* New upstream release (closes: #453367).

- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738). - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. - The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work. - Make scp(1) skip FIFOs rather than hanging (closes: #246774). - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error". - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated. - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms. - Improve documentation for ssh-add(1)'s -d option. - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established. - In scp(1), do not truncate non-regular files. - Improve exit message from ControlMaster clients. - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541). - pam_end() was not being called if authentication failed (closes: #405041). - Manual page datestamps updated (closes: #433181).
author: Colin Watson <cjwatson@debian.org> 2007-12-24 10:29:57 +0000
committer: Colin Watson <cjwatson@debian.org> 2007-12-24 10:29:57 +0000
commit: c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch)
tree: b72c0867348e7e7914d64af6fc5e25c728922e03 /auth.c
parent: 6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff)
parent: 70847d299887abb96f8703ca99db6d817b78960e (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/auth.c b/auth.c
index 505102f8a..c1e0f4812 100644
--- a/auth.c
+++ b/auth.c
@@ -115,11 +115,11 @@ allowed_user(struct passwd * pw)
        /* grab passwd field for locked account check */
 #ifdef USE_SHADOW
        if (spw != NULL)
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
                passwd = get_iaf_password(pw);
 #else
                passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
 #else
        passwd = pw->pw_passwd;
 #endif
@@ -141,9 +141,9 @@ allowed_user(struct passwd * pw)
                if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
                        locked = 1;
 #endif
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
                free(passwd);
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
                if (locked) {
                        logit("User %.100s not allowed because account is locked",
                            pw->pw_name);
author	Colin Watson <cjwatson@debian.org>	2007-12-24 10:29:57 +0000
committer	Colin Watson <cjwatson@debian.org>	2007-12-24 10:29:57 +0000
commit	c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch)
tree	b72c0867348e7e7914d64af6fc5e25c728922e03 /auth.c
parent	6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff)
parent	70847d299887abb96f8703ca99db6d817b78960e (diff)

diff --git a/auth.c b/auth.c index 505102f8a..c1e0f4812 100644 --- a/auth.c +++ b/auth.c
@@ -115,11 +115,11 @@ allowed_user(struct passwd * pw)
115	/* grab passwd field for locked account check */	115	/* grab passwd field for locked account check */
116	#ifdef USE_SHADOW	116	#ifdef USE_SHADOW
117	if (spw != NULL)	117	if (spw != NULL)
118	#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)	118	#ifdef USE_LIBIAF
119	passwd = get_iaf_password(pw);	119	passwd = get_iaf_password(pw);
120	#else	120	#else
121	passwd = spw->sp_pwdp;	121	passwd = spw->sp_pwdp;
122	#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */	122	#endif /* USE_LIBIAF */
123	#else	123	#else
124	passwd = pw->pw_passwd;	124	passwd = pw->pw_passwd;
125	#endif	125	#endif
@@ -141,9 +141,9 @@ allowed_user(struct passwd * pw)
141	if (strstr(passwd, LOCKED_PASSWD_SUBSTR))	141	if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
142	locked = 1;	142	locked = 1;
143	#endif	143	#endif
144	#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)	144	#ifdef USE_LIBIAF
145	free(passwd);	145	free(passwd);
146	#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */	146	#endif /* USE_LIBIAF */
147	if (locked) {	147	if (locked) {
148	logit("User %.100s not allowed because account is locked",	148	logit("User %.100s not allowed because account is locked",
149	pw->pw_name);	149	pw->pw_name);