[openssh-commits] [openssh] annotated tag V_8_1_P1 created (now ed5822cb)
git+noreply at mindrot.org
Wed Oct 9 12:00:18 AEDT 2019
This is an automated email from the git hooks/post-receive script.
djm pushed a change to annotated tag V_8_1_P1
in repository openssh.
at ed5822cb (tag)
tagging cdf1d0a9f5d18535e0a18ff34860e81a6d83aa5c (commit)
replaces V_8_0_P1
tagged by Damien Miller
on Wed Oct 9 11:38:46 2019 +1100
- Log -----------------------------------------------------------------
openssh-8.1p1
Damien Miller (30):
remove realpath() compat replacement
sftp-realpath.c needs includes.h
fix typo that prevented detection of Linux VRF
depend
fix SIGWINCH delivery of Solaris for mux sessions
convert to UTF-8; from Mike Frysinger
allow mprotect(2) with PROT_(READ|WRITE|NONE) only
use SC_ALLOW_ARG_MASK to limit mmap protections
proc_pidinfo()-based closefrom() for OS X
tweak warning flags
retain Solaris PRIV_FILE_LINK_ANY in sftp-server
fixed test in OSX closefrom() replacement
portability fixes for sshsig
oops; missed including the actual file
Fuzzer harness for sshsig
fuzzer for sshsig allowed_signers option parsing
update fuzzing makefile to more recent clang
check that configure/config.h is up to date
extend autoconf freshness test
revert config.h/config.h.in freshness checks
make unittests pass for no-openssl case
needs time.h for --without-openssl
explicitly test set[ug]id() return values
memleak of buffer in sshpam_query
typo in comment
remove duplicate #includes
avoid "return (value)" in void-declared function
wrap stdint.h include in HAVE_STDINT_H
depend
prepare for 8.1 release
Darren Tucker (68):
Don't install duplicate STREAMS modules on Solaris
Whitespace resync w/OpenBSD.
Import regenerated moduli.
Remove unused variables from RLIMIT_NOFILE test.
Use "doc" man page format if mandoc present.
Fix typo in man page formatter selector.
Add OpenSSL 1.1.1 to the supported list.
Conditionalize ECDH methods in CA algos.
Fix building w/out ECC.
Use the correct macro for SSH_ALLOWED_CA_SIGALGS.
Add no-op implementation of pam_putenv.
Have pthread_create return errno on failure.
Update utimensat test.
Always clean up before and after utimensat test.
Include missed bits from previous sync.
Typo fixes in error messages.
upstream: Use explicit_bzero instead of memset
upstream rev 1.25: add sys/types.h
upstream rev 1.25: add DEF_WEAK.
upstream rev 1.27: fix integer overflow.
Include stdio.h for vsnprintf.
Do not fatal on failed lookup of group "tty".
Remove nc stderr redirection to resync w/OpenBSD.
Add missing bracket in EGD seeding code.
Add prototype for compat strndup.(bz#3032).
Cast *ID types to unsigned long when printing.
Add prototype for strnlen to prevent warnings.
Include log.h for debug() and friends.
Move log.h include inside ifdefs.
Allow agent tests to write to valgrind dir.
Clear valgrind-out dir to prevent collisions.
Import memmem.c from OpenBSD.
Hook memmem compat code into build.
Put valgrind vgdb files to a specific directory.
Allow low-priv tests to write to pipe dir.
Fail tests if Valgrind enabled and reports errors.
Fix format string integer type in error message.
Show valgrind results and error counts.
Enable connect-privsep test with valgrind.
Show when skipping valgrind for a test.
make depend.
Force dependencies one per line.
Revert one dependency per line change.
Skip running sftp-chroot under Valgrind.
Rename valgrind "errors" to "failures".
Import current sha2.c and sha2.h from OpenBSD.
Re-apply portability changes to current sha2.{c,h}.
Include stdlib.h for free() and calloc().
Add headers to prevent warnings w/out OpenSSL.
Remove sys/cdefs.h include.
Split regress-binaries into two targets.
upstream rev 1.28: fix comment typo.
Make "unit" a dependency of "test".
Add lib dependencies for regress binary targets.
Split test targets further.
Remove override disabling DH-GEX.
Report success of individual tests as well as all.
Fix mem leak in unit test.
Fix pasto in fallback code.
Provide explicit path to configure-check.
Privsep is now required.
Add more ToS bits, currently only used by netcat.
Re-enable dhgex test.
Add SKIP_LTESTS for skipping specific tests.
Include stdio.h for snprintf.
Put ssherr.h back as it's actually needed.
Make DEF_WEAK more likely to be correct.
Make MAKE_CLONE no-op macro more correct.
Eduardo Barretto (1):
Enable specific ioctl call for EP11 crypto card (s390)
Elliott Hughes (1):
pthread_create(3) returns positive values on failure.
Harald Freudenberger (1):
allow s390 specific ioctl for ecc hardware support
Jitendra Sharma (1):
Update README doc to include missing test cases
Lonnie Abelbeck (1):
Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
Sorin Adrian Savu (1):
openssl-devel is obsoleted by libssl-devel
bluhm at openbsd.org (1):
upstream: Test did not compile due to missing symbols. Add source
deraadt at openbsd.org (10):
upstream: When doing the fork+exec'ing for ssh-keysign, rearrange
upstream: Some asprintf() calls were checked < 0, rather than the
upstream: oops, from asou
upstream: asprintf returns -1, not an arbitrary value < 0. Also
upstream: When system calls indicate an error they return -1, not
upstream: snprintf/vsnprintf return < 0 on error, rather than -1.
upstream: stat() returns precisely -1 to indicate error
upstream: fatal() if getgrnam() cannot find "tty"
upstream: still compile uuencode.c, unbreaks build
upstream: identity_file[] should be PATH_MAX, not the arbitrary
djm at openbsd.org (77):
upstream: When signing certificates with an RSA key, default to
upstream: embiggen format buffer size for certificate serial number so
upstream: fix ssh-keysign fd handling problem introduced in r1.304
upstream: if passed a bad fd, log what it was
upstream: for public key authentication, check AuthorizedKeysFiles
upstream: process agent requests for RSA certificate private keys using
upstream: slightly more instructive error message when the user
upstream: check for convtime() refusing to accept times that
upstream: print the correct AuthorizedPrincipalsCommand rather than
upstream: Add protection for private keys at rest in RAM against
upstream: adapt for key shielding API changes (const removal)
upstream: fix mismatch proto/decl from key shielding change; spotted
upstream: fix NULL deference (bzero) on err
upstream: add a local implementation of BSD realpath() for
upstream: revert header removal that snuck into previous
upstream: cap the number of permiopen/permitlisten directives we're
upstream: print explicit "not modified" message if a file was
upstream: include SHA2-variant RSA key algorithms in KEX proposal;
upstream: add some functions to perform random-access read/write
upstream: unit tests for sshbuf_peek/poke bounds-checked random access
upstream: two more bounds-checking sshbuf counterparts to common
upstream: support PKCS8 as an optional format for storage of
upstream: unit tests for sshbuf_cmp() and sshbuf_find(); ok markus
upstream: remove mostly vestigal uuencode.[ch]; moving the only unique
upstream: adapt to sshbuf_dtob64() change
upstream: fix off-by-one in sshbuf_dtob64() base64 wrapping that could
upstream: Accept the verbose flag when searching for host keys in known
upstream: add regression tests for scp for out-of-destination path file
upstream: let sshbuf_find/cmp take a void* for the
upstream: typo; from Christian Hesse
upstream: fix some memleaks in test_helper code
upstream: produce a useful error message if the user's shell is set
upstream: switch percent_expand() to use sshbuf instead of a limited
upstream: include sshbuf-misc.c in SRCS_BASE
upstream: print comment when printing pubkey from private
upstream: downgrade PKCS#11 "provider returned no slots" warning
upstream: constify an argument
upstream: factor out confirm_overwrite(); ok markus@
upstream: fix memleak in ssh_free_identitylist(); ok markus@
upstream: authfd: add function to check if key is in agent
upstream: move skip_space() to misc.c and make it public; ok
upstream: move advance_past_options to authfile.c and make it
upstream: make get_sigtype public as sshkey_get_sigtype(); ok
upstream: move authorized_keys option parsing helpsers to misc.c
upstream: sshsig: lightweight signature and verification ability
upstream: sshsig tweaks and improvements from and suggested by
upstream: only add plain keys to prevent any certs laying around
upstream: regress test for sshsig; feedback and ok markus@
upstream: expose allowed_signers options parsing code in header for
upstream: memleak on error path; found by libfuzzer
upstream: only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
upstream: sprinkle in some explicit errors here, otherwise the
upstream: if a PKCS#11 token returns no keys then try to login and
upstream: better error code for bad arguments; inspired by
upstream: remove leakmalloc reference; we used this early when
upstream: lots of things were relying on libcrypto headers to
upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@
upstream: avoid compiling certain files that deeply depend on
upstream: typo in previous
upstream: key conversion should fail for !openssl builds, not fall
upstream: clarify that ConnectTimeout applies both to the TCP
upstream: allow %n to be expanded in ProxyCommand strings
upstream: whitespace
upstream: clarify that IdentitiesOnly also applies to the default
upstream: Allow testing signature syntax and validity without verifying
upstream: revert unconditional forced login implemented in r1.41 of
upstream: remove some duplicate #includes
upstream: ban empty namespace strings for s
upstream: make signature format match PROTOCO
upstream: thinko in previous; spotted by Mantas
upstream: more sshsig regress tests: check key revocation, the
upstream: space
upstream: fix memory leak in error path; bz#3074 patch from
upstream: reversed test yielded incorrect debug message
upstream: fix integer overflow in XMSS private key parsing.
upstream: fix an unreachable integer overflow similar to the XMSS
upstream: openssh-8.1
dtucker at openbsd.org (45):
upstream: Remove crc32.{c,h} which were only used by the now-gone
upstream: When running sshd -T, assume any attibute not provided by
upstream: Document new default RSA key size. From
upstream: Use the LogLevel typdef instead of int where appropriate. Patch from Markus Schmidt via openssh-unix-dev, ok markus@
upstream: Import regenerated moduli.
upstream: Wrap XMSS including in ifdef. Patch from markus at
upstream: Free host on exit path. Patch from markus at
upstream: Free channel objects on exit path. Patch from markus at
upstream: Use the correct (according to POSIX) format for
upstream: Move a variable declaration to the block where it's used
upstream: Check for user at host when parsing sftp target. This
upstream: Typo and spelling fixes in comments and error messages.
upstream: Add tests for sshd -T -C with Match.
upstream: Add unit tests for user at host and URI parsing.
upstream: Remove unneeded unlink of xauthfile o
upstream: Add a sleep to allow forwards to come up.
upstream: Adapt the PuTTY/Conch tests to new key names.
upstream: Add (recently added) rsa_oldfmt to CLEANFILES.
upstream: Remove some set but never used variables. ok daraadt@
upstream: Update names of host key files in CLEANFILES to match
upstream: Remove ssh1 files from CLEANFILES since ssh1 no longer
upstream: Move sleep time into a variable so that we can increase
upstream: Allow SLEEPTIME to be overridden.
upstream: Remove the sleeps and thus races from the forwarding
upstream: Only add ssh-dss to allowed key types if it's supported
upstream: Only test conversion of key types supported by the
upstream: Skip DH group generation test if binaries don't support
upstream: Only use DSA key type in tests if binaries support it.
upstream: Construct list of key types to test based on the types
upstream: Make certificate tests work with the supported key
upstream: Switch keys-command test from rsa to ed25519 since it's
upstream: Only use supported key types during KRL test, preferring
upstream: Restrict limit-keytype to types supported by build. This
upstream: Fix typo in CASignatureAlgorithms wherein what should be
upstream: Remove now-redundant perm_ok arg since
upstream: Allow the maximimum uint32 value for the argument passed to
upstream: Change description of TCPKeepAlive from "inactive" to
upstream: Use ed25519 for most hostkey rotation tests since it's
upstream: Check for RSA support before using it for the user key,
upstream: Fix potential truncation warning. ok deraadt.
upstream: Plug mem leaks on error paths, based in part on github
upstream: Test for empty result in expected bits. Remove CRs from log
upstream: Check for gmtime failure in moduli generation. Based on
upstream: Instead of running sed over the whole log to remove CRs,
upstream: Correct type for end-of-list sentinel; fixes initializer
florian at openbsd.org (1):
upstream: For PermitOpen violations add the remote host and port to
jmc at openbsd.org (11):
upstream: tweak previous;
upstream: consistent lettering for "HostName" keyword; from lauri
upstream: deraadt noticed some inconsistency in the way we denote
upstream: Hostname->HostName cleanup; from lauri tirkkonen ok
upstream: from tim: - for reput, it is remote-path which is
upstream: tweak previous;
upstream: macro fix; ok djm
upstream: new sentence, new line;
upstream: fix the DH-GEX text in -a; because this required a comma,
upstream: group and sort single letter options; ok deraadt
upstream: use a more common options order in SYNOPSIS and sync
kn at openbsd.org (1):
upstream: Call comma-separated lists as such to clarify semantics
lum at openbsd.org (1):
upstream: Make the standard output messages of both methods of
mestre at openbsd.org (1):
upstream: When using a combination of a Yubikey+GnuPG+remote
naddy at openbsd.org (4):
upstream: Many key types are supported now, so take care to check
upstream: repair typo and editing mishap
upstream: Call comma-separated lists as such to clarify semantics.
upstream: Allow prepending a list of algorithms to the default set
otto at openbsd.org (1):
upstream: Replace calls to ssh_malloc_init() by a static init of
schwarze at openbsd.org (1):
upstream: Delete some .Sx macros that were used in a wrong way.
tb at openbsd.org (1):
upstream: Fix a typo and make <esc><right> move right to the
-----------------------------------------------------------------------
No new revisions were added by this update.
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.