summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-10-07Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
2014-10-07GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-10-07 Patch-Name: gssapi.patch
2014-10-07Import openssh_6.7p1.orig.tar.gzColin Watson
2014-10-07establish V_6_7 branchDamien Miller
2014-10-07 - (djm) Release OpenSSH-6.7Damien Miller
2014-10-03 - (djm) [sshd_config.5] typo; from Iain MorganDamien Miller
2014-10-01 - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]Damien Miller
[openbsd-compat/openbsd-compat.h] Kludge around bad glibc _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets; ok dtucker@
2014-09-10 - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;Damien Miller
patch from Felix von Leitner; ok dtucker
2014-09-0920140908Darren Tucker
- (dtucker) [INSTALL] Update info about egd. ok djm@
2014-09-04 - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNGDamien Miller
2014-09-03 - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading toDamien Miller
permissions/ACLs; from Corinna Vinschen
2014-09-03 - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h andDamien Miller
conditionalise to avoid duplicate definition.
2014-08-30 - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@Damien Miller
2014-08-30 - (djm) [openbsd-compat/openssl-compat.h] add include guardDamien Miller
2014-08-30 - (djm) [misc.c] Missing newline between functionsDamien Miller
2014-08-30 - (djm) [openbsd-compat/openssl-compat.h] addDamien Miller
OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
2014-08-27 - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()Damien Miller
using memset_s() where possible; improve fallback to indirect bzero via a volatile pointer to give it more of a chance to avoid being optimised away.
2014-08-27 - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauthDamien Miller
monitor, not preauth; bz#2263
2014-08-27 - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]Damien Miller
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] [regress/unittests/sshkey/common.c] [regress/unittests/sshkey/test_file.c] [regress/unittests/sshkey/test_fuzz.c] [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h on !ECC OpenSSL systems
2014-08-26 - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,Damien Miller
update OpenSSL version requirement.
2014-08-26 - (djm) [bufec.c] Skip this file on !ECC OpenSSLDamien Miller
2014-08-24 - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but notDamien Miller
PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
2014-08-23 - (djm) [configure.ac] We now require a working vsnprintf everywhere (notDamien Miller
just for systems that lack asprintf); check for it always and extend test to catch more brokenness. Fixes builds on Solaris <= 9
2014-08-23 - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode onDamien Miller
lastlog writing on platforms with high UIDs; bz#2263
2014-08-22 - (djm) [configure.ac] double braces to appease autoconfDamien Miller
2014-08-22 - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/Damien Miller
definition mismatch) and warning for broken/missing snprintf case.
2014-08-22 - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECCDamien Miller
2014-08-22 - (djm) [configure.ac] include leading zero characters in OpenSSL versionDamien Miller
number; fixes test for unsupported versions
2014-08-21 - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems thatDamien Miller
don't set __progname. Diagnosed by Tom Christensen.
2014-08-21 - (djm) [key.h] Fix ifdefs for no-ECC OpenSSLDamien Miller
2014-08-21 - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.Damien Miller
2014-08-20 - (djm) [contrib/cygwin/README] Correct build instructions; from CorinnaDamien Miller
2014-08-20 - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECCDamien Miller
2014-08-20 - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather thanDamien Miller
-L/-l; fixes linking problems on some platforms
2014-08-20 - (djm) [configure.ac] Check OpenSSL version is supported at configure time;Damien Miller
suggested by Kevin Brott
2014-08-19 - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]Damien Miller
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions of TCP wrappers.
2014-08-19 - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIGDamien Miller
2014-08-19 - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.Damien Miller
2014-08-19 - (djm) [myproposal.h] Make curve25519 KEX dependent onDamien Miller
HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
2014-08-19 - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna VinschenDamien Miller
2014-08-10 - (djm) [README contrib/caldera/openssh.spec]Damien Miller
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
2014-08-01 - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociateDamien Miller
nc from stdin, it's more portable
2014-08-01 - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdinDamien Miller
is closed; avoid regress failures when stdin is /dev/null
2014-08-01 - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We needDamien Miller
a better solution, but this will have to do for now.
2014-07-30 - schwarze@cvs.openbsd.org 2014/07/28 15:40:08Damien Miller
[sftp-server.8 sshd_config.5] some systems no longer need /dev/log; issue noticed by jirib; ok deraadt
2014-07-30 - dtucker@cvs.openbsd.org 2014/07/25 21:22:03Damien Miller
[ssh-agent.c] Clear buffer used for handling messages. This prevents keys being left in memory after they have been expired or deleted in some cases (but note that ssh-agent is setgid so you would still need root to access them). Pointed out by Kevin Burns, ok deraadt
2014-07-30 - OpenBSD CVS SyncDamien Miller
- millert@cvs.openbsd.org 2014/07/24 22:57:10 [ssh.1] Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
2014-07-25 - (djm) [regress/multiplex.sh] restore incorrectly deleted line;Damien Miller
pointed out by Christian Hesse
2014-07-23 - dtucker@cvs.openbsd.org 2014/07/22 23:35:38Darren Tucker
[regress/unittests/sshkey/testdata/*] Regenerate test keys with certs signed with ed25519 instead of ecdsa. These can be used in -portable on platforms that don't support ECDSA.
2014-07-23 - dtucker@cvs.openbsd.org 2014/07/22 23:57:40Darren Tucker
[regress/unittests/sshkey/mktestdata.sh] Add $OpenBSD tag to make syncs easier