[openssh-commits] [openssh] annotated tag V_8_0_P1 created (now 92d169d6)
git+noreply at mindrot.org
Thu Apr 18 09:01:51 AEST 2019
This is an automated email from the git hooks/post-receive script.
djm pushed a change to annotated tag V_8_0_P1
in repository openssh.
at 92d169d6 (tag)
tagging fd0fa130ecf06d7d092932adcd5d77f1549bfc8d (commit)
replaces V_7_9_P1
tagged by Damien Miller
on Thu Apr 18 08:53:19 2019 +1000
- Log -----------------------------------------------------------------
openssh-8.0
Corinna Vinschen (6):
Cygwin: Change service name to cygsshd
Cygwin: only tweak sshd_config file if it's new, drop creating sshd user
Add tags to .gitignore
Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"
Cygwin: implement case-insensitive Unicode user and group name matching
drop old Cygwin considerations
Dag-Erling Smørgrav (1):
AC_CHECK_SIZEOF() no longer needs a second argument.
Damien Miller (32):
fix compile for openssl 1.0.x w/ --with-ssl-engine
regen depend
remove remaining references to SSLeay
fix builds on OpenSSL <= 1.0.x
refactor libcrypto initialisation
fix configure test for OpenSSL version
expose $SSH_CONNECTION in the PAM environment
upstream: convert auth2.c to new packet API
depend
remove vestiges of old packet API from loginrec.c
remove PAM dependencies on old packet API
last bits of old packet API / active_state global
conditionalise ECDSA PKCS#11 support
remove HAVE_DLOPEN that snuck in
Fix -Wunused when compiling PKCS#11 without ECDSA
make agent-pkcs11 search harder for softhsm2.so
pass TEST_SSH_SSHPKCS11HELPER to regress tests
fix previous test
fixup missing ssherr.h
depend
new files need includes.h
add missing header
typo
depend
use same close logic for stderr as stdout
don't set $MAIL if UsePam=yes
session: Do not use removed API
update versions
rewrite README
Revert "rewrite README"
second thoughts: leave README in place
makedepend
Darren Tucker (37):
Include openssl compatibility.
Check for the existence of openssl version funcs.
Use detected version functions in openssl compat.
Update required OpenSSL versions to match current.
Update check for minimum OpenSSL version.
Import new moduli.
Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.
Simplify OpenSSL 1.1 function checks.
Remove hardcoded service name in cygwin setup.
Improve warnings in cygwin service setup.
Fix check for OpenSSL 1.0.1 exactly.
Remove fallback check for /usr/local/ssl.
Test for OPENSSL_init_crypto before using.
Resync Makefile.inc with upstream.
Resync with OpenBSD by pulling in an ifdef SIGINFO.
Move RANDOM_SEED_SIZE outside ifdef.
Improve OpenSSL_add_all_algorithms check.
Reverse order of OpenSSL init functions.
Include stdio.h for FILE if needed.
Add a minimal implementation of utimensat().
Add minimal fchownat and fchmodat implementations.
Check for cc before gcc.
Wrap ECC static globals in EC_KEY_METHOD_NEW too.
Make --with-rpath take a flag instead of yes/no.
Allow building against OpenSSL dev (3.x) version.
Also undef SIMPLEQ_FOREACH_SAFE.
Include unistd.h for strmode().
For broken read/readv comparisons, poll(RW).
Revert unintended parts of previous commit.
Use Cygwin-specific matching only for users+groups.
Replace alloca with xcalloc.
On Cygwin run sshd as SYSTEM where possible.
Fix build when configured --without-openssl.
Only use O_NOFOLLOW in utimensat if defined.
Add includes.h for compat layer.
Adapt custom_failed_login to new prototype.
Remove "struct ssh" from sys_auth_record_login.
Eneas U de Queiroz (1):
fix compilation with openssl built without ECC
Jakub Jelen (1):
Adjust softhsm2 path on Fedora Linux for regress
Kevin Adler (1):
Don't pass loginmsg by address now that it's an sshbuf*
Manoj Ampalam (1):
Fix error message w/out nistp521.
Tim Rice (2):
Only use O_NOFOLLOW in fchownat and fchmodat if defined
Stop USL compilers for erroring with "integral constant expression expected"
benno at openbsd.org (1):
upstream: ssh-keygen -D pkcs11.so needs to initialize pkcs11
djm at openbsd.org (127):
upstream: when printing certificate contents "ssh-keygen -Lf
upstream: refer to OpenSSL not SSLeay;
upstream: mention ssh-ed25519-cert-v01 at openssh.com in list of cert
upstream: correct local variable name; from yawang AT microsoft.com
upstream: typo in error message; caught by Debian lintian, via
upstream: support a prefix of '@' to suppress echo of sftp batch
upstream: fix bug in HostbasedAcceptedKeyTypes and
upstream: fix bug in client that was keeping a redundant ssh-agent
upstream: disallow empty incoming filename or ones that refer to the
upstream: use path_absolute() for pathname checks; from Manoj Ampalam
upstream: make grandparent-parent-child sshbuf chains robust to
upstream: redirect stderr of ProxyCommands to /dev/null when ssh is
upstream: silence (to log level debug2) failure messages when
upstream: add some knobs:
upstream: add a ssh_config "Match final" predicate
upstream: don't truncate user or host name in "user at host's
upstream: don't attempt to connect to empty SSH_AUTH_SOCK; bz#293
upstream: no need to allocate channels_pre/channels_post in
upstream: mention that the ssh-keygen -F (find host in
upstream: fix option letter pasto in previous
upstream: only consider the ext-info-c extension during the initial
upstream: move client/server SSH-* banners to buffers under
upstream: ssh_packet_set_state() now frees ssh->kex implicitly, so
upstream: Request RSA-SHA2 signatures for
upstream: static on global vars, const on handler tables that contain
upstream: fix memory leak of ciphercontext when rekeying; bz#2942
upstream: eliminate function-static attempt counters for
upstream: add support for a "lsetstat at openssh.com" extension. This
upstream: Add "-h" flag to sftp chown/chgrp/chmod commands to
upstream: many of the global variables in this file can be made static;
upstream: include time.h for time(3)/nanosleep(2); from Ian
upstream: tun_fwd_ifnames variable should b
upstream: regress bits for banner processing refactor (this test was
upstream: begin landing remaining refactoring of packet parsing
upstream: allow sshpkt_fatal() to take a varargs format; we'll
upstream: convert clientloop.c to new packet API
upstream: convert sshconnect2.c to new packet API
upstream: convert mux.c to new packet API
upstream: convert ssh.c to new packet API
upstream: convert sshconnect.c to new packet API
upstream: convert channels.c to new packet API
upstream: convert servconf.c to new packet API
upstream: convert the remainder of clientloop.c to new packet API
upstream: convert the remainder of sshconnect2.c to new packet
upstream: convert serverloop.c to new packet API
upstream: convert auth.c to new packet API
upstream: convert session.c to new packet API
upstream: convert sshd.c to new packet API
upstream: convert monitor.c to new packet API
upstream: remove last references to active_state
upstream: remove last traces of old packet API!
upstream: fix error in refactor: use ssh_packet_disconnect() instead of
upstream: add option to test whether keys in an agent are usable,
upstream: add support for ECDSA keys in PKCS#11 tokens
upstream: allow override of the pkcs#11 helper binary via
upstream: cleanup pkcs#11 client code: use sshkey_new in instead
upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
upstream: fix leak of ECDSA pkcs11_key objects
upstream: make the PKCS#11 RSA code more like the new PKCS#11
upstream: use OpenSSL's RSA reference counting hooks to
upstream: KNF previous; from markus@
upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
upstream: use ECDSA_SIG_set0() instead of poking signature values into
upstream: add "extra:" target to run some extra tests that are not
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support
upstream: allow override of ssh-pkcs11-helper binary via
upstream: GSSAPI code got missed when converting to new packet API
upstream: get the ex_data (pkcs11_key object) back from the keys at
upstream: always print the caller's error message in ossl_error(),
upstream: fix all-zero check in kexc25519_shared_key
upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1
upstream: Make sshpkt_get_bignum2() allocate the bignum it is
upstream: save the derived session id in kex_derive_keys() rather
upstream: factor out DH keygen; it's identical between the client
upstream: factor out kex_dh_compute_key() - it's shared between
upstream: factor out kex_load_hostkey() - this is duplicated in
upstream: factor out kex_verify_hostkey() - again, duplicated
upstream: Add support for a PQC KEX/KEM:
upstream: use KEM API for vanilla c25519 KEX
upstream: use KEM API for vanilla DH KEX
upstream: use KEM API for vanilla ECDH
upstream: remove kex_derive_keys_bn wrapper; no unused since the
upstream: pass values used in KEX hash computation as sshbuf
upstream: merge kexkem[cs] into kexgen
upstream: rename kex->kem_client_pub -> kex->client_pub now that
upstream: nothing shall escape this purge
upstream: forgot to cvs add this file in previous series of commits;
upstream: fix reversed arguments to kex_load_hostkey(); manifested as
upstream: remove hack to use non-system libcrypto
upstream: adapt to bignum1 API removal and bignum2 API change
upstream: adapt to changes in KEX API and file removals
upstream: adapt to changes in KEX APIs and file removals
upstream: add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up
upstream: switch sntrup implementation source from supercop to
upstream: mention the new vs. old key formats in the introduction
upstream: clarify: ssh-keygen -e only writes public keys, never
upstream: print the full pubkey being attempted at loglevel >=
upstream: Include -m in the synopsis for a few more commands that
upstream: Mention that configuration for the destination host is
upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by
upstream: Correct some bugs in PKCS#11 token PIN handling at
upstream: add -m to usage(); reminded by jmc@
upstream: backoff reading messages from active connections when the
upstream: pass most arguments to the KEX hash functions as sshbuf
upstream: switch mainloop from select(2) to poll(2); ok deraadt@
upstream: move a bunch of global flag variables to main(); make the
upstream: allow auto-incrementing certificate serial number for certs
upstream: make ssh-keyscan return a non-zero exit status if it
upstream: check in scp client that filenames sent during
upstream: fix NULL-deref crash in PKCS#11 code when attempting
upstream: syslog when connection is dropped for attempting to run a
upstream: when checking that filenames sent by the server side
upstream: cleanup GSSAPI authentication context after completion of the
upstream: fix regression in r1.302 reported by naddy@ - only the first
upstream: perform removal of agent-forwarding directory in forward
upstream: openssh-7.9 accidentally reused the server's algorithm lists
upstream: let PKCS11Provider=none do what users expect
upstream: mention PKCS11Provide=none, reword a little and remove
upstream: Fix two race conditions in sshd relating to SIGHUP:
upstream: in ssh_set_newkeys(), mention the direction that we're
upstream: whitespace
upstream: Fix authentication failures when "AuthenticationMethods
upstream: fix interaction between ClientAliveInterval and RekeyLimit
upstream: when logging/fataling on error, include a bit more detail
upstream: openssh-8.0
dtucker at openbsd.org (28):
upstream: Import new moduli.
upstream: Fix inverted logic for redirecting ProxyCommand stderr to
upstream: UsePrivilegeSeparation no is deprecated
upstream: Append pid to temp files in /var/run and set a cleanup
upstream: Output info on SIGUSR1 as well as
upstream: Remove now-unneeded ifdef SIGINFO around handler since it is
upstream: Fix calculation of initial bandwidth limits. Account for
upstream: DH-GEX min value is now specified in RFC8270. ok djm@
upstream: Sanitize scp filenames via snmprintf. To do this we move
upstream: Remove 3 as a guess for possible generator during moduli
upstream: Remove duplicate word. bz#2958, patch from jjelen at
upstream: Remove support for obsolete host/port syntax.
upstream: Always initialize 2nd arg to hpdelim2. It populates that
upstream: Check for both EAGAIN and EWOULDBLOCK. This is a no-op
upstream: Have progressmeter force an update at the beginning and
upstream: Accept the host key fingerprint as a synonym for "yes"
upstream: Generate all key supported key types and enable for keyscan
upstream: Count the number of key types instead of assuming there
upstream: Enable ssh-dss for the agent test. Disable it for the
upstream: Remove leftover debugging.
upstream: The test sshd_config in in $OBJ.
upstream: Save connection timeout and restore for 2nd and
upstream: Remove obsolete "Protocol" from commented out examples. Patch
upstream: Adapt code in the non-USE_PIPES codepath to the new packet
upstream: Reset last-seen time when sending a keepalive. Prevents
upstream: Move checks for lists of users or groups into their own
upstream: Increase the default RSA key size to 3072 bits. Based on
upstream: Expand comment to document rationale for default key
florian at openbsd.org (1):
upstream: struct sockaddr_storage is guaranteed to be large enough,
jmc at openbsd.org (7):
upstream: tweak previous;
upstream: - -T was added to the first synopsis by mistake - since
upstream: tweak previous;
upstream: add -T to usage();
upstream: sync the description of ~/.ssh/config with djm's updated
upstream: benno helped me clean up the tcp forwarding section;
upstream: full stop in the wrong place;
markus at openbsd.org (3):
upstream: Add authors for public domain sntrup4591761 code;
upstream: dup stdout/in for proxycommand=-, otherwise stdout might
upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL
naddy at openbsd.org (1):
upstream: PKCS#11 support is no longer limited to RSA; ok benno@
schwarze at openbsd.org (1):
upstream: fix markup error (missing blank before delimiter); from
tb at openbsd.org (4):
upstream: Print an \r in front of the password prompt so parts of
upstream: Fix BN_is_prime_* calls in SSH, the API returns -1 on
upstream: Add a -J option as a shortcut for -o Proxyjump= to scp(1)
upstream: Forgot to add -J to the synopsis.
tedu at openbsd.org (1):
upstream: remove unused and problematic sudo clean. ok espie
-----------------------------------------------------------------------
No new revisions were added by this update.
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.