[openssh-commits] [openssh] annotated tag V_9_5_P1 created (now e2b5d8ee)

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Oct 4 21:00:11 AEDT 2023


This is an automated email from the git hooks/post-receive script.

djm pushed a change to annotated tag V_9_5_P1
in repository openssh.

        at  e2b5d8ee  (tag)
   tagging  80a2f64b8c1d27383cc83d182b73920d1e6a91f1 (commit)
  replaces  V_9_3_P1
 tagged by  Damien Miller
        on  Wed Oct 4 15:55:00 2023 +1100

- Log -----------------------------------------------------------------
openssh-9.5p1

Carlos Rodríguez Gili (1):
      Fix test error for /bin/sh on Solaris 10 and older

Damien Miller (25):
      remove support for old libcrypto
      put back SSLeay_version compat in configure test
      Allow building with BoringSSL
      don't use obsolete ERR_load_CRYPTO_strings()
      another ERR_load_CRYPTO_strings() vestige
      BoringSSL doesn't support EC_POINT_point2bn()
      Github testing support for BoringSSL
      don't call connect() on negative socket
      need va_end() after va_copy(); ok dtucker
      remove unused upper-case const strings in fmtfp
      handle sysconf(SC_OPEN_MAX) returning > INT_MAX;
      replace deprecate selinux matchpathcon function
      portable-specific int overflow defence-in-depth
      avoid AF_LINK on platforms that don't define it
      conditionalise match localnetwork on ifaddrs.h
      conditionalise stdint.h inclusion on HAVE_STDINT_H
      agent_fuzz doesn't want stdint.h conditionalised
      Bring back OPENSSL_HAS_ECC to ssh-pkcs11-client
      depend
      wrap poll.h include in HAVE_POLL_H
      update version in README
      update versions in RPM specs
      depend
      use portable provider allowlist path in manpage
      crank version numbers

Darren Tucker (42):
      Show 9.3 branch instead of 9.2.
      Test latest OpenSSL 1.1, 3.0 and LibreSSL 3.7.
      Find suitable OpenSSL version.
      Specify test target if we build without OpenSSL.
      Split libcrypto and other config flags.
      Explicitly disable security key test on aix51 VM.
      Also look for gdb error message from OpenIndiana.
      Explicitly disable OpenSSL on AIX test VM.
      Pass rpath when building 64bit Solaris.
      Configure with --target instead of deprecated form.
      Replace OPENSSL_NO_SHA with HEADER_SHA_H.
      Remove HEADER_SHA_H from previous...
      Prevent conflicts between Solaris SHA2 and OpenSSL.
      child_set_eng: verify both env pointer and count.
      Test against LibreSSL 3.7.2.
      Add macos-13 test target.
      Handle OpenSSL >=3 ABI compatibility.
      Include config.guess in debug output.
      Skip agent-peereid test on macos13.
      Add macos13 PAM test target.
      Update OpenSSL compat test for 3.x.
      Suppress warning for snprintf truncation test.
      Remove warning pragma since clang doesn't like it.
      main(void) to prevent unused variable warning.
      Special case OpenWrt instead of Dropbear.
      Make ssh-copy-id(1) consistent with OpenSSH.
      Update runner OS version for hardenedmalloc test.
      Fix typo in declaration of nmesg.
      Handle a couple more OpenSSL no-ecc cases.
      Retire dfly58 test VM.  Add dfly64.
      Prefer OpenSSL's SHA256 in sk-dummy.so
      Fix RNG seeding for OpenSSL w/out self seeding.
      Only include unistd.h once.
      Add obsd72 and obsd73 test targets.
      Add 9.4 branch to CI status page.
      Fix zlib version check for 1.3 and future version.
      Add test for zlib development branch.
      Add OpenBSD ARM64 test host.
      obsd-arm64 host is real hardware...
      Include Portable version in sshd version string.
      Set LLONG_MAX for C89 test.
      Use zero-call-used-regs=used with Apple compilers.

David Seifert (1):
      gss-serv.c: `MAXHOSTNAMELEN` -> `HOST_NAME_MAX`

Jakub Jelen (1):
      Remove outdated comment

Philip Hands (7):
      update copyright notices
      ssh-copy-id: add -x option (for debugging)
      add -t option to specify the target path
      make -x also apply to the target script
      drop whitespace
      if -s & -p specified, mention 'sftp -P' on success
      fixup! if -s & -p specified, mention 'sftp -P' on

deraadt at openbsd.org (1):
      upstream: typo; from Jim Spath

djm at openbsd.org (80):
      upstream: scp: when copying local->remote, check that source file
      upstream: fix test: getnameinfo returns a non-zero value on error, not
      upstream: fix memory leak; Coverity CID 291848
      upstream: return SSH_ERR_KEY_NOT_FOUND if the allowed_signers file
      upstream: remove unused variable; prompted by Coverity CID 291879
      upstream: don't attempt to decode a ridiculous number of
      upstream: remove redundant test
      upstream: don't print key if printing hostname failed; with/ok
      upstream: clamp max number of GSSAPI mechanisms to 2048; ok dtucker
      upstream: don't leak arg2 on parse_pubkey_algos error path; ok
      upstream: don't care about glob() return value here.
      upstream: match_user() shouldn't be called with user==NULL unless
      upstream: remove redundant ssh!=NULL check; we'd already
      upstream: simplify sshsig_find_principals() similar to what happened to
      upstream: Check for ProxyJump=none in CanonicalizeHostname logic.
      upstream: adjust ftruncate() logic to handle servers that reorder
      upstream: fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
      upstream: reset comment=NULL for each key in do_fingerprint();
      upstream: prepare for support for connecting to unix domain sockets
      upstream: handle rlimits > INT_MAX (rlim_t is u64); ok dtucker
      upstream: make `ssh -Q CASignatureAlgorithms` only list signature
      upstream: better validate CASignatureAlgorithms in ssh_config and
      upstream: misplaced debug message
      upstream: add defence-in-depth checks for some unreachable integer
      upstream: Support for KRL extensions.
      upstream: remove vestigal support for KRL signatures
      upstream: add a "match localnetwork" predicate.
      upstream: Add support for configuration tags to ssh(1).
      upstream: return SSH_ERR_KRL_BAD_MAGIC when a KRL doesn't contain a
      upstream: Move RCSID to before license block and away from #includes,
      upstream: move other RCSIDs to before their respective license blocks
      upstream: missing match localnetwork negation check
      upstream: terminate process if requested to load a PKCS#11 provider
      upstream: Disallow remote addition of FIDO/PKCS11 provider
      upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
      upstream: Separate ssh-pkcs11-helpers for each p11 module
      upstream: make ssh -f (fork after authentication) work properly in
      upstream: increase default KDF work-factor for OpenSSH format
      upstream: make sshd_config AuthorizedPrincipalsCommand and
      upstream: don't incorrectly truncate logged strings retrieved from
      upstream: better error messages
      upstream: test ChrootDirectory in Match block
      upstream: add LTESTS_FROM variable to allow skipping of tests up to
      upstream: don't need to start a command here; use ssh -N instead.
      upstream: CheckHostIP has defaulted to 'no' for a while; make the
      upstream: openssh-9.4
      upstream: better debug logging of sessions' exit status
      upstream: add message number of SSH2_MSG_NEWCOMPRESS defined in RFC8308
      upstream: defence-in-depth MaxAuthTries check in monitor; ok markus
      upstream: fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
      upstream: want stdlib.h for free(3)
      upstream: correct math for ClientAliveInterval that caused the
      upstream: Introduce a transport-level ping facility
      upstream: Add keystroke timing obfuscation to the client.
      upstream: explicit long long type in timing calculations (doesn't
      upstream: limit artificial login delay to a reasonable maximum (5s)
      upstream: descriptive text shouldn't be under .Cm
      upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@
      upstream: set interactive mode for ControlPersist sessions if they
      upstream: make channel_output_poll() return a flag indicating
      upstream: avoid bogus "obfuscate_keystroke_timing: stopping ..."
      upstream: trigger keystroke timing obfucation only if the channels
      upstream: handle cr+lf (instead of just cr) in sshsig signature
      upstream: downgrade duplicate Subsystem directives from being a
      upstream: preserve quoting of Subsystem commands and arguments.
      upstream: allocate the subsystems array as necessary and remove the
      upstream: allow override of Sybsystem directives in sshd Match
      upstream: regression test for override of subsystem in match blocks
      upstream: fix scp in SFTP mode recursive upload and download of
      upstream: the sftp code was one of my first contributions to
      upstream: regress test for recursive copies of directories containing
      upstream: fix recursive remote-remote copies of directories that
      upstream: regress test recursive remote-remote directories copies where
      upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer here
      upstream: randomise keystroke obfuscation intervals and average
      upstream: typo in comment
      upstream: rename remote_glob() -> sftp_glob() to match other API
      upstream: fix link to agent draft; spotted by Jann Horn
      upstream: add some cautionary text about % token expansion and
      upstream: openssh-9.5

dlg at openbsd.org (1):
      upstream: add support for unix domain sockets to ssh -W

dtucker at openbsd.org (20):
      upstream: Add tilde and environment variable expansion to
      upstream: Add RevokedHostKeys to percent expansion test.
      upstream: Remove compat code for OpenSSL 1.0.*
      upstream: Remove compat code for OpenSSL < 1.1.*
      upstream: Plug more mem leaks in sftp by making
      upstream: Plug potential mem leak in process_put.
      upstream: Ignore return from sshpkt_disconnect
      upstream: Remove dead code from inside if block.
      upstream: Ignore return value from muxclient(). It normally loops
      upstream: Check fd against >=0 instead of >0 in error path. The
      upstream: Return immediately from get_sock_port
      upstream: Explictly ignore return codes
      upstream: Explicitly ignore return from waitpid here too.
      upstream: Move up null check and simplify process_escapes.
      upstream: Import regenerated moduli.
      upstream: Remove unused prototypes for ssh1 RSA functions.
      upstream: minleft and maxsign are u_int so cast appropriately. Prompted
      upstream: Include stdint.h for SIZE_MAX. Fixes OPENSSL=no build.
      upstream: remove unnecessary if statement.
      upstream: Apply ConnectTimeout to multiplexing local socket

jmc at openbsd.org (5):
      upstream: -P before -p in SYNOPSIS;
      upstream: - add -P to usage() - sync the arg name to -J in usage()
      upstream: tweak the allow-remote-pkcs11 text;
      upstream: %C is a callable macro in mdoc(7)
      upstream: add spacing for punctuation when macro args;

job at openbsd.org (1):
      upstream: Generate Ed25519 keys when invoked without arguments

jsg at openbsd.org (3):
      upstream: fix double words ok dtucker@
      upstream: remove duplicate signal.h include
      upstream: configuation -> configuration

millert at openbsd.org (1):
      upstream: Store timeouts as int, not u_int as they are limited to

naddy at openbsd.org (2):
      upstream: man page typos; ok jmc@
      upstream: drop a wayward comma, ok jmc@

tobhe at openbsd.org (1):
      upstream: Log errors in kex_exchange_identification() with level

-----------------------------------------------------------------------

No new revisions were added by this update.
