[openssh-commits] [openssh] annotated tag V_9_8_P1 created (now 7f337c89)

git+noreply at mindrot.org
Mon Jul 1 17:55:10 AEST 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a change to annotated tag V_9_8_P1
in repository openssh.

      at 7f337c89 (tag)
 tagging 6849957945754e6551e515f41e8cf3937cda222d (commit)
 replaces V_9_7_P1
      by Damien Miller
      on Mon Jul 1 14:36:52 2024 +1000

- Log -----------------------------------------------------------------
openssh-9.8p1

90 (1):
      Fix missing header for systemd notification

Alkaid (1):
      Fix OpenSSL ED25519 support detection

Damien Miller (26):
      add new token-based signing key for dtucker@
      notify systemd on listen and reload
      depend
      sync getrrsetbyname.c with recent upstream changes
      Makefile support for sshd-session
      attempt at updating RPM specs for sshd-session
      remove remaining use_privsep mention
      rename need_privsep to need_chroot
      depend
      remove PRIVSEP macros for osx
      whitespace
      missing file for PerSourcePenalties regress test
      delay lookup of privsep user until config loaded
      fix PTY allocation on Cygwin, broken by sshd split
      typo in comment
      prepare for checking in autogenerated files
      sshd: don't use argv[0] as PAM service name
      add a sshd_config PamServiceName option
      skip penalty-expire test in valgrind test env
      minix doesn't have loopback, so skip penalty tests
      propagate PAM crashes to PerSourcePenalties
      DSA support is disabled, so remove from fuzzers
      missed a bit of DSA in the fuzzer
      PAMServiceName may appear in a Match block
      version numbers
      autogenerated files for release

Darren Tucker (23):
      Improve detection of -fzero-call-used-regs=used.
      Update branches shown on ci-status to 9.7 and 9.6.
      Move xpg4 'id' handling into test-exec.sh.
      Add Mac OS X 14 test targets.
      If we're using xpg4's id, remember to pass args.
      Add short names for test jobs on github CI.
      Be more specific about when to rerun workflows.
      Ensure /usr/local/etc exists before using in tests.
      Better short name for OpenBSD upstream CI jobs too.
      Really mkdir /usr/local/etc in CI tests.
      Resync with upstream: ${} around DATAFILE.
      Fix name of OpenBSD upstream CI jobs.
      Rearrange selfhosted VM scheduling.
      Check if OpenSSL implementation supports DSA.
      Port changes from selfhosted to upstream tests.
      Update LibreSSL and OpenSSL versions tested.
      Remove 9.6 branch from status page.
      Merge flags for OpenSSL 3.x versions.
      Remove macos-11 runner.
      Restart sshd after installing it for testing.
      Need to supply "-f" to restart sshd.
      Move -f to the place needed to restart sshd.
      Rerun upstream tests on .sh file changes too.

Eero Häkkinen (1):
      Expose SSH_AUTH_INFO_0 always to PAM auth modules.

anton at openbsd.org (3):
      upstream: Since ssh-agent(1) is only readable by root by now, use
      upstream: Add missing kex-names.c source file required since the
      upstream: Stop using DSA in dropbear interop tests.

claudio at openbsd.org (1):
      upstream: Remove unused ptr[3] char array in pkcs11_decode_hex.

deraadt at openbsd.org (14):
      upstream: new-style relink kit for sshd. The old scheme created
      upstream: also create a relink kit for ssh-agent, since it is a
      upstream: Use strtonum() instead of severely non-idiomatic
      upstream: Replace non-idiomatic strtoul(, 16) to parse a region
      upstream: rewrite convtime() to use a isdigit-scanner and
      upstream: can shortcut by returning strtonum() value directly; ok
      upstream: for parse_ipqos(), use strtonum() instead of mostly
      upstream: Oops, incorrect hex conversion spotted by claudio.
      upstream: construct and install a relink-kit for sshd-session ok
      upstream: -Werror was turned on (probably just for development),
      upstream: enable -fret-clean on amd64, for libc libcrypto ld.so
      upstream: avoid shadowing issues which some compilers won't accept
      upstream: save_errno wrappers inside two small signal handlers that
      upstream: Instead of using possibly complex ssh_signal(), write all

djm at openbsd.org (59):
      upstream: optional debugging
      upstream: allow WAYLAND_DISPLAY to enable SSH_ASKPASS
      upstream: in OpenSSH private key format, correct type for subsequent
      upstream: add explicit check for server hostkey type against
      upstream: correctly restore sigprocmask around ppoll() reported
      upstream: add missing reserved fields to key constraint protocol
      upstream: stricter validation of messaging socket fd number; disallow
      upstream: flush stdout after writing "sftp>" prompt when not using
      upstream: fix home-directory extension implementation, it always
      upstream: simplify exit message handling, which was more complicated
      upstream: Start the process of splitting sshd into separate
      upstream: missing files from previous
      upstream: fix incorrect debug option name introduced in previous
      upstream: allow overriding the sshd-session binary path
      upstream: g/c unused variable
      upstream: this test has been broken since 2014, and has been
      upstream: don't need sys/queue.h here
      upstream: typos
      upstream: warn when -r (deprecated option to disable re-exec) is
      upstream: be really strict with fds reserved for communication with the
      upstream: Add a facility to sshd(8) to penalise particular
      upstream: disable stderr redirection before closing fds
      upstream: prepare for PerSourcePenalties being enabled by default
      upstream: simplify
      upstream: make sure logs are saved from sshd run via start_sshd
      upstream: regress test for PerSourcePenalties
      upstream: mention that PerSourcePenalties don't affect concurrent
      upstream: enable PerSourcePenalties by default.
      upstream: correct error message
      upstream: log waitpid() status for abnormal exits
      upstream: reap the [net] child if it hangs up while writing privsep
      upstream: update to mention that PerSourcePenalties default to
      upstream: move tree init before possible early return
      upstream: fix off-by-one comparison for PerSourcePenalty
      upstream: a little more RB_TREE paranoia
      upstream: reap the pre-auth [net] child if it hangs up during privsep
      upstream: fix PIDFILE handling, broken for SUDO=doas in last commit
      upstream: reap preauth net child if it hangs up during privsep message
      upstream: split PerSourcePenalties address tracking. Previously it
      upstream: specify an algorithm for ssh-keyscan, otherwise it will make
      upstream: make host/banner comments go to stderr instead of stdout,
      upstream: don't redirect stderr for ssh-keyscan we expect to succeed
      upstream: split the PerSourcePenalties test in two: one tests penalty
      upstream: ssh-keyscan -q man bits
      upstream: clarify KEXAlgorithms supported vs available. Inspired by
      upstream: crank up penalty timeouts so this should work on even the
      upstream: penalty test is still a bit racy
      upstream: same treatment for this test
      upstream: promote connection-closed messages from verbose to info
      upstream: disable the DSA signature algorithm by default; ok
      upstream: put back reaping of preauth child process when writes
      upstream: stricter check for overfull tables in penalty record path
      upstream: mention SshdSessionPath option
      upstream: move child process waitpid() loop out of SIGCHLD handler;
      upstream: retire unused API
      upstream: delete obsolete comment
      upstream: use "lcd" to change directory before "lls" rather than "cd",
      upstream: when sending ObscureKeystrokeTiming chaff packets, we
      upstream: openssh-9.8

dtucker at openbsd.org (14):
      upstream: Import regenerated moduli.
      upstream: In PuTTY interop test, don't assume the PuTTY major
      upstream: Increase timeout. Resyncs with portable where some of
      upstream: Save error code from SSH for use inside case statement,
      upstream: Improve shell portability: grep -q is not portable so
      upstream: Verify string returned from local shell command.
      upstream: test -h is the POSIXly way of testing for a symlink. Reduces
      upstream: Use egrep instead of grep -E.
      upstream: Re-enable ssh-dss tests
      upstream: Rework dropbear key setup
      upstream: Use ed25519 keys for kex tests
      upstream: Provide defaults for ciphers and macs
      upstream: Remove dropbear key types not supported
      upstream: Work around dbclient cipher/mac query bug.

jmc at openbsd.org (5):
      upstream: escape the final dot at eol in "e.g." to avoid double
      upstream: do not mark up "(default: 20ms)";
      upstream: sort -q in the options list;
      upstream: - uppercase start of sentence - correct sentence grammar
      upstream: ssl(8) no longer contains a HISTORY section;

job at openbsd.org (1):
      upstream: Clarify how literal IPv6 addresses can be used in -J mode

jsg at openbsd.org (5):
      upstream: correct indentation; no functional change ok tb@
      upstream: spelling; ok djm@
      upstream: remove externs for removed vars; ok djm@
      upstream: remove prototypes with no matching function; ok djm@
      upstream: remove unused struct fwd_perm_list, no decl with complete

miod at openbsd.org (1):
      upstream: Do not pass -Werror if building with gcc 3, for asn1.h

naddy at openbsd.org (5):
      upstream: remove duplicate copy of relink kit for sshd-session
      upstream: Do not pass -Werror twice when building with clang.
      upstream: remove references to SSH1 and DSA server keys
      upstream: separate keywords with comma
      upstream: remove one more mention of DSA

renmingshuai (1):
      Shell syntax fix (leftover from a sync).

semarie at openbsd.org (1):
      upstream: set right mode on ssh-agent at boot-time

tobias at openbsd.org (2):
      upstream: never close stdin
      upstream: remove SSH1 leftovers

-----------------------------------------------------------------------

This annotated tag includes the following new commits:

     new 637e4dfe upstream: use "lcd" to change directory before "lls" rather than "cd",
     new 146c420d upstream: when sending ObscureKeystrokeTiming chaff packets, we
     new bfebb8a5 upstream: openssh-9.8
     new fa41f659 version numbers
     new 68499579 autogenerated files for release

The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 6849957945754e6551e515f41e8cf3937cda222d
Author: Damien Miller <djm at mindrot.org>
Date:   Mon Jul 1 14:36:28 2024 +1000

    autogenerated files for release

commit fa41f6592ff1b6ead4a652ac75af31eabb05b912
Author: Damien Miller <djm at mindrot.org>
Date:   Mon Jul 1 14:33:26 2024 +1000

    version numbers

commit bfebb8a5130a792c5356bd06e1ddef72a0a0449f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Jul 1 04:31:59 2024 +0000

    upstream: openssh-9.8
    
    OpenBSD-Commit-ID: 5f8b89e38a4c5f7c6d52ffa19f796d49f36fab19

commit 146c420d29d055cc75c8606327a1cf8439fe3a08
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Jul 1 04:31:17 2024 +0000

    upstream: when sending ObscureKeystrokeTiming chaff packets, we
    
    can't rely on channel_did_enqueue to tell that there is data to send. This
    flag indicates that the channels code enqueued a packet on _this_ ppoll()
    iteration, not that data was enqueued in _any_ ppoll() iteration in the
    timeslice. ok markus@
    
    OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136

commit 637e4dfea4ed81264e264b6200172ce319c64ead
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Jul 1 03:10:19 2024 +0000

    upstream: use "lcd" to change directory before "lls" rather than "cd",
    
    since the directory we're trying to list is local. Spotted by Corinna
    Vinschen
    
    OpenBSD-Regress-ID: 821feca4a4bebe491944e624c8f7f2990b891415
