summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2011-09-22 - djm@cvs.openbsd.org 2011/09/05 05:59:08Damien Miller
[misc.c] fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 - djm@cvs.openbsd.org 2011/09/05 05:56:13Damien Miller
[scp.1 sftp.1] mention ControlPersist and KbdInteractiveAuthentication in the -o verbiage in these pages too (prompted by jmc@)
2011-09-22 - djm@cvs.openbsd.org 2011/08/26 01:45:15Damien Miller
[ssh.1] Add some missing ssh_config(5) options that can be used in ssh(1)'s -o argument. Patch from duclare AT guu.fi
2011-09-22 - djm@cvs.openbsd.org 2011/09/22 06:27:29Damien Miller
[glob.c] fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being applied only to the gl_pathv vector and not the corresponding gl_statv array. reported in OpenSSH bz#1935; feedback and okay matthew@
2011-09-22 - stsp@cvs.openbsd.org 2011/09/20 10:18:46Damien Miller
[glob.c] In glob(3), limit recursion during matching attempts. Similar to fnmatch fix. Also collapse consecutive '*' (from NetBSD). ok miod deraadt
2011-09-22 - pyr@cvs.openbsd.org 2011/05/12 07:15:10Damien Miller
[openbsd-compat/glob.c] When the max number of items for a directory has reached GLOB_LIMIT_READDIR an error is returned but closedir() is not called. spotted and fix provided by Frank Denis obsd-tech@pureftpd.org ok otto@, millert@
2011-09-09 - (dtucker) [entropy.h] Bug #1932: remove old definition of init_rng. FromDarren Tucker
Colin Watson.
2011-09-07 - (djm) [contrib/redhat/openssh.spec] Correct restorcon => restoreconDamien Miller
2011-09-07 - (djm) [README version.h] Correct versionDamien Miller
2011-09-05 - (djm) Release OpenSSH-5.9Damien Miller
2011-09-05 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Update version numbers.
2011-09-04 - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementationsDarren Tucker
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatalDamien Miller
regress errors for the sandbox to warnings. ok tim dtucker
2011-08-29 - (djm) [openbsd-compat/port-linux.c] Suppress logging when attemptingDamien Miller
to switch SELinux context away from unconfined_t, based on patch from Jan Chadima; bz#1919 ok dtucker@
2011-08-28 - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.Darren Tucker
2011-08-17 - (tim) [configure.ac] Typo in error message spotted by Andy TsouladzeTim Rice
2011-08-17 - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2Damien Miller
MAC tests for platforms that hack EVP_SHA2 support
2011-08-17 - djm@cvs.openbsd.org 2011/08/02 01:23:41Damien Miller
[regress/cipher-speed.sh regress/try-ciphers.sh] add SHA256/SHA512 based HMAC modes
2011-08-17 - markus@cvs.openbsd.org 2011/06/30 22:44:43Damien Miller
[connect-privsep.sh] test with sandbox enabled; ok djm@
2011-08-17 - dtucker@cvs.openbsd.org 2011/06/03 05:35:10Damien Miller
[regress/cfgmatch.sh] use OBJ to find test configs, patch from Tim Rice
2011-08-17 - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted byDamien Miller
bisson AT archlinux.org
2011-08-17 - (djm) [configure.ac] error out if the host lacks the necessary bits forDamien Miller
an explicitly requested sandbox type
2011-08-17 - (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]Damien Miller
binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen
2011-08-16 - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs forTim Rice
OpenSSL 0.9.7. ok djm
2011-08-12 - (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to theDamien Miller
identify file contained whitespace. bz#1828 patch from gwenael.lambrouin AT gmail.com; ok dtucker@
2011-08-12 - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init]Damien Miller
[contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES init scrips from imorgan AT nas.nasa.gov
2011-08-12 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux contextDarren Tucker
change error by reporting old and new context names Patch from jchadima at redhat.
2011-08-07 - dtucker@cvs.openbsd.org 2011/08/07 12:55:30Darren Tucker
[sftp.1] typo, fix from Laurent Gautrot
2011-08-07 - jmc@cvs.openbsd.org 2010/10/14 20:41:28Darren Tucker
[moduli.5] probabalistic -> probabilistic; from naddy
2011-08-07 - sobrado@cvs.openbsd.org 2009/10/28 08:56:54Darren Tucker
[moduli.5] "Diffie-Hellman" is the usual spelling for the cryptographic protocol first published by Whitfield Diffie and Martin Hellman in 1976. ok jmc@
2011-08-07 - (dtucker) OpenBSD CVS SyncDarren Tucker
- jmc@cvs.openbsd.org 2008/06/26 06:59:39 [moduli.5] tweak previous;
2011-08-06 - djm@cvs.openbsd.org 2011/08/02 23:15:03Damien Miller
[ssh.c] typo in comment
2011-08-06 - djm@cvs.openbsd.org 2011/08/02 23:13:01Damien Miller
[version.h] crank now, release later
2011-08-06 - djm@cvs.openbsd.org 2011/08/02 01:22:11Damien Miller
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 - markus@cvs.openbsd.org 2011/08/01 19:18:15Damien Miller
[gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@
2011-08-06 - djm@cvs.openbsd.org 2011/07/29 14:42:45Damien Miller
[sandbox-systrace.c] fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@
2011-08-06 - tedu@cvs.openbsd.org 2011/07/06 18:09:21Damien Miller
[authfd.c] bzero the agent address. the kernel was for a while very cranky about these things. evne though that's fixed, always good to initialize memory. ok deraadt djm
2011-08-06 - djm@cvs.openbsd.org 2011/06/23 23:35:42Damien Miller
[monitor.c] ignore EINTR errors from poll()
2011-06-27 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox forDamien Miller
Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing markus@
2011-06-23 - djm@cvs.openbsd.org 2011/06/23 09:34:13Damien Miller
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] [sandbox-null.c] rename sandbox.h => ssh-sandbox.h to make things easier for portable
2011-06-23 - (djm) [sandbox-null.c] Dummy sandbox for platforms that don't supportDamien Miller
setrlimit(2)
2011-06-23 - djm@cvs.openbsd.org 2011/06/22 22:08:42Damien Miller
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] hook up a channel confirm callback to warn the user then requested X11 forwarding was refused by the server; ok markus@
2011-06-23 - djm@cvs.openbsd.org 2011/06/22 21:57:01Damien Miller
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
2011-06-23 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2011/06/22 21:47:28 [servconf.c] reuse the multistate option arrays to pretty-print options for "sshd -T"
2011-06-20 - djm@cvs.openbsd.org 2011/06/17 21:57:25Damien Miller
[clientloop.c] setproctitle for a mux master that has been gracefully stopped; bz#1911 from Bert.Wesarg AT googlemail.com
2011-06-20 - djm@cvs.openbsd.org 2011/06/17 21:47:35Damien Miller
[servconf.c] factor out multi-choice option parsing into a parse_multistate label and some support structures; ok dtucker@
2011-06-20 - djm@cvs.openbsd.org 2011/06/17 21:46:16Damien Miller
[sftp-server.c] the protocol version should be unsigned; bz#1913 reported by mb AT smartftp.com
2011-06-20 - djm@cvs.openbsd.org 2011/06/17 21:44:31Damien Miller
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c] make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
2011-06-20 - markus@cvs.openbsd.org 2011/06/14 22:49:18Damien Miller
[authfile.c] make sure key_parse_public/private_rsa1() no longer consumes its input buffer. fixes ssh-add for passphrase-protected ssh1-keys; noted by naddy@; ok djm@
2011-06-20 - djm@cvs.openbsd.org 2011/06/04 00:10:26Damien Miller
[ssh_config.5] explain IdentifyFile's semantics a little better, prompted by bz#1898 ok dtucker jmc