path: root/crypto/openssh/ChangeLog
Diffstat (limited to 'crypto/openssh/ChangeLog')
-rw-r--r-- crypto/openssh/ChangeLog 932
1 files changed, 931 insertions, 1 deletions
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 38de846..63aeae5 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,3 +1,934 @@
+20131006
+ - (djm) Release OpenSSH-6.7
+
+20141003
+ - (djm) [sshd_config.5] typo; from Iain Morgan
+
+20141001
+ - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]
+ [openbsd-compat/openbsd-compat.h] Kludge around bad glibc
+ _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
+ ok dtucker@
+
+20140910
+ - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
+ patch from Felix von Leitner; ok dtucker
+
+20140908
+ - (dtucker) [INSTALL] Update info about egd. ok djm@
+
+20140904
+ - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG
+
+20140903
+ - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and
+ conditionalise to avoid duplicate definition.
+ - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to
+ permissions/ACLs; from Corinna Vinschen
+
+20140830
+ - (djm) [openbsd-compat/openssl-compat.h] add
+ OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
+ - (djm) [misc.c] Missing newline between functions
+ - (djm) [openbsd-compat/openssl-compat.h] add include guard
+ - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@
+
+20140827
+ - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
+ [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
+ [regress/unittests/sshkey/common.c]
+ [regress/unittests/sshkey/test_file.c]
+ [regress/unittests/sshkey/test_fuzz.c]
+ [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
+ on !ECC OpenSSL systems
+ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
+ monitor, not preauth; bz#2263
+ - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
+ using memset_s() where possible; improve fallback to indirect bzero
+ via a volatile pointer to give it more of a chance to avoid being
+ optimised away.
+
+20140825
+ - (djm) [bufec.c] Skip this file on !ECC OpenSSL
+ - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,
+ update OpenSSL version requirement.
+
+20140824
+ - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not
+ PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
+
+20140823
+ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
+ lastlog writing on platforms with high UIDs; bz#2263
+ - (djm) [configure.ac] We now require a working vsnprintf everywhere (not
+ just for systems that lack asprintf); check for it always and extend
+ test to catch more brokenness. Fixes builds on Solaris <= 9
+
+20140822
+ - (djm) [configure.ac] include leading zero characters in OpenSSL version
+ number; fixes test for unsupported versions
+ - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC
+ - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/
+ definition mismatch) and warning for broken/missing snprintf case.
+ - (djm) [configure.ac] double braces to appease autoconf
+
+20140821
+ - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.
+ - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL
+ - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that
+ don't set __progname. Diagnosed by Tom Christensen.
+
+20140820
+ - (djm) [configure.ac] Check OpenSSL version is supported at configure time;
+ suggested by Kevin Brott
+ - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than
+ -L/-l; fixes linking problems on some platforms
+ - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC
+ - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna
+
+20140819
+ - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen
+ - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.
+ - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG
+ - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]
+ [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
+ of TCP wrappers.
+
+20140811
+ - (djm) [myproposal.h] Make curve25519 KEX dependent on
+ HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
+
+20140810
+ - (djm) [README contrib/caldera/openssh.spec]
+ [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
+
+20140801
+ - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need
+ a better solution, but this will have to do for now.
+ - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin
+ is closed; avoid regress failures when stdin is /dev/null
+ - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate
+ nc from stdin, it's more portable
+
+20140730
+ - OpenBSD CVS Sync
+ - millert@cvs.openbsd.org 2014/07/24 22:57:10
+ [ssh.1]
+ Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
+ - dtucker@cvs.openbsd.org 2014/07/25 21:22:03
+ [ssh-agent.c]
+ Clear buffer used for handling messages. This prevents keys being
+ left in memory after they have been expired or deleted in some cases
+ (but note that ssh-agent is setgid so you would still need root to
+ access them). Pointed out by Kevin Burns, ok deraadt
+ - schwarze@cvs.openbsd.org 2014/07/28 15:40:08
+ [sftp-server.8 sshd_config.5]
+ some systems no longer need /dev/log;
+ issue noticed by jirib;
+ ok deraadt
+
+20140725
+ - (djm) [regress/multiplex.sh] restore incorrectly deleted line;
+ pointed out by Christian Hesse
+
+20140722
+ - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow;
+ put it back
+ - (djm) [regress/multiplex.sh] change the test for still-open Unix
+ domain sockets to be robust against nc implementations that produce
+ error messages.
+ - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa-
+ specific tests inside OPENSSL_HAS_ECC.
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2014/07/22 01:18:50
+ [key.c]
+ Prevent spam from key_load_private_pem during hostbased auth. ok djm@
+ - guenther@cvs.openbsd.org 2014/07/22 07:13:42
+ [umac.c]
+ Convert from <sys/endian.h> to the shiney new <endian.h>
+ ok dtucker@, who also confirmed that -portable handles this already
+ (ID sync only, includes.h pulls in endian.h if available.)
+ - djm@cvs.openbsd.org 2014/07/22 01:32:12
+ [regress/multiplex.sh]
+ change the test for still-open Unix domain sockets to be robust against
+ nc implementations that produce error messages. from -portable
+ (Id sync only)
+ - dtucker@cvs.openbsd.org 2014/07/22 23:23:22
+ [regress/unittests/sshkey/mktestdata.sh]
+ Sign test certs with ed25519 instead of ecdsa so that they'll work in
+ -portable on platforms that don't have ECDSA in their OpenSSL. ok djm
+ - dtucker@cvs.openbsd.org 2014/07/22 23:57:40
+ [regress/unittests/sshkey/mktestdata.sh]
+ Add $OpenBSD tag to make syncs easier
+ - dtucker@cvs.openbsd.org 2014/07/22 23:35:38
+ [regress/unittests/sshkey/testdata/*]
+ Regenerate test keys with certs signed with ed25519 instead of ecdsa.
+ These can be used in -portable on platforms that don't support ECDSA.
+
+20140721
+ - OpenBSD CVS Sync
+ - millert@cvs.openbsd.org 2014/07/15 15:54:15
+ [forwarding.sh multiplex.sh]
+ Add support for Unix domain socket forwarding. A remote TCP port
+ may be forwarded to a local Unix domain socket and vice versa or
+ both ends may be a Unix domain socket. This is a reimplementation
+ of the streamlocal patches by William Ahern from:
+ http://www.25thandclement.com/~william/projects/streamlocal.html
+ OK djm@ markus@
+ - (djm) [regress/multiplex.sh] Not all netcat accept the -N option.
+ - (dtucker) [sshkey.c] ifdef out unused variable when compiling without
+ OPENSSL_HAS_ECC.
+
+20140721
+ - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits
+ needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
+ - (dtucker) [regress/unittests/sshkey/
+ {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
+ ifdefs.
+
+20140719
+ - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used
+ in servconf.h.
+
+20140718
+ - OpenBSD CVS Sync
+ - millert@cvs.openbsd.org 2014/07/15 15:54:14
+ [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
+ [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
+ [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
+ [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
+ [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
+ [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
+ [sshd_config.5 sshlogin.c]
+ Add support for Unix domain socket forwarding. A remote TCP port
+ may be forwarded to a local Unix domain socket and vice versa or
+ both ends may be a Unix domain socket. This is a reimplementation
+ of the streamlocal patches by William Ahern from:
+ http://www.25thandclement.com/~william/projects/streamlocal.html
+ OK djm@ markus@
+ - jmc@cvs.openbsd.org 2014/07/16 14:48:57
+ [ssh.1]
+ add the streamlocal* options to ssh's -o list; millert says they're
+ irrelevant for scp/sftp;
+ ok markus millert
+ - djm@cvs.openbsd.org 2014/07/17 00:10:56
+ [sandbox-systrace.c]
+ ifdef SYS_sendsyslog so this will compile without patching on -stable
+ - djm@cvs.openbsd.org 2014/07/17 00:10:18
+ [mux.c]
+ preserve errno across syscall
+ - djm@cvs.openbsd.org 2014/07/17 00:12:03
+ [key.c]
+ silence "incorrect passphrase" error spam; reported and ok dtucker@
+ - djm@cvs.openbsd.org 2014/07/17 07:22:19
+ [mux.c ssh.c]
+ reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
+ previously we were always returning 0. bz#2255 reported by Brendan
+ Germain; ok dtucker
+ - djm@cvs.openbsd.org 2014/07/18 02:46:01
+ [ssh-agent.c]
+ restore umask around listener socket creation (dropped in streamlocal patch
+ merge)
+ - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used
+ in servconf.h.
+ - (dtucker) [Makefile.in] Add a t-exec target to run just the executable
+ tests.
+ - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.
+
+20140717
+ - (djm) [digest-openssl.c] Preserve array order when disabling digests.
+ Reported by Petr Lautrbach.
+ - OpenBSD CVS Sync
+ - deraadt@cvs.openbsd.org 2014/07/11 08:09:54
+ [sandbox-systrace.c]
+ Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking,
+ update your kernels and sshd soon.. libc will start using sendsyslog()
+ in about 4 days.
+ - tedu@cvs.openbsd.org 2014/07/11 13:54:34
+ [myproposal.h]
+ by popular demand, add back hamc-sha1 to server proposal for better compat
+ with many clients still in use. ok deraadt
+
+20140715
+ - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
+ has been located; fixes builds agains libressl-portable
+
+20140711
+ - OpenBSD CVS Sync
+ - benno@cvs.openbsd.org 2014/07/09 14:15:56
+ [ssh-add.c]
+ fix ssh-add crash while loading more than one key
+ ok markus@
+
+20140709
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/07/07 08:19:12
+ [ssh_config.5]
+ mention that ProxyCommand is executed using shell "exec" to avoid
+ a lingering process; bz#1977
+ - djm@cvs.openbsd.org 2014/07/09 01:45:10
+ [sftp.c]
+ more useful error message when GLOB_NOSPACE occurs;
+ bz#2254, patch from Orion Poplawski
+ - djm@cvs.openbsd.org 2014/07/09 03:02:15
+ [key.c]
+ downgrade more error() to debug() to better match what old authfile.c
+ did; suppresses spurious errors with hostbased authentication enabled
+ - djm@cvs.openbsd.org 2014/07/06 07:42:03
+ [multiplex.sh test-exec.sh]
+ add a hook to the cleanup() function to kill $SSH_PID if it is set
+
+ use it to kill the mux master started in multiplex.sh (it was being left
+ around on fatal failures)
+ - djm@cvs.openbsd.org 2014/07/07 08:15:26
+ [multiplex.sh]
+ remove forced-fatal that I stuck in there to test the new cleanup
+ logic and forgot to remove...
+
+20140706
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/07/03 23:18:35
+ [authfile.h]
+ remove leakmalloc droppings
+ - djm@cvs.openbsd.org 2014/07/05 23:11:48
+ [channels.c]
+ fix remote-forward cancel regression; ok markus@
+
+20140704
+ - OpenBSD CVS Sync
+ - jsing@cvs.openbsd.org 2014/07/03 12:42:16
+ [cipher-chachapoly.c]
+ Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
+ makes it easier to verify that chacha_encrypt_bytes() is only called once
+ per chacha_ivsetup() call.
+ ok djm@
+ - djm@cvs.openbsd.org 2014/07/03 22:23:46
+ [sshconnect.c]
+ when rekeying, skip file/DNS lookup if it is the same as the key sent
+ during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
+ - djm@cvs.openbsd.org 2014/07/03 22:33:41
+ [channels.c]
+ allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
+ GatewayPorts=no; allows client to choose address family;
+ bz#2222 ok markus@
+ - djm@cvs.openbsd.org 2014/07/03 22:40:43
+ [servconf.c servconf.h session.c sshd.8 sshd_config.5]
+ Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
+ executed, mirroring the no-user-rc authorized_keys option;
+ bz#2160; ok markus@
+
+20140703
+ - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
+ doesn't support it.
+ - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist;
+ bz#2237
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/07/03 01:45:38
+ [sshkey.c]
+ make Ed25519 keys' title fit properly in the randomart border; bz#2247
+ based on patch from Christian Hesse
+ - djm@cvs.openbsd.org 2014/07/03 03:11:03
+ [ssh-agent.c]
+ Only cleanup agent socket in the main agent process and not in any
+ subprocesses it may have started (e.g. forked askpass). Fixes
+ agent sockets being zapped when askpass processes fatal();
+ bz#2236 patch from Dmitry V. Levin
+ - djm@cvs.openbsd.org 2014/07/03 03:15:01
+ [ssh-add.c]
+ make stdout line-buffered; saves partial output getting lost when
+ ssh-add fatal()s part-way through (e.g. when listing keys from an
+ agent that supports key types that ssh-add doesn't);
+ bz#2234, reported by Phil Pennock
+ - djm@cvs.openbsd.org 2014/07/03 03:26:43
+ [digest-openssl.c]
+ use EVP_Digest() for one-shot hash instead of creating, updating,
+ finalising and destroying a context.
+ bz#2231, based on patch from Timo Teras
+ - djm@cvs.openbsd.org 2014/07/03 03:34:09
+ [gss-serv.c session.c ssh-keygen.c]
+ standardise on NI_MAXHOST for gethostname() string lengths; about
+ 1/2 the cases were using it already. Fixes bz#2239 en passant
+ - djm@cvs.openbsd.org 2014/07/03 03:47:27
+ [ssh-keygen.c]
+ When hashing or removing hosts using ssh-keygen, don't choke on
+ @revoked markers and don't remove @cert-authority markers;
+ bz#2241, reported by mlindgren AT runelind.net
+ - djm@cvs.openbsd.org 2014/07/03 04:36:45
+ [digest.h]
+ forward-declare struct sshbuf so consumers don't need to include sshbuf.h
+ - djm@cvs.openbsd.org 2014/07/03 05:32:36
+ [ssh_config.5]
+ mention '%%' escape sequence in HostName directives and how it may
+ be used to specify IPv6 link-local addresses
+ - djm@cvs.openbsd.org 2014/07/03 05:38:17
+ [ssh.1]
+ document that -g will only work in the multiplexed case if applied to
+ the mux master
+ - djm@cvs.openbsd.org 2014/07/03 06:39:19
+ [ssh.c ssh_config.5]
+ Add a %C escape sequence for LocalCommand and ControlPath that expands
+ to a unique identifer based on a has of the tuple of (local host,
+ remote user, hostname, port).
+
+ Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
+ control paths.
+
+ bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
+ - jmc@cvs.openbsd.org 2014/07/03 07:45:27
+ [ssh_config.5]
+ escape %C since groff thinks it part of an Rs/Re block;
+ - djm@cvs.openbsd.org 2014/07/03 11:16:55
+ [auth.c auth.h auth1.c auth2.c]
+ make the "Too many authentication failures" message include the
+ user, source address, port and protocol in a format similar to the
+ authentication success / failure messages; bz#2199, ok dtucker
+
+20140702
+ - OpenBSD CVS Sync
+ - deraadt@cvs.openbsd.org 2014/06/13 08:26:29
+ [sandbox-systrace.c]
+ permit SYS_getentropy
+ from matthew
+ - matthew@cvs.openbsd.org 2014/06/18 02:59:13
+ [sandbox-systrace.c]
+ Now that we have a dedicated getentropy(2) system call for
+ arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
+ sandbox.
+
+ ok djm
+ - naddy@cvs.openbsd.org 2014/06/18 15:42:09
+ [sshbuf-getput-crypto.c]
+ The ssh_get_bignum functions must accept the same range of bignums
+ the corresponding ssh_put_bignum functions create. This fixes the
+ use of 16384-bit RSA keys (bug reported by Eivind Evensen).
+ ok djm@
+ - djm@cvs.openbsd.org 2014/06/24 00:52:02
+ [krl.c]
+ fix bug in KRL generation: multiple consecutive revoked certificate
+ serial number ranges could be serialised to an invalid format.
+
+ Readers of a broken KRL caused by this bug will fail closed, so no
+ should-have-been-revoked key will be accepted.
+ - djm@cvs.openbsd.org 2014/06/24 01:13:21
+ [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
+ [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
+ [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
+ [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
+ [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
+ [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
+ [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
+ [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
+ [sshconnect2.c sshd.c sshkey.c sshkey.h
+ [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
+ New key API: refactor key-related functions to be more library-like,
+ existing API is offered as a set of wrappers.
+
+ with and ok markus@
+
+ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
+ Dempsky and Ron Bowes for a detailed review a few months ago.
+ NB. This commit also removes portable OpenSSH support for OpenSSL
+ <0.9.8e.
+ - djm@cvs.openbsd.org 2014/06/24 02:19:48
+ [ssh.c]
+ don't fatal() when hostname canonicalisation fails with a
+ ProxyCommand in use; continue and allow the ProxyCommand to
+ connect anyway (e.g. to a host with a name outside the DNS
+ behind a bastion)
+ - djm@cvs.openbsd.org 2014/06/24 02:21:01
+ [scp.c]
+ when copying local->remote fails during read, don't send uninitialised
+ heap to the remote end. Reported by Jann Horn
+ - deraadt@cvs.openbsd.org 2014/06/25 14:16:09
+ [sshbuf.c]
+ unblock SIGSEGV before raising it
+ ok djm
+ - markus@cvs.openbsd.org 2014/06/27 16:41:56
+ [channels.c channels.h clientloop.c ssh.c]
+ fix remote fwding with same listen port but different listen address
+ with gerhard@, ok djm@
+ - markus@cvs.openbsd.org 2014/06/27 18:50:39
+ [ssh-add.c]
+ fix loading of private keys
+ - djm@cvs.openbsd.org 2014/06/30 12:54:39
+ [key.c]
+ suppress spurious error message when loading key with a passphrase;
+ reported by kettenis@ ok markus@
+ - djm@cvs.openbsd.org 2014/07/02 04:59:06
+ [cipher-3des1.c]
+ fix ssh protocol 1 on the server that regressed with the sshkey change
+ (sometimes fatal() after auth completed), make file return useful status
+ codes.
+ NB. Id sync only for these two. They were bundled into the sshkey merge
+ above, since it was easier to sync the entire file and then apply
+ portable-specific changed atop it.
+ - djm@cvs.openbsd.org 2014/04/30 05:32:00
+ [regress/Makefile]
+ unit tests for new buffer API; including basic fuzz testing
+ NB. Id sync only.
+ - djm@cvs.openbsd.org 2014/05/21 07:04:21
+ [regress/integrity.sh]
+ when failing because of unexpected output, show the offending output
+ - djm@cvs.openbsd.org 2014/06/24 01:04:43
+ [regress/krl.sh]
+ regress test for broken consecutive revoked serial number ranges
+ - djm@cvs.openbsd.org 2014/06/24 01:14:17
+ [Makefile.in regress/Makefile regress/unittests/Makefile]
+ [regress/unittests/sshkey/Makefile]
+ [regress/unittests/sshkey/common.c]
+ [regress/unittests/sshkey/common.h]
+ [regress/unittests/sshkey/mktestdata.sh]
+ [regress/unittests/sshkey/test_file.c]
+ [regress/unittests/sshkey/test_fuzz.c]
+ [regress/unittests/sshkey/test_sshkey.c]
+ [regress/unittests/sshkey/tests.c]
+ [regress/unittests/sshkey/testdata/dsa_1]
+ [regress/unittests/sshkey/testdata/dsa_1-cert.fp]
+ [regress/unittests/sshkey/testdata/dsa_1-cert.pub]
+ [regress/unittests/sshkey/testdata/dsa_1.fp]
+ [regress/unittests/sshkey/testdata/dsa_1.fp.bb]
+ [regress/unittests/sshkey/testdata/dsa_1.param.g]
+ [regress/unittests/sshkey/testdata/dsa_1.param.priv]
+ [regress/unittests/sshkey/testdata/dsa_1.param.pub]
+ [regress/unittests/sshkey/testdata/dsa_1.pub]
+ [regress/unittests/sshkey/testdata/dsa_1_pw]
+ [regress/unittests/sshkey/testdata/dsa_2]
+ [regress/unittests/sshkey/testdata/dsa_2.fp]
+ [regress/unittests/sshkey/testdata/dsa_2.fp.bb]
+ [regress/unittests/sshkey/testdata/dsa_2.pub]
+ [regress/unittests/sshkey/testdata/dsa_n]
+ [regress/unittests/sshkey/testdata/dsa_n_pw]
+ [regress/unittests/sshkey/testdata/ecdsa_1]
+ [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp]
+ [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub]
+ [regress/unittests/sshkey/testdata/ecdsa_1.fp]
+ [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb]
+ [regress/unittests/sshkey/testdata/ecdsa_1.param.curve]
+ [regress/unittests/sshkey/testdata/ecdsa_1.param.priv]
+ [regress/unittests/sshkey/testdata/ecdsa_1.param.pub]
+ [regress/unittests/sshkey/testdata/ecdsa_1.pub]
+ [regress/unittests/sshkey/testdata/ecdsa_1_pw]
+ [regress/unittests/sshkey/testdata/ecdsa_2]
+ [regress/unittests/sshkey/testdata/ecdsa_2.fp]
+ [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb]
+ [regress/unittests/sshkey/testdata/ecdsa_2.param.curve]
+ [regress/unittests/sshkey/testdata/ecdsa_2.param.priv]
+ [regress/unittests/sshkey/testdata/ecdsa_2.param.pub]
+ [regress/unittests/sshkey/testdata/ecdsa_2.pub]
+ [regress/unittests/sshkey/testdata/ecdsa_n]
+ [regress/unittests/sshkey/testdata/ecdsa_n_pw]
+ [regress/unittests/sshkey/testdata/ed25519_1]
+ [regress/unittests/sshkey/testdata/ed25519_1-cert.fp]
+ [regress/unittests/sshkey/testdata/ed25519_1-cert.pub]
+ [regress/unittests/sshkey/testdata/ed25519_1.fp]
+ [regress/unittests/sshkey/testdata/ed25519_1.fp.bb]
+ [regress/unittests/sshkey/testdata/ed25519_1.pub]
+ [regress/unittests/sshkey/testdata/ed25519_1_pw]
+ [regress/unittests/sshkey/testdata/ed25519_2]
+ [regress/unittests/sshkey/testdata/ed25519_2.fp]
+ [regress/unittests/sshkey/testdata/ed25519_2.fp.bb]
+ [regress/unittests/sshkey/testdata/ed25519_2.pub]
+ [regress/unittests/sshkey/testdata/pw]
+ [regress/unittests/sshkey/testdata/rsa1_1]
+ [regress/unittests/sshkey/testdata/rsa1_1.fp]
+ [regress/unittests/sshkey/testdata/rsa1_1.fp.bb]
+ [regress/unittests/sshkey/testdata/rsa1_1.param.n]
+ [regress/unittests/sshkey/testdata/rsa1_1.pub]
+ [regress/unittests/sshkey/testdata/rsa1_1_pw]
+ [regress/unittests/sshkey/testdata/rsa1_2]
+ [regress/unittests/sshkey/testdata/rsa1_2.fp]
+ [regress/unittests/sshkey/testdata/rsa1_2.fp.bb]
+ [regress/unittests/sshkey/testdata/rsa1_2.param.n]
+ [regress/unittests/sshkey/testdata/rsa1_2.pub]
+ [regress/unittests/sshkey/testdata/rsa_1]
+ [regress/unittests/sshkey/testdata/rsa_1-cert.fp]
+ [regress/unittests/sshkey/testdata/rsa_1-cert.pub]
+ [regress/unittests/sshkey/testdata/rsa_1.fp]
+ [regress/unittests/sshkey/testdata/rsa_1.fp.bb]
+ [regress/unittests/sshkey/testdata/rsa_1.param.n]
+ [regress/unittests/sshkey/testdata/rsa_1.param.p]
+ [regress/unittests/sshkey/testdata/rsa_1.param.q]
+ [regress/unittests/sshkey/testdata/rsa_1.pub]
+ [regress/unittests/sshkey/testdata/rsa_1_pw]
+ [regress/unittests/sshkey/testdata/rsa_2]
+ [regress/unittests/sshkey/testdata/rsa_2.fp]
+ [regress/unittests/sshkey/testdata/rsa_2.fp.bb]
+ [regress/unittests/sshkey/testdata/rsa_2.param.n]
+ [regress/unittests/sshkey/testdata/rsa_2.param.p]
+ [regress/unittests/sshkey/testdata/rsa_2.param.q]
+ [regress/unittests/sshkey/testdata/rsa_2.pub]
+ [regress/unittests/sshkey/testdata/rsa_n]
+ [regress/unittests/sshkey/testdata/rsa_n_pw]
+ unit and fuzz tests for new key API
+ - (djm) [sshkey.c] Conditionalise inclusion of util.h
+ - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test
+
+20140618
+ - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
+
+20140617
+ - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
+ openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
+ Move the OpenSSL header/library version test into its own function and add
+ tests for it. Fix it to allow fix version upgrades (but not downgrades).
+ Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
+ ok djm@ chl@
+
+20140616
+ - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via
+ OpenSMTPD and chl@
+
+20140612
+ - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
+ been removed from sshd.c.
+
+20140611
+ - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
+ openbsd-compat/bsd-asprintf.c.
+ - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*]
+ Wrap stdlib.h include an ifdef for platforms that don't have it.
+ - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for
+ u_intXX_t types.
+
+20140610
+ - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
+ regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256
+ curve tests if OpenSSL has them.
+ - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
+ the proposal if the version of OpenSSL we're using doesn't support ECC.
+ - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef
+ ECC variable too.
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/06/05 22:17:50
+ [sshconnect2.c]
+ fix inverted test that caused PKCS#11 keys that were explicitly listed
+ not to be preferred. Reported by Dirk-Willem van Gulik
+ - dtucker@cvs.openbsd.org 2014/06/10 21:46:11
+ [sshbuf.h]
+ Group ECC functions together to make things a little easier in -portable.
+ "doesn't bother me" deraadt@
+ - (dtucker) [sshbuf.h] Only declare ECC functions if building without
+ OpenSSL or if OpenSSL has ECC.
+ - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an
+ assigment that might get optimized out. ok djm@
+ - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for
+ compat stuff, specifically whether or not OpenSSL has ECC.
+
+20140527
+ - (djm) [cipher.c] Fix merge botch.
+ - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
+ from Corinna Vinschen, fixing a number of bugs and preparing for
+ Cygwin 1.7.30.
+ - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c]
+ [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
+ separation user at runtime, since it may need to be a domain account.
+ Patch from Corinna Vinschen.
+
+20140522
+ - (djm) [Makefile.in] typo in path
+
+20140521
+ - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use
+ vhangup on Linux. It doens't work for non-root users, and for them
+ it just messes up the tty settings.
+ - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC
+ when it is available. It takes into account time spent suspended,
+ thereby ensuring timeouts (e.g. for expiring agent keys) fire
+ correctly. bz#2228 reported by John Haxby
+
+20140519
+ - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
+ OpenBSD
+ - OpenBSD CVS Sync
+ - logan@cvs.openbsd.org 2014/04/20 09:24:26
+ [dns.c dns.h ssh-keygen.c]
+ Add support for SSHFP DNS records for ED25519 key types.
+ OK from djm@
+ - logan@cvs.openbsd.org 2014/04/21 14:36:16
+ [sftp-client.c sftp-client.h sftp.c]
+ Implement sftp upload resume support.
+ OK from djm@, with input from guenther@, mlarkin@ and
+ okan@
+ - logan@cvs.openbsd.org 2014/04/22 10:07:12
+ [sftp.c]
+ Sort the sftp command list.
+ OK from djm@
+ - logan@cvs.openbsd.org 2014/04/22 12:42:04
+ [sftp.1]
+ Document sftp upload resume.
+ OK from djm@, with feedback from okan@.
+ - jmc@cvs.openbsd.org 2014/04/22 14:16:30
+ [sftp.1]
+ zap eol whitespace;
+ - djm@cvs.openbsd.org 2014/04/23 12:42:34
+ [readconf.c]
+ don't record duplicate IdentityFiles
+ - djm@cvs.openbsd.org 2014/04/28 03:09:18
+ [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
+ [ssh-keygen.c]
+ buffer_get_string_ptr's return should be const to remind
+ callers that futzing with it will futz with the actual buffer
+ contents
+ - djm@cvs.openbsd.org 2014/04/29 13:10:30
+ [clientloop.c serverloop.c]
+ bz#1818 - don't send channel success/failre replies on channels that
+ have sent a close already; analysis and patch from Simon Tatham;
+ ok markus@
+ - markus@cvs.openbsd.org 2014/04/29 18:01:49
+ [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
+ [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
+ [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
+ [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
+ make compiling against OpenSSL optional (make OPENSSL=no);
+ reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
+ allows us to explore further options; with and ok djm
+ - dtucker@cvs.openbsd.org 2014/04/29 19:58:50
+ [sftp.c]
+ Move nulling of variable next to where it's freed. ok markus@
+ - dtucker@cvs.openbsd.org 2014/04/29 20:36:51
+ [sftp.c]
+ Don't attempt to append a nul quote char to the filename. Should prevent
+ fatal'ing with "el_insertstr failed" when there's a single quote char
+ somewhere in the string. bz#2238, ok markus@
+ - djm@cvs.openbsd.org 2014/04/30 05:29:56
+ [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c]
+ [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c]
+ [ssherr.h]
+ New buffer API; the first installment of the conversion/replacement
+ of OpenSSH's internals to make them usable as a standalone library.
+
+ This includes a set of wrappers to make it compatible with the
+ existing buffer API so replacement can occur incrementally.
+
+ With and ok markus@
+
+ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
+ Dempsky and Ron Bowes for a detailed review.
+ - naddy@cvs.openbsd.org 2014/04/30 19:07:48
+ [mac.c myproposal.h umac.c]
+ UMAC can use our local fallback implementation of AES when OpenSSL isn't
+ available. Glue code straight from Ted Krovetz's original umac.c.
+ ok markus@
+ - djm@cvs.openbsd.org 2014/05/02 03:27:54
+ [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
+ [misc.h poly1305.h ssh-pkcs11.c defines.h]
+ revert __bounded change; it causes way more problems for portable than
+ it solves; pointed out by dtucker@
+ - markus@cvs.openbsd.org 2014/05/03 17:20:34
+ [monitor.c packet.c packet.h]
+ unbreak compression, by re-init-ing the compression code in the
+ post-auth child. the new buffer code is more strict, and requires
+ buffer_init() while the old code was happy after a bzero();
+ originally from djm@
+ - logan@cvs.openbsd.org 2014/05/05 07:02:30
+ [sftp.c]
+ Zap extra whitespace.
+
+ OK from djm@ and dtucker@
+ - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write
+ portability glue to support building without libcrypto
+ - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c]
+ [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/03/13 20:44:49
+ [login-timeout.sh]
+ this test is a sorry mess of race conditions; add another sleep
+ to avoid a failure on slow machines (at least until I find a
+ better way)
+ - djm@cvs.openbsd.org 2014/04/21 22:15:37
+ [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
+ repair regress tests broken by server-side default cipher/kex/mac changes
+ by ensuring that the option under test is included in the server's
+ algorithm list
+ - dtucker@cvs.openbsd.org 2014/05/03 18:46:14
+ [proxy-connect.sh]
+ Add tests for with and without compression, with and without privsep.
+ - logan@cvs.openbsd.org 2014/05/04 10:40:59
+ [connect-privsep.sh]
+ Remove the Z flag from the list of malloc options as it
+ was removed from malloc.c 10 days ago.
+
+ OK from miod@
+ - (djm) [regress/unittests/Makefile]
+ [regress/unittests/Makefile.inc]
+ [regress/unittests/sshbuf/Makefile]
+ [regress/unittests/sshbuf/test_sshbuf.c]
+ [regress/unittests/sshbuf/test_sshbuf_fixed.c]
+ [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
+ [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
+ [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
+ [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
+ [regress/unittests/sshbuf/test_sshbuf_misc.c]
+ [regress/unittests/sshbuf/tests.c]
+ [regress/unittests/test_helper/Makefile]
+ [regress/unittests/test_helper/fuzz.c]
+ [regress/unittests/test_helper/test_helper.c]
+ [regress/unittests/test_helper/test_helper.h]
+ Import new unit tests from OpenBSD; not yet hooked up to build.
+ - (djm) [regress/Makefile Makefile.in]
+ [regress/unittests/sshbuf/test_sshbuf.c
+ [regress/unittests/sshbuf/test_sshbuf_fixed.c]
+ [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
+ [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
+ [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
+ [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
+ [regress/unittests/sshbuf/test_sshbuf_misc.c]
+ [regress/unittests/sshbuf/tests.c]
+ [regress/unittests/test_helper/fuzz.c]
+ [regress/unittests/test_helper/test_helper.c]
+ Hook new unit tests into the build and "make tests"
+ - (djm) [sshbuf.c] need __predict_false
+
+20140430
+ - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
+ have it. Only attempt to use __attribute__(__bounded__) for gcc.
+
+20140420
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/03/03 22:22:30
+ [session.c]
+ ignore enviornment variables with embedded '=' or '\0' characters;
+ spotted by Jann Horn; ok deraadt@
+ Id sync only - portable already has this.
+ - djm@cvs.openbsd.org 2014/03/12 04:44:58
+ [ssh-keyscan.c]
+ scan for Ed25519 keys by default too
+ - djm@cvs.openbsd.org 2014/03/12 04:50:32
+ [auth-bsdauth.c ssh-keygen.c]
+ don't count on things that accept arguments by reference to clear
+ things for us on error; most things do, but it's unsafe form.
+ - djm@cvs.openbsd.org 2014/03/12 04:51:12
+ [authfile.c]
+ correct test that kdf name is not "none" or "bcrypt"
+ - naddy@cvs.openbsd.org 2014/03/12 13:06:59
+ [ssh-keyscan.1]
+ scan for Ed25519 keys by default too
+ - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
+ [ssh-agent.c ssh-keygen.1 ssh-keygen.c]
+ Improve usage() and documentation towards the standard form.
+ In particular, this line saves a lot of man page reading time.
+ usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
+ [-N new_passphrase] [-C comment] [-f output_keyfile]
+ ok schwarze jmc
+ - tedu@cvs.openbsd.org 2014/03/17 19:44:10
+ [ssh.1]
+ old descriptions of des and blowfish are old. maybe ok deraadt
+ - tedu@cvs.openbsd.org 2014/03/19 14:42:44
+ [scp.1]
+ there is no need for rcp anymore
+ ok deraadt millert
+ - markus@cvs.openbsd.org 2014/03/25 09:40:03
+ [myproposal.h]
+ trimm default proposals.
+
+ This commit removes the weaker pre-SHA2 hashes, the broken ciphers
+ (arcfour), and the broken modes (CBC) from the default configuration
+ (the patch only changes the default, all the modes are still available
+ for the config files).
+
+ ok djm@, reminded by tedu@ & naddy@ and discussed with many
+ - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
+ [myproposal.h]
+ The current sharing of myproposal[] between both client and server code
+ makes the previous diff highly unpallatable. We want to go in that
+ direction for the server, but not for the client. Sigh.
+ Brought up by naddy.
+ - markus@cvs.openbsd.org 2014/03/27 23:01:27
+ [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
+ disable weak proposals in sshd, but keep them in ssh; ok djm@
+ - djm@cvs.openbsd.org 2014/03/26 04:55:35
+ [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
+ [misc.h poly1305.h ssh-pkcs11.c]
+ use __bounded(...) attribute recently added to sys/cdefs.h instead of
+ longform __attribute__(__bounded(...));
+
+ for brevity and a warning free compilation with llvm/clang
+ - tedu@cvs.openbsd.org 2014/03/26 19:58:37
+ [sshd.8 sshd.c]
+ remove libwrap support. ok deraadt djm mfriedl
+ - naddy@cvs.openbsd.org 2014/03/28 05:17:11
+ [ssh_config.5 sshd_config.5]
+ sync available and default algorithms, improve algorithm list formatting
+ help from jmc@ and schwarze@, ok deraadt@
+ - jmc@cvs.openbsd.org 2014/03/31 13:39:34
+ [ssh-keygen.1]
+ the text for the -K option was inserted in the wrong place in -r1.108;
+ fix From: Matthew Clarke
+ - djm@cvs.openbsd.org 2014/04/01 02:05:27
+ [ssh-keysign.c]
+ include fingerprint of key not found
+ use arc4random_buf() instead of loop+arc4random()
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
+ [sshconnect.c]
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+ certificate keys to plain keys and attempt SSHFP resolution.
+
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+ dialog by offering only certificate keys.
+
+ Reported by mcv21 AT cam.ac.uk
+ - djm@cvs.openbsd.org 2014/04/01 05:32:57
+ [packet.c]
+ demote a debug3 to PACKET_DEBUG; ok markus@
+ - djm@cvs.openbsd.org 2014/04/12 04:55:53
+ [sshd.c]
+ avoid crash at exit: check that pmonitor!=NULL before dereferencing;
+ bz#2225, patch from kavi AT juniper.net
+ - djm@cvs.openbsd.org 2014/04/16 23:22:45
+ [bufaux.c]
+ skip leading zero bytes in buffer_put_bignum2_from_string();
+ reported by jan AT mojzis.com; ok markus@
+ - djm@cvs.openbsd.org 2014/04/16 23:28:12
+ [ssh-agent.1]
+ remove the identity files from this manpage - ssh-agent doesn't deal
+ with them at all and the same information is duplicated in ssh-add.1
+ (which does deal with them); prodded by deraadt@
+ - djm@cvs.openbsd.org 2014/04/18 23:52:25
+ [compat.c compat.h sshconnect2.c sshd.c version.h]
+ OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
+ using the curve25519-sha256@libssh.org KEX exchange method to fail
+ when connecting with something that implements the spec properly.
+
+ Disable this KEX method when speaking to one of the affected
+ versions.
+
+ reported by Aris Adamantiadis; ok markus@
+ - djm@cvs.openbsd.org 2014/04/19 05:54:59
+ [compat.c]
+ missing wildcard; pointed out by naddy@
+ - tedu@cvs.openbsd.org 2014/04/19 14:53:48
+ [ssh-keysign.c sshd.c]
+ Delete futile calls to RAND_seed. ok djm
+ NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
+ - tedu@cvs.openbsd.org 2014/04/19 18:15:16
+ [sshd.8]
+ remove some really old rsh references
+ - tedu@cvs.openbsd.org 2014/04/19 18:42:19
+ [ssh.1]
+ delete .xr to hosts.equiv. there's still an unfortunate amount of
+ documentation referring to rhosts equivalency in here.
+ - djm@cvs.openbsd.org 2014/04/20 02:30:25
+ [misc.c misc.h umac.c]
+ use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
+ strict-alignment architectures; reported by and ok stsp@
+ - djm@cvs.openbsd.org 2014/04/20 02:49:32
+ [compat.c]
+ add a canonical 6.6 + curve25519 bignum fix fake version that I can
+ recommend people use ahead of the openssh-6.7 release
+
+20140401
+ - (djm) On platforms that support it, use prctl() to prevent sftp-server
+ from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
+ - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
+ version. From des@des.no
+
+20140317
+ - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
+ remind myself to add sandbox violation logging via the log socket.
+
+20140314
+ - (tim) [opensshd.init.in] Add support for ed25519
+
20140313
- (djm) Release OpenSSH 6.6
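Review bot: two bracketed file lists in this hunk are never closed: "[regress/unittests/sshbuf/test_sshbuf.c" in the "Hook new unit tests into the build" entry, and "[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c" in the djm 2014/03/26 04:55:35 __bounded entry. Anything that pulls the touched files out of the [...] lists will mis-parse both entries, so add the missing "]" unless this file is meant to stay verbatim. In the 20140420 block that same 2014/03/26 04:55:35 entry is listed after markus 2014/03/27 23:01:27, out of timestamp order. Please confirm the placement is intended, since the 2014/05/02 03:27:54 entry later reverts that __bounded change and readers will want to pair the two.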
@@ -2884,4 +3815,3 @@
[contrib/suse/openssh.spec] Update for release 6.0
- (djm) [README] Update URL to release notes.
- (djm) Release openssh-6.0
-