- djm@cvs.openbsd.org 2014/04/01 03:34:10

[sshconnect.c] When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. Reported by mcv21 AT cam.ac.uk
author: Damien Miller <djm@mindrot.org> 2014-04-20 13:23:43 +1000
committer: Damien Miller <djm@mindrot.org> 2014-04-20 13:23:43 +1000
commit: 7d6a9fb660c808882d064e152d6070ffc3844c3f (patch)
tree: b3ba326eb0853c005d9c9d4c91b1c0f8dac8855e /ChangeLog
parent: fcd62c0b66b8415405ed0af29c236329eb88cc0f (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index c1f6f2638..898fc89c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -73,6 +73,15 @@
     [ssh-keysign.c]
     include fingerprint of key not found
     use arc4random_buf() instead of loop+arc4random()
+   - djm@cvs.openbsd.org 2014/04/01 03:34:10
+     [sshconnect.c]
+     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+     certificate keys to plain keys and attempt SSHFP resolution.
+     
+     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+     dialog by offering only certificate keys.
+     
+     Reported by mcv21 AT cam.ac.uk
 20140401
 - (djm) On platforms that support it, use prctl() to prevent sftp-server
author	Damien Miller <djm@mindrot.org>	2014-04-20 13:23:43 +1000
committer	Damien Miller <djm@mindrot.org>	2014-04-20 13:23:43 +1000
commit	7d6a9fb660c808882d064e152d6070ffc3844c3f (patch)
tree	b3ba326eb0853c005d9c9d4c91b1c0f8dac8855e /ChangeLog
parent	fcd62c0b66b8415405ed0af29c236329eb88cc0f (diff)

diff --git a/ChangeLog b/ChangeLog index c1f6f2638..898fc89c6 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -73,6 +73,15 @@
73	[ssh-keysign.c]	73	[ssh-keysign.c]
74	include fingerprint of key not found	74	include fingerprint of key not found
75	use arc4random_buf() instead of loop+arc4random()	75	use arc4random_buf() instead of loop+arc4random()
		76	- djm@cvs.openbsd.org 2014/04/01 03:34:10
		77	[sshconnect.c]
		78	When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
		79	certificate keys to plain keys and attempt SSHFP resolution.
		80
		81	Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
		82	dialog by offering only certificate keys.
		83
		84	Reported by mcv21 AT cam.ac.uk
76		85
77	20140401	86	20140401
78	- (djm) On platforms that support it, use prctl() to prevent sftp-server	87	- (djm) On platforms that support it, use prctl() to prevent sftp-server