1 files changed, 295 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 5df76186d..f8e600847 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,298 @@
+20120828
+ - (djm) Release openssh-6.1
+
+20120828
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN
+   for compatibility with future mingw-w64 headers.  Patch from vinschen at
+   redhat com.
+
+20120822
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Update version numbers
+
+20120731
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2012/07/06 06:38:03
+     [ssh-keygen.c]
+     missing full stop in usage();
+   - djm@cvs.openbsd.org 2012/07/10 02:19:15
+     [servconf.c servconf.h sshd.c sshd_config]
+     Turn on systrace sandboxing of pre-auth sshd by default for new installs
+     by shipping a config that overrides the current UsePrivilegeSeparation=yes
+     default. Make it easier to flip the default in the future by adding too.
+     prodded markus@ feedback dtucker@ "get it in" deraadt@
+   - dtucker@cvs.openbsd.org 2012/07/13 01:35:21
+     [servconf.c]
+     handle long comments in config files better.  bz#2025, ok markus
+   - markus@cvs.openbsd.org 2012/07/22 18:19:21
+     [version.h]
+     openssh 6.1
+
+20120720
+ - (dtucker) Import regened moduli file.
+
+20120706
+ - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
+   not available. Allows use of sshd compiled on host with a filter-capable
+   kernel on hosts that lack the support. bz#2011 ok dtucker@
+ - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no
+   unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
+   esperi.org.uk; ok dtucker@
+- (djm) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
+     [moduli.c ssh-keygen.1 ssh-keygen.c]
+     Add options to specify starting line number and number of lines to process
+     when screening moduli candidates.  This allows processing of different
+     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
+   - djm@cvs.openbsd.org 2012/07/06 01:37:21
+     [mux.c]
+     fix memory leak of passed-in environment variables and connection
+     context when new session message is malformed; bz#2003 from Bert.Wesarg
+     AT googlemail.com
+   - djm@cvs.openbsd.org 2012/07/06 01:47:38
+     [ssh.c]
+     move setting of tty_flag to after config parsing so RequestTTY options
+     are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
+     ok dtucker@
+
+20120704
+ - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
+   platforms that don't have it.  "looks good" tim@
+
+20120703
+ - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
+   setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
+ - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
+   setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported.  Its
+   benefit is minor, so it's not worth disabling the sandbox if it doesn't
+   work.
+
+20120702
+- (dtucker) OpenBSD CVS Sync
+   - naddy@cvs.openbsd.org 2012/06/29 13:57:25
+     [ssh_config.5 sshd_config.5]
+     match the documented MAC order of preference to the actual one;
+     ok dtucker@
+   - markus@cvs.openbsd.org 2012/06/30 14:35:09
+     [sandbox-systrace.c sshd.c]
+     fix a during the load of the sandbox policies (child can still make
+     the read-syscall and wait forever for systrace-answers) by replacing
+     the read/write synchronisation with SIGSTOP/SIGCONT;
+     report and help hshoexer@; ok djm@, dtucker@
+   - dtucker@cvs.openbsd.org 2012/07/02 08:50:03
+     [ssh.c]
+     set interactive ToS for forwarded X11 sessions.  ok djm@
+   - dtucker@cvs.openbsd.org 2012/07/02 12:13:26
+     [ssh-pkcs11-helper.c sftp-client.c]
+     fix a couple of "assigned but not used" warnings.  ok markus@
+   - dtucker@cvs.openbsd.org 2012/07/02 14:37:06
+     [regress/connect-privsep.sh]
+     remove exit from end of test since it prevents reporting failure
+ - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh]
+   Move cygwin detection to test-exec and use to skip reexec test on cygwin.
+ - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k.
+
+20120629
+ - OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2012/06/21 00:16:07
+     [addrmatch.c]
+     fix strlcpy truncation check.  from carsten at debian org, ok markus
+   - dtucker@cvs.openbsd.org 2012/06/22 12:30:26
+     [monitor.c sshconnect2.c]
+     remove dead code following 'for (;;)' loops.
+     From Steve.McClellan at radisys com, ok markus@
+   - dtucker@cvs.openbsd.org 2012/06/22 14:36:33
+     [sftp.c]
+     Remove unused variable leftover from tab-completion changes.
+     From Steve.McClellan at radisys com, ok markus@
+   - dtucker@cvs.openbsd.org 2012/06/26 11:02:30
+     [sandbox-systrace.c]
+     Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
+     sandbox" since malloc now uses it.  From johnw.mail at gmail com.
+   - dtucker@cvs.openbsd.org 2012/06/28 05:07:45
+     [mac.c myproposal.h ssh_config.5 sshd_config.5]
+     Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
+     from draft6 of the spec and will not be in the RFC when published.  Patch
+     from mdb at juniper net via bz#2023, ok markus.
+   - naddy@cvs.openbsd.org 2012/06/29 13:57:25
+     [ssh_config.5 sshd_config.5]
+     match the documented MAC order of preference to the actual one; ok dtucker@
+   - dtucker@cvs.openbsd.org 2012/05/13 01:42:32
+     [regress/addrmatch.sh]
+     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
+     to match.  Feedback and ok djm@ markus@.
+   - djm@cvs.openbsd.org 2012/06/01 00:47:35
+     [regress/multiplex.sh regress/forwarding.sh]
+     append to rather than truncate test log; bz#2013 from openssh AT
+     roumenpetrov.info
+   - djm@cvs.openbsd.org 2012/06/01 00:52:52
+     [regress/sftp-cmds.sh]
+     don't delete .* on cleanup due to unintended env expansion; pointed out in
+     bz#2014 by openssh AT roumenpetrov.info
+   - dtucker@cvs.openbsd.org 2012/06/26 12:06:59
+     [regress/connect-privsep.sh]
+     test sandbox with every malloc option
+   - dtucker@cvs.openbsd.org 2012/06/28 05:07:45
+     [regress/try-ciphers.sh regress/cipher-speed.sh]
+     Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
+     from draft6 of the spec and will not be in the RFC when published.  Patch
+     from mdb at juniper net via bz#2023, ok markus.
+ - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error.
+ - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
+   the required functions in libcrypto.
+
+20120628
+ - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
+   pointer deref in the client when built with LDNS and using DNSSEC with a
+   CNAME.  Patch from gregdlg+mr at hochet info.
+
+20120622
+ - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as
+   can logon as a service.  Patch from vinschen at redhat com.
+
+20120620
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2011/12/02 00:41:56
+     [mux.c]
+     fix bz#1948: ssh -f doesn't fork for multiplexed connection.
+     ok dtucker@
+   - djm@cvs.openbsd.org 2011/12/04 23:16:12
+     [mux.c]
+     revert:
+     > revision 1.32
+     > date: 2011/12/02 00:41:56;  author: djm;  state: Exp;  lines: +4 -1
+     > fix bz#1948: ssh -f doesn't fork for multiplexed connection.
+     > ok dtucker@
+     it interacts badly with ControlPersist
+   - djm@cvs.openbsd.org 2012/01/07 21:11:36
+     [mux.c]
+     fix double-free in new session handler
+     NB. Id sync only
+   - djm@cvs.openbsd.org 2012/05/23 03:28:28
+     [dns.c dns.h key.c key.h ssh-keygen.c]
+     add support for RFC6594 SSHFP DNS records for ECDSA key types.
+     patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
+   - djm@cvs.openbsd.org 2012/06/01 00:49:35
+     [PROTOCOL.mux]
+     correct types of port numbers (integers, not strings); bz#2004 from
+     bert.wesarg AT googlemail.com
+   - djm@cvs.openbsd.org 2012/06/01 01:01:22
+     [mux.c]
+     fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg
+     AT googlemail.com
+   - dtucker@cvs.openbsd.org 2012/06/18 11:43:53
+     [jpake.c]
+     correct sizeof usage.  patch from saw at online.de, ok deraadt
+   - dtucker@cvs.openbsd.org 2012/06/18 11:49:58
+     [ssh_config.5]
+     RSA instead of DSA twice.  From Steve.McClellan at radisys com
+   - dtucker@cvs.openbsd.org 2012/06/18 12:07:07
+     [ssh.1 sshd.8]
+     Remove mention of 'three' key files since there are now four.  From
+     Steve.McClellan at radisys com.
+   - dtucker@cvs.openbsd.org 2012/06/18 12:17:18
+     [ssh.1]
+     Clarify description of -W.  Noted by Steve.McClellan at radisys com,
+     ok jmc
+   - markus@cvs.openbsd.org 2012/06/19 18:25:28
+     [servconf.c servconf.h sshd_config.5]
+     sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
+     this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
+     ok djm@ (back in March)
+   - jmc@cvs.openbsd.org 2012/06/19 21:35:54
+     [sshd_config.5]
+     tweak previous; ok markus
+   - djm@cvs.openbsd.org 2012/06/20 04:42:58
+     [clientloop.c serverloop.c]
+     initialise accept() backoff timer to avoid EINVAL from select(2) in
+     rekeying
+
+20120519
+ - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct.  Patch
+   from cjwatson at debian org.
+ - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find
+   pkg-config so it does the right thing when cross-compiling.  Patch from
+   cjwatson at debian org.
+- (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2012/05/13 01:42:32
+     [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
+     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
+     to match.  Feedback and ok djm@ markus@.
+   - dtucker@cvs.openbsd.org 2012/05/19 06:30:30
+     [sshd_config.5]
+     Document PermitOpen none.  bz#2001, patch from Loganaden Velvindron
+
+20120504
+ - (dtucker) [configure.ac] Include <sys/param.h> rather than <sys/types.h>
+   to fix building on some plaforms.  Fom bowman at math utah edu and
+   des at des no.
+
+20120427
+ - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6
+   platform rather than exiting early, so that we still clean up and return
+   success or failure to test-exec.sh
+
+20120426
+ - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters
+   via Niels
+ - (djm) [auth-krb5.c] Save errno across calls that might modify it;
+   ok dtucker@
+
+20120423
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2012/04/23 08:18:17
+     [channels.c]
+     fix function proto/source mismatch
+
+20120422
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2012/02/29 11:21:26
+     [ssh-keygen.c]
+     allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
+   - guenther@cvs.openbsd.org 2012/03/15 03:10:27
+     [session.c]
+     root should always be excluded from the test for /etc/nologin instead
+     of having it always enforced even when marked as ignorenologin.  This
+     regressed when the logic was incompletely flipped around in rev 1.251
+     ok halex@ millert@
+   - djm@cvs.openbsd.org 2012/03/28 07:23:22
+     [PROTOCOL.certkeys]
+     explain certificate extensions/crit split rationale. Mention requirement
+     that each appear at most once per cert.
+   - dtucker@cvs.openbsd.org 2012/03/29 23:54:36
+     [channels.c channels.h servconf.c]
+     Add PermitOpen none option based on patch from Loganaden Velvindron
+     (bz #1949).  ok djm@
+   - djm@cvs.openbsd.org 2012/04/11 13:16:19
+     [channels.c channels.h clientloop.c serverloop.c]
+     don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
+     while; ok deraadt@ markus@
+   - djm@cvs.openbsd.org 2012/04/11 13:17:54
+     [auth.c]
+     Support "none" as an argument for AuthorizedPrincipalsFile to indicate
+     no file should be read.
+   - djm@cvs.openbsd.org 2012/04/11 13:26:40
+     [sshd.c]
+     don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
+     while; ok deraadt@ markus@
+   - djm@cvs.openbsd.org 2012/04/11 13:34:17
+     [ssh-keyscan.1 ssh-keyscan.c]
+     now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
+     look for them by default; bz#1971
+   - djm@cvs.openbsd.org 2012/04/12 02:42:32
+     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+     VersionAddendum option to allow server operators to append some arbitrary
+     text to the SSH-... banner; ok deraadt@ "don't care" markus@
+   - djm@cvs.openbsd.org 2012/04/12 02:43:55
+     [sshd_config sshd_config.5]
+     mention AuthorizedPrincipalsFile=none default
+   - djm@cvs.openbsd.org 2012/04/20 03:24:23
+     [sftp.c]
+     setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)
+   - jmc@cvs.openbsd.org 2012/04/20 16:26:22
+     [ssh.1]
+     use "brackets" instead of "braces", for consistency;
+
 20120420
  - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
    [contrib/suse/openssh.spec] Update for release 6.0