1 files changed, 9 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index c1f6f2638..898fc89c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -73,6 +73,15 @@
     [ssh-keysign.c]
     include fingerprint of key not found
     use arc4random_buf() instead of loop+arc4random()
+   - djm@cvs.openbsd.org 2014/04/01 03:34:10
+     [sshconnect.c]
+     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+     certificate keys to plain keys and attempt SSHFP resolution.
+     
+     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+     dialog by offering only certificate keys.
+     
+     Reported by mcv21 AT cam.ac.uk
 20140401
 - (djm) On platforms that support it, use prctl() to prevent sftp-server

diff --git a/ChangeLog b/ChangeLog index c1f6f2638..898fc89c6 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -73,6 +73,15 @@
73	[ssh-keysign.c]	73	[ssh-keysign.c]
74	include fingerprint of key not found	74	include fingerprint of key not found
75	use arc4random_buf() instead of loop+arc4random()	75	use arc4random_buf() instead of loop+arc4random()
		76	- djm@cvs.openbsd.org 2014/04/01 03:34:10
		77	[sshconnect.c]
		78	When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
		79	certificate keys to plain keys and attempt SSHFP resolution.
		80
		81	Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
		82	dialog by offering only certificate keys.
		83
		84	Reported by mcv21 AT cam.ac.uk
76		85
77	20140401	86	20140401
78	- (djm) On platforms that support it, use prctl() to prevent sftp-server	87	- (djm) On platforms that support it, use prctl() to prevent sftp-server