diff options
author | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
commit | c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch) | |
tree | b72c0867348e7e7914d64af6fc5e25c728922e03 /packet.c | |
parent | 6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff) | |
parent | 70847d299887abb96f8703ca99db6d817b78960e (diff) |
* New upstream release (closes: #453367).
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
creation of an untrusted cookie fails; found and fixed by Jan Pechanec
(closes: #444738).
- sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
installations are unchanged.
- The SSH channel window size has been increased, and both ssh(1)
sshd(8) now send window updates more aggressively. These improves
performance on high-BDP (Bandwidth Delay Product) networks.
- ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
- A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"umac-64@openssh.com". UMAC-64 has been measured to be approximately
20% faster than HMAC-MD5.
- Failure to establish a ssh(1) TunnelForward is now treated as a fatal
error when the ExitOnForwardFailure option is set.
- ssh(1) returns a sensible exit status if the control master goes away
without passing the full exit status.
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work.
- Make scp(1) skip FIFOs rather than hanging (closes: #246774).
- Encode non-printing characters in scp(1) filenames. These could cause
copies to be aborted with a "protocol error".
- Handle SIGINT in sshd(8) privilege separation child process to ensure
that wtmp and lastlog records are correctly updated.
- Report GSSAPI mechanism in errors, for libraries that support multiple
mechanisms.
- Improve documentation for ssh-add(1)'s -d option.
- Rearrange and tidy GSSAPI code, removing server-only code being linked
into the client.
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established.
- In scp(1), do not truncate non-regular files.
- Improve exit message from ControlMaster clients.
- Prevent sftp-server(8) from reading until it runs out of buffer space,
whereupon it would exit with a fatal error (closes: #365541).
- pam_end() was not being called if authentication failed
(closes: #405041).
- Manual page datestamps updated (closes: #433181).
Diffstat (limited to 'packet.c')
-rw-r--r-- | packet.c | 10 |
1 files changed, 5 insertions, 5 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -632,7 +632,7 @@ set_newkeys(int mode) | |||
632 | enc = &newkeys[mode]->enc; | 632 | enc = &newkeys[mode]->enc; |
633 | mac = &newkeys[mode]->mac; | 633 | mac = &newkeys[mode]->mac; |
634 | comp = &newkeys[mode]->comp; | 634 | comp = &newkeys[mode]->comp; |
635 | memset(mac->key, 0, mac->key_len); | 635 | mac_clear(mac); |
636 | xfree(enc->name); | 636 | xfree(enc->name); |
637 | xfree(enc->iv); | 637 | xfree(enc->iv); |
638 | xfree(enc->key); | 638 | xfree(enc->key); |
@@ -647,14 +647,15 @@ set_newkeys(int mode) | |||
647 | enc = &newkeys[mode]->enc; | 647 | enc = &newkeys[mode]->enc; |
648 | mac = &newkeys[mode]->mac; | 648 | mac = &newkeys[mode]->mac; |
649 | comp = &newkeys[mode]->comp; | 649 | comp = &newkeys[mode]->comp; |
650 | if (mac->md != NULL) | 650 | if (mac_init(mac) == 0) |
651 | mac->enabled = 1; | 651 | mac->enabled = 1; |
652 | DBG(debug("cipher_init_context: %d", mode)); | 652 | DBG(debug("cipher_init_context: %d", mode)); |
653 | cipher_init(cc, enc->cipher, enc->key, enc->key_len, | 653 | cipher_init(cc, enc->cipher, enc->key, enc->key_len, |
654 | enc->iv, enc->block_size, crypt_type); | 654 | enc->iv, enc->block_size, crypt_type); |
655 | /* Deleting the keys does not gain extra security */ | 655 | /* Deleting the keys does not gain extra security */ |
656 | /* memset(enc->iv, 0, enc->block_size); | 656 | /* memset(enc->iv, 0, enc->block_size); |
657 | memset(enc->key, 0, enc->key_len); */ | 657 | memset(enc->key, 0, enc->key_len); |
658 | memset(mac->key, 0, mac->key_len); */ | ||
658 | if ((comp->type == COMP_ZLIB || | 659 | if ((comp->type == COMP_ZLIB || |
659 | (comp->type == COMP_DELAYED && after_authentication)) && | 660 | (comp->type == COMP_DELAYED && after_authentication)) && |
660 | comp->enabled == 0) { | 661 | comp->enabled == 0) { |
@@ -1249,7 +1250,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) | |||
1249 | logit("Received disconnect from %s: %.400s", | 1250 | logit("Received disconnect from %s: %.400s", |
1250 | get_remote_ipaddr(), msg); | 1251 | get_remote_ipaddr(), msg); |
1251 | cleanup_exit(255); | 1252 | cleanup_exit(255); |
1252 | xfree(msg); | ||
1253 | break; | 1253 | break; |
1254 | default: | 1254 | default: |
1255 | if (type) | 1255 | if (type) |