[openssh-commits] [openssh] annotated tag V_8_0_P1 created (now 92d169d6)

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Apr 18 09:01:51 AEST 2019


This is an automated email from the git hooks/post-receive script.

djm pushed a change to annotated tag V_8_0_P1
in repository openssh.

        at  92d169d6  (tag)
   tagging  fd0fa130ecf06d7d092932adcd5d77f1549bfc8d (commit)
  replaces  V_7_9_P1
 tagged by  Damien Miller
        on  Thu Apr 18 08:53:19 2019 +1000

- Log -----------------------------------------------------------------
openssh-8.0

Corinna Vinschen (6):
      Cygwin: Change service name to cygsshd
      Cygwin: only tweak sshd_config file if it's new, drop creating sshd user
      Add tags to .gitignore
      Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"
      Cygwin: implement case-insensitive Unicode user and group name matching
      drop old Cygwin considerations

Dag-Erling Smørgrav (1):
      AC_CHECK_SIZEOF() no longer needs a second argument.

Damien Miller (32):
      fix compile for openssl 1.0.x w/ --with-ssl-engine
      regen depend
      remove remaining references to SSLeay
      fix builds on OpenSSL <= 1.0.x
      refactor libcrypto initialisation
      fix configure test for OpenSSL version
      expose $SSH_CONNECTION in the PAM environment
      upstream: convert auth2.c to new packet API
      depend
      remove vestiges of old packet API from loginrec.c
      remove PAM dependencies on old packet API
      last bits of old packet API / active_state global
      conditionalise ECDSA PKCS#11 support
      remove HAVE_DLOPEN that snuck in
      Fix -Wunused when compiling PKCS#11 without ECDSA
      make agent-pkcs11 search harder for softhsm2.so
      pass TEST_SSH_SSHPKCS11HELPER to regress tests
      fix previous test
      fixup missing ssherr.h
      depend
      new files need includes.h
      add missing header
      typo
      depend
      use same close logic for stderr as stdout
      don't set $MAIL if UsePam=yes
      session: Do not use removed API
      update versions
      rewrite README
      Revert "rewrite README"
      second thoughts: leave README in place
      makedepend

Darren Tucker (37):
      Include openssl compatibility.
      Check for the existence of openssl version funcs.
      Use detected version functions in openssl compat.
      Update required OpenSSL versions to match current.
      Update check for minimum OpenSSL version.
      Import new moduli.
      Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.
      Simplify OpenSSL 1.1 function checks.
      Remove hardcoded service name in cygwin setup.
      Improve warnings in cygwin service setup.
      Fix check for OpenSSL 1.0.1 exactly.
      Remove fallback check for /usr/local/ssl.
      Test for OPENSSL_init_crypto before using.
      Resync Makefile.inc with upstream.
      Resync with OpenBSD by pulling in an ifdef SIGINFO.
      Move RANDOM_SEED_SIZE outside ifdef.
      Improve OpenSSL_add_all_algorithms check.
      Reverse order of OpenSSL init functions.
      Include stdio.h for FILE if needed.
      Add a minimal implementation of utimensat().
      Add minimal fchownat and fchmodat implementations.
      Check for cc before gcc.
      Wrap ECC static globals in EC_KEY_METHOD_NEW too.
      Make --with-rpath take a flag instead of yes/no.
      Allow building against OpenSSL dev (3.x) version.
      Also undef SIMPLEQ_FOREACH_SAFE.
      Include unistd.h for strmode().
      For broken read/readv comparisons, poll(RW).
      Revert unintended parts of previous commit.
      Use Cygwin-specific matching only for users+groups.
      Replace alloca with xcalloc.
      On Cygwin run sshd as SYSTEM where possible.
      Fix build when configured --without-openssl.
      Only use O_NOFOLLOW in utimensat if defined.
      Add includes.h for compat layer.
      Adapt custom_failed_login to new prototype.
      Remove "struct ssh" from sys_auth_record_login.

Eneas U de Queiroz (1):
      fix compilation with openssl built without ECC

Jakub Jelen (1):
      Adjust softhsm2 path on Fedora Linux for regress

Kevin Adler (1):
      Don't pass loginmsg by address now that it's an sshbuf*

Manoj Ampalam (1):
      Fix error message w/out nistp521.

Tim Rice (2):
      Only use O_NOFOLLOW in fchownat and fchmodat if defined
      Stop USL compilers for erroring with "integral constant expression expected"

benno at openbsd.org (1):
      upstream: ssh-keygen -D pkcs11.so needs to initialize pkcs11

djm at openbsd.org (127):
      upstream: when printing certificate contents "ssh-keygen -Lf
      upstream: refer to OpenSSL not SSLeay;
      upstream: mention ssh-ed25519-cert-v01 at openssh.com in list of cert
      upstream: correct local variable name; from yawang AT microsoft.com
      upstream: typo in error message; caught by Debian lintian, via
      upstream: support a prefix of '@' to suppress echo of sftp batch
      upstream: fix bug in HostbasedAcceptedKeyTypes and
      upstream: fix bug in client that was keeping a redundant ssh-agent
      upstream: disallow empty incoming filename or ones that refer to the
      upstream: use path_absolute() for pathname checks; from Manoj Ampalam
      upstream: make grandparent-parent-child sshbuf chains robust to
      upstream: redirect stderr of ProxyCommands to /dev/null when ssh is
      upstream: silence (to log level debug2) failure messages when
      upstream: add some knobs:
      upstream: add a ssh_config "Match final" predicate
      upstream: don't truncate user or host name in "user at host's
      upstream: don't attempt to connect to empty SSH_AUTH_SOCK; bz#293
      upstream: no need to allocate channels_pre/channels_post in
      upstream: mention that the ssh-keygen -F (find host in
      upstream: fix option letter pasto in previous
      upstream: only consider the ext-info-c extension during the initial
      upstream: move client/server SSH-* banners to buffers under
      upstream: ssh_packet_set_state() now frees ssh->kex implicitly, so
      upstream: Request RSA-SHA2 signatures for
      upstream: static on global vars, const on handler tables that contain
      upstream: fix memory leak of ciphercontext when rekeying; bz#2942
      upstream: eliminate function-static attempt counters for
      upstream: add support for a "lsetstat at openssh.com" extension. This
      upstream: Add "-h" flag to sftp chown/chgrp/chmod commands to
      upstream: many of the global variables in this file can be made static;
      upstream: include time.h for time(3)/nanosleep(2); from Ian
      upstream: tun_fwd_ifnames variable should b
      upstream: regress bits for banner processing refactor (this test was
      upstream: begin landing remaining refactoring of packet parsing
      upstream: allow sshpkt_fatal() to take a varargs format; we'll
      upstream: convert clientloop.c to new packet API
      upstream: convert sshconnect2.c to new packet API
      upstream: convert mux.c to new packet API
      upstream: convert ssh.c to new packet API
      upstream: convert sshconnect.c to new packet API
      upstream: convert channels.c to new packet API
      upstream: convert servconf.c to new packet API
      upstream: convert the remainder of clientloop.c to new packet API
      upstream: convert the remainder of sshconnect2.c to new packet
      upstream: convert serverloop.c to new packet API
      upstream: convert auth.c to new packet API
      upstream: convert session.c to new packet API
      upstream: convert sshd.c to new packet API
      upstream: convert monitor.c to new packet API
      upstream: remove last references to active_state
      upstream: remove last traces of old packet API!
      upstream: fix error in refactor: use ssh_packet_disconnect() instead of
      upstream: add option to test whether keys in an agent are usable,
      upstream: add support for ECDSA keys in PKCS#11 tokens
      upstream: allow override of the pkcs#11 helper binary via
      upstream: cleanup pkcs#11 client code: use sshkey_new in instead
      upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
      upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
      upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
      upstream: fix leak of ECDSA pkcs11_key objects
      upstream: make the PKCS#11 RSA code more like the new PKCS#11
      upstream: use OpenSSL's RSA reference counting hooks to
      upstream: KNF previous; from markus@
      upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
      upstream: use ECDSA_SIG_set0() instead of poking signature values into
      upstream: add "extra:" target to run some extra tests that are not
      upstream: adapt agent-pkcs11.sh test to softhsm2 and add support
      upstream: allow override of ssh-pkcs11-helper binary via
      upstream: GSSAPI code got missed when converting to new packet API
      upstream: get the ex_data (pkcs11_key object) back from the keys at
      upstream: always print the caller's error message in ossl_error(),
      upstream: fix all-zero check in kexc25519_shared_key
      upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1
      upstream: Make sshpkt_get_bignum2() allocate the bignum it is
      upstream: save the derived session id in kex_derive_keys() rather
      upstream: factor out DH keygen; it's identical between the client
      upstream: factor out kex_dh_compute_key() - it's shared between
      upstream: factor out kex_load_hostkey() - this is duplicated in
      upstream: factor out kex_verify_hostkey() - again, duplicated
      upstream: Add support for a PQC KEX/KEM:
      upstream: use KEM API for vanilla c25519 KEX
      upstream: use KEM API for vanilla DH KEX
      upstream: use KEM API for vanilla ECDH
      upstream: remove kex_derive_keys_bn wrapper; no unused since the
      upstream: pass values used in KEX hash computation as sshbuf
      upstream: merge kexkem[cs] into kexgen
      upstream: rename kex->kem_client_pub -> kex->client_pub now that
      upstream: nothing shall escape this purge
      upstream: forgot to cvs add this file in previous series of commits;
      upstream: fix reversed arguments to kex_load_hostkey(); manifested as
      upstream: remove hack to use non-system libcrypto
      upstream: adapt to bignum1 API removal and bignum2 API change
      upstream: adapt to changes in KEX API and file removals
      upstream: adapt to changes in KEX APIs and file removals
      upstream: add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up
      upstream: switch sntrup implementation source from supercop to
      upstream: mention the new vs. old key formats in the introduction
      upstream: clarify: ssh-keygen -e only writes public keys, never
      upstream: print the full pubkey being attempted at loglevel >=
      upstream: Include -m in the synopsis for a few more commands that
      upstream: Mention that configuration for the destination host is
      upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by
      upstream: Correct some bugs in PKCS#11 token PIN handling at
      upstream: add -m to usage(); reminded by jmc@
      upstream: backoff reading messages from active connections when the
      upstream: pass most arguments to the KEX hash functions as sshbuf
      upstream: switch mainloop from select(2) to poll(2); ok deraadt@
      upstream: move a bunch of global flag variables to main(); make the
      upstream: allow auto-incrementing certificate serial number for certs
      upstream: make ssh-keyscan return a non-zero exit status if it
      upstream: check in scp client that filenames sent during
      upstream: fix NULL-deref crash in PKCS#11 code when attempting
      upstream: syslog when connection is dropped for attempting to run a
      upstream: when checking that filenames sent by the server side
      upstream: cleanup GSSAPI authentication context after completion of the
      upstream: fix regression in r1.302 reported by naddy@ - only the first
      upstream: perform removal of agent-forwarding directory in forward
      upstream: openssh-7.9 accidentally reused the server's algorithm lists
      upstream: let PKCS11Provider=none do what users expect
      upstream: mention PKCS11Provide=none, reword a little and remove
      upstream: Fix two race conditions in sshd relating to SIGHUP:
      upstream: in ssh_set_newkeys(), mention the direction that we're
      upstream: whitespace
      upstream: Fix authentication failures when "AuthenticationMethods
      upstream: fix interaction between ClientAliveInterval and RekeyLimit
      upstream: when logging/fataling on error, include a bit more detail
      upstream: openssh-8.0

dtucker at openbsd.org (28):
      upstream: Import new moduli.
      upstream: Fix inverted logic for redirecting ProxyCommand stderr to
      upstream: UsePrivilegeSeparation no is deprecated
      upstream: Append pid to temp files in /var/run and set a cleanup
      upstream: Output info on SIGUSR1 as well as
      upstream: Remove now-unneeded ifdef SIGINFO around handler since it is
      upstream: Fix calculation of initial bandwidth limits. Account for
      upstream: DH-GEX min value is now specified in RFC8270. ok djm@
      upstream: Sanitize scp filenames via snmprintf. To do this we move
      upstream: Remove 3 as a guess for possible generator during moduli
      upstream: Remove duplicate word. bz#2958, patch from jjelen at
      upstream: Remove support for obsolete host/port syntax.
      upstream: Always initialize 2nd arg to hpdelim2. It populates that
      upstream: Check for both EAGAIN and EWOULDBLOCK. This is a no-op
      upstream: Have progressmeter force an update at the beginning and
      upstream: Accept the host key fingerprint as a synonym for "yes"
      upstream: Generate all key supported key types and enable for keyscan
      upstream: Count the number of key types instead of assuming there
      upstream: Enable ssh-dss for the agent test. Disable it for the
      upstream: Remove leftover debugging.
      upstream: The test sshd_config in in $OBJ.
      upstream: Save connection timeout and restore for 2nd and
      upstream: Remove obsolete "Protocol" from commented out examples. Patch
      upstream: Adapt code in the non-USE_PIPES codepath to the new packet
      upstream: Reset last-seen time when sending a keepalive. Prevents
      upstream: Move checks for lists of users or groups into their own
      upstream: Increase the default RSA key size to 3072 bits. Based on
      upstream: Expand comment to document rationale for default key

florian at openbsd.org (1):
      upstream: struct sockaddr_storage is guaranteed to be large enough,

jmc at openbsd.org (7):
      upstream: tweak previous;
      upstream: - -T was added to the first synopsis by mistake - since
      upstream: tweak previous;
      upstream: add -T to usage();
      upstream: sync the description of ~/.ssh/config with djm's updated
      upstream: benno helped me clean up the tcp forwarding section;
      upstream: full stop in the wrong place;

markus at openbsd.org (3):
      upstream: Add authors for public domain sntrup4591761 code;
      upstream: dup stdout/in for proxycommand=-, otherwise stdout might
      upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL

naddy at openbsd.org (1):
      upstream: PKCS#11 support is no longer limited to RSA; ok benno@

schwarze at openbsd.org (1):
      upstream: fix markup error (missing blank before delimiter); from

tb at openbsd.org (4):
      upstream: Print an \r in front of the password prompt so parts of
      upstream: Fix BN_is_prime_* calls in SSH, the API returns -1 on
      upstream: Add a -J option as a shortcut for -o Proxyjump= to scp(1)
      upstream: Forgot to add -J to the synopsis.

tedu at openbsd.org (1):
      upstream: remove unused and problematic sudo clean. ok espie

-----------------------------------------------------------------------

No new revisions were added by this update.

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

