[openssh-commits] [openssh] branch master updated (e7adebef -> 82662d56)

git+noreply at mindrot.org
Thu Nov 7 10:49:16 AEDT 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master
in repository openssh.

    from e7adebef Add git signing key for Tim Rice
     new 593a0b65 upstream: Ignore extra groups that don't fit in the buffer passed
     new 82662d56 upstream: ssh-agent implemented an all-or-nothing allow-list of

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 82662d562cf54829df8a941cdfb2fd307e1d9a90
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Nov 6 22:51:26 2024 +0000

    upstream: ssh-agent implemented an all-or-nothing allow-list of
    
    FIDO application IDs for security key-backed keys, to prevent web key handles
    from being used remotely as this would likely lead to unpleasant surprises.
    By default, only application IDs that start with "ssh:*" are allowed.
    
    This adds a -Owebsafe-allow=... argument that can override the default
    list with a more or less restrictive one. The default remains unchanged.
    
    ok markus@
    
    OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d

commit 593a0b65c55c1e06a8c22b084aefc395aedb0127
Author: jca at openbsd.org <jca at openbsd.org>
Date:   Mon Nov 4 21:59:15 2024 +0000

    upstream: Ignore extra groups that don't fit in the buffer passed
    
    to getgrouplist(3)
    
    Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents
    an admin from adding a user to more groups.  With that tweak we'll keep
    on ignoring them instead of potentially reading past the buffer passed to
    getgrouplist(3).  That behavior is explicitly described in initgroups(3).
    
    ok millert@ gilles@
    
    OpenBSD-Commit-ID: a959fc45ea3431b36f52eda04faefc58bcde00db

Summary of changes:
 .skipped-commit-ids |  1 +
 groupaccess.c       |  2 +-
 ssh-agent.1         | 26 +++++++++++++++++++-------
 ssh-agent.c         | 19 ++++++++++++++++---
 4 files changed, 37 insertions(+), 11 deletions(-)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
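
Added example, not part of the commits above or of OpenSSH's code: the getgrouplist(3) overflow case described in commit 593a0b65, with the returned count clamped to the buffer capacity before anything reads the array. The names fake_getgrouplist, load_groups and in_group, the user "alice" and the gid values are constructed for illustration; the stub stands in for getgrouplist(3) so the block runs offline.

```c
/* Added example, not OpenSSH code. fake_getgrouplist() and its data are constructed. */
#include <stdio.h>
#include <sys/types.h>

#define MAX_GROUPS 16	/* buffer capacity; the commit cites NGROUPS_MAX = 16 */

/* Contract assumed from getgrouplist(3): on overflow return -1, fill only
 * what fits, and store the total number of groups found in *ngroups. */
typedef int (*grouplist_fn)(const char *, gid_t, gid_t *, int *);

/* Constructed stand-in: the user belongs to 20 groups, base..base+19. */
static int fake_getgrouplist(const char *user, gid_t base, gid_t *groups, int *ngroups)
{
	const int total = 20;
	int cap = *ngroups, i;
	(void)user;
	for (i = 0; i < total && i < cap; i++)
		groups[i] = base + (gid_t)i;
	*ngroups = total;
	return total > cap ? -1 : 0;
}

/* Fill out[] and return how many entries are safe to read (never > cap). */
static int load_groups(grouplist_fn fn, const char *user, gid_t base, gid_t *out, int cap)
{
	int n = cap;
	if (fn(user, base, out, &n) == -1)
		fprintf(stderr, "%s: group list too small, extras ignored\n", user);
	if (n > cap)
		n = cap;	/* without this clamp, readers index past out[] */
	return n < 0 ? 0 : n;
}

/* Membership test bounded by the clamped count. */
static int in_group(const gid_t *groups, int n, gid_t gid)
{
	for (int i = 0; i < n; i++)
		if (groups[i] == gid)
			return 1;
	return 0;
}

int main(void)
{
	gid_t groups[MAX_GROUPS];
	int n = load_groups(fake_getgrouplist, "alice", 1000, groups, MAX_GROUPS);
	printf("usable=%d gid1015=%d gid1019=%d\n", n, in_group(groups, n, 1015), in_group(groups, n, 1019));
	return 0;
}
```

The groups that did not fit are treated as absent, so any allow or deny decision keyed on a 17th or later group will not see that membership.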

