* New upstream release (closes: #453367).

- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738). - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. - The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work. - Make scp(1) skip FIFOs rather than hanging (closes: #246774). - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error". - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated. - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms. - Improve documentation for ssh-add(1)'s -d option. - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established. - In scp(1), do not truncate non-regular files. - Improve exit message from ControlMaster clients. - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541). - pam_end() was not being called if authentication failed (closes: #405041). - Manual page datestamps updated (closes: #433181).
author: Colin Watson <cjwatson@debian.org> 2007-12-24 10:29:57 +0000
committer: Colin Watson <cjwatson@debian.org> 2007-12-24 10:29:57 +0000
commit: c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch)
tree: b72c0867348e7e7914d64af6fc5e25c728922e03 /README.platform
parent: 6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff)
parent: 70847d299887abb96f8703ca99db6d817b78960e (diff)
1 files changed, 15 insertions, 1 deletions
diff --git a/README.platform b/README.platform
index b7dc3f91c..3d7db1494 100644
--- a/README.platform
+++ b/README.platform
@@ -23,6 +23,20 @@ to force the previous IPv4-only behaviour.
 IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
 IPv6 known broken: 4.3.3ML11 5.1ML4
+If you wish to use dynamic libraries that aren't in the normal system
+locations (eg IBM's OpenSSL and zlib packages) then you will need to
+define the environment variable blibpath before running configure, eg
+blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
+  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
+If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
+by default) then sshd checks that users are permitted via the
+loginrestrictions() function, in particular that the user has the
+"rlogin" attribute set.  This check is not done for the root account,
+instead the PermitRootLogin setting in sshd_config is used.
 Cygwin
 ------
 To build on Cygwin, OpenSSH requires the following packages:
@@ -67,4 +81,4 @@ account stacks which will prevent authentication entirely, but will still
 return the output from pam_nologin to the client.
-$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $
+$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $
author	Colin Watson <cjwatson@debian.org>	2007-12-24 10:29:57 +0000
committer	Colin Watson <cjwatson@debian.org>	2007-12-24 10:29:57 +0000
commit	c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch)
tree	b72c0867348e7e7914d64af6fc5e25c728922e03 /README.platform
parent	6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff)
parent	70847d299887abb96f8703ca99db6d817b78960e (diff)

diff --git a/README.platform b/README.platform index b7dc3f91c..3d7db1494 100644 --- a/README.platform +++ b/README.platform
@@ -23,6 +23,20 @@ to force the previous IPv4-only behaviour.
23	IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5	23	IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
24	IPv6 known broken: 4.3.3ML11 5.1ML4	24	IPv6 known broken: 4.3.3ML11 5.1ML4
25		25
		26	If you wish to use dynamic libraries that aren't in the normal system
		27	locations (eg IBM's OpenSSL and zlib packages) then you will need to
		28	define the environment variable blibpath before running configure, eg
		29
		30	blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
		31	--with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
		32
		33	If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
		34	by default) then sshd checks that users are permitted via the
		35	loginrestrictions() function, in particular that the user has the
		36	"rlogin" attribute set. This check is not done for the root account,
		37	instead the PermitRootLogin setting in sshd_config is used.
		38
		39
26	Cygwin	40	Cygwin
27	------	41	------
28	To build on Cygwin, OpenSSH requires the following packages:	42	To build on Cygwin, OpenSSH requires the following packages:
@@ -67,4 +81,4 @@ account stacks which will prevent authentication entirely, but will still
67	return the output from pam_nologin to the client.	81	return the output from pam_nologin to the client.
68		82
69		83
70	$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $	84	$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $