Age | Commit message | Author | |
---|---|---|---|
2014-10-07 | Restore TCP wrappers support | Colin Watson | |
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch | |||
2014-10-07 | GSSAPI key exchange support | Simon Wilkinson | |
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-10-07 Patch-Name: gssapi.patch | |||
2014-10-07 | Import openssh_6.7p1.orig.tar.gz | Colin Watson | |
2014-10-07 | establish V_6_7 branch | Damien Miller | |
2014-10-07 | - (djm) Release OpenSSH-6.7 | Damien Miller | |
2014-10-03 | - (djm) [sshd_config.5] typo; from Iain Morgan | Damien Miller | |
2014-10-01 | - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c] | Damien Miller | |
[openbsd-compat/openbsd-compat.h] Kludge around bad glibc _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets; ok dtucker@ | |||
2014-09-10 | - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc; | Damien Miller | |
patch from Felix von Leitner; ok dtucker | |||
2014-09-09 | 20140908 | Darren Tucker | |
- (dtucker) [INSTALL] Update info about egd. ok djm@ | |||
2014-09-04 | - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG | Damien Miller | |
2014-09-03 | - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to | Damien Miller | |
permissions/ACLs; from Corinna Vinschen | |||
2014-09-03 | - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and | Damien Miller | |
conditionalise to avoid duplicate definition. | |||
2014-08-30 | - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@ | Damien Miller | |
2014-08-30 | - (djm) [openbsd-compat/openssl-compat.h] add include guard | Damien Miller | |
2014-08-30 | - (djm) [misc.c] Missing newline between functions | Damien Miller | |
2014-08-30 | - (djm) [openbsd-compat/openssl-compat.h] add | Damien Miller | |
OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them | |||
2014-08-27 | - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero() | Damien Miller | |
using memset_s() where possible; improve fallback to indirect bzero via a volatile pointer to give it more of a chance to avoid being optimised away. | |||
2014-08-27 | - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth | Damien Miller | |
monitor, not preauth; bz#2263 | |||
2014-08-27 | - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] | Damien Miller | |
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] [regress/unittests/sshkey/common.c] [regress/unittests/sshkey/test_file.c] [regress/unittests/sshkey/test_fuzz.c] [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h on !ECC OpenSSL systems | |||
2014-08-26 | - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL, | Damien Miller | |
update OpenSSL version requirement. | |||
2014-08-26 | - (djm) [bufec.c] Skip this file on !ECC OpenSSL | Damien Miller | |
2014-08-24 | - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not | Damien Miller | |
PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen | |||
2014-08-23 | - (djm) [configure.ac] We now require a working vsnprintf everywhere (not | Damien Miller | |
just for systems that lack asprintf); check for it always and extend test to catch more brokenness. Fixes builds on Solaris <= 9 | |||
2014-08-23 | - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on | Damien Miller | |
lastlog writing on platforms with high UIDs; bz#2263 | |||
2014-08-22 | - (djm) [configure.ac] double braces to appease autoconf | Damien Miller | |
2014-08-22 | - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/ | Damien Miller | |
definition mismatch) and warning for broken/missing snprintf case. | |||
2014-08-22 | - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC | Damien Miller | |
2014-08-22 | - (djm) [configure.ac] include leading zero characters in OpenSSL version | Damien Miller | |
number; fixes test for unsupported versions | |||
2014-08-21 | - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that | Damien Miller | |
don't set __progname. Diagnosed by Tom Christensen. | |||
2014-08-21 | - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL | Damien Miller | |
2014-08-21 | - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too. | Damien Miller | |
2014-08-20 | - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna | Damien Miller | |
2014-08-20 | - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC | Damien Miller | |
2014-08-20 | - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than | Damien Miller | |
-L/-l; fixes linking problems on some platforms | |||
2014-08-20 | - (djm) [configure.ac] Check OpenSSL version is supported at configure time; | Damien Miller | |
suggested by Kevin Brott | |||
2014-08-19 | - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README] | Damien Miller | |
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions of TCP wrappers. | |||
2014-08-19 | - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG | Damien Miller | |
2014-08-19 | - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC. | Damien Miller | |
2014-08-19 | - (djm) [myproposal.h] Make curve25519 KEX dependent on | Damien Miller | |
HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC. | |||
2014-08-19 | - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen | Damien Miller | |
2014-08-10 | - (djm) [README contrib/caldera/openssh.spec] | Damien Miller | |
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions | |||
2014-08-01 | - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate | Damien Miller | |
nc from stdin, it's more portable | |||
2014-08-01 | - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin | Damien Miller | |
is closed; avoid regress failures when stdin is /dev/null | |||
2014-08-01 | - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need | Damien Miller | |
a better solution, but this will have to do for now. | |||
2014-07-30 | - schwarze@cvs.openbsd.org 2014/07/28 15:40:08 | Damien Miller | |
[sftp-server.8 sshd_config.5] some systems no longer need /dev/log; issue noticed by jirib; ok deraadt | |||
2014-07-30 | - dtucker@cvs.openbsd.org 2014/07/25 21:22:03 | Damien Miller | |
[ssh-agent.c] Clear buffer used for handling messages. This prevents keys being left in memory after they have been expired or deleted in some cases (but note that ssh-agent is setgid so you would still need root to access them). Pointed out by Kevin Burns, ok deraadt | |||
2014-07-30 | - OpenBSD CVS Sync | Damien Miller | |
- millert@cvs.openbsd.org 2014/07/24 22:57:10 [ssh.1] Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@ | |||
2014-07-25 | - (djm) [regress/multiplex.sh] restore incorrectly deleted line; | Damien Miller | |
pointed out by Christian Hesse | |||
2014-07-23 | - dtucker@cvs.openbsd.org 2014/07/22 23:35:38 | Darren Tucker | |
[regress/unittests/sshkey/testdata/*] Regenerate test keys with certs signed with ed25519 instead of ecdsa. These can be used in -portable on platforms that don't support ECDSA. | |||
2014-07-23 | - dtucker@cvs.openbsd.org 2014/07/22 23:57:40 | Darren Tucker | |
[regress/unittests/sshkey/mktestdata.sh] Add $OpenBSD tag to make syncs easier |