commit fa4a4c96b19127dc2fd4e92f20d99c0c7f34b538 | ||
9687 | Author: guenther@openbsd.org <guenther@openbsd.org> | ||
9688 | Date: Sat Aug 27 04:04:56 2016 +0000 | ||
9689 | |||
9690 | upstream commit | ||
9691 | |||
9692 | Pull in <stdlib.h> for NULL | ||
9693 | |||
9694 | ok deraadt@ | ||
9695 | |||
9696 | Upstream-ID: 7baa6a0f1e049bb3682522b4b95a26c866bfc043 | ||
9697 | |||
9698 | commit ae363d74ccc1451185c0c8bd4631e28c67c7fd36 | ||
9699 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9700 | Date: Thu Aug 25 23:57:54 2016 +0000 | ||
9701 | |||
9702 | upstream commit | ||
9703 | |||
9704 | add a sIgnore opcode that silently ignores options and | ||
9705 | use it to suppress noisy deprecation warnings for the Protocol directive. | ||
9706 | |||
9707 | req henning, ok markus | ||
9708 | |||
9709 | Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0 | ||
9710 | |||
9711 | commit a94c60306643ae904add6e8ed219e4be3494255c | ||
9712 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9713 | Date: Thu Aug 25 23:56:51 2016 +0000 | ||
9714 | |||
9715 | upstream commit | ||
9716 | |||
9717 | remove superfluous NOTREACHED comment | ||
9718 | |||
9719 | Upstream-ID: a7485c1f1be618e8c9e38fd9be46c13b2d03b90c | ||
9720 | |||
9721 | commit fc041c47144ce28cf71353124a8a5d183cd6a251 | ||
9722 | Author: otto@openbsd.org <otto@openbsd.org> | ||
9723 | Date: Tue Aug 23 16:21:45 2016 +0000 | ||
9724 | |||
9725 | upstream commit | ||
9726 | |||
9727 | fix previous, a condition was modified incorrectly; ok | ||
9728 | markus@ deraadt@ | ||
9729 | |||
9730 | Upstream-ID: c443e339768e7ed396dff3bb55f693e7d3641453 | ||
9731 | |||
9732 | commit 23555eb13a9b0550371a16dcf8beaab7a5806a64 | ||
9733 | Author: djm@openbsd.org <djm@openbsd.org> | ||
9734 | Date: Tue Aug 23 08:17:42 2016 +0000 | ||
9735 | |||
9736 | upstream commit | ||
9737 | |||
9738 | downgrade an error() to a debug2() to match similar cases | ||
9739 | in addr_match_list() | ||
9740 | |||
9741 | Upstream-ID: 07c3d53e357214153d9d08f234411e0d1a3d6f5c | ||