special snowflake reporting in. looks good here too. thanks for all your hard work, folks!

On Tue, Mar 14, 2017 at 3:40 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> Hi,
>
> OpenSSH 7.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> We plan on retiring more legacy cryptography in future releases,
> specifically:
>
> * In the next major release (expected June-August), removing remaining
>   support for the SSH v.1 protocol (currently client-only and
>   compile-time disabled).
>
> * In the same release, removing support for Blowfish and RC4 ciphers
>   and the RIPE-MD160 HMAC. (These are currently run-time disabled).
>
> * In the same release, removing the remaining CBC ciphers from being
>   offered by default in the client (These have not been offered in
>   sshd by default for several years).
>
> * Refusing all RSA keys smaller than 1024 bits (the current minimum
>   is 768 bits)
>
> This list reflects our current intentions, but please check the final
> release notes for future releases.
>
> Potentially-incompatible changes
> ================================
>
> This release includes a number of changes that may affect existing
> configurations:
>
> * This release deprecates the sshd_config UsePrivilegeSeparation
>   option, thereby making privilege separation mandatory. Privilege
>   separation has been on by default for almost 15 years.
>
> * The format of several log messages emitted by the packet code has
>   changed to include additional information about the user and
>   their authentication state. Software that monitors ssh/sshd logs
>   may need to account for these changes. For example:
>
>   Connection closed by user x 1.1.1.1 port 1234 [preauth]
>   Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
>   Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
>
>   Affected messages include connection closure, timeout, remote
>   disconnection, negotiation failure and some other fatal messages
>   generated by the packet code.
>
> Changes since OpenSSH 7.4
> =========================
>
> This is a bugfix release.
>
> New Features
> ------------
>
> * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
>   algorithm lists, e.g. Ciphers=-*cbc. bz#2671
>
> Bugfixes
> --------
>
> * ssh(1), sshd(8): Allow form-feed characters to appear in
>   configuration files.
>
> * sshd(8): Fix regression in OpenSSH 7.4 support for the
>   server-sig-algs extension, where SHA2 RSA signature methods were
>   not being correctly advertised. bz#2680
>
> * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
>   known_hosts processing. bz#2591 bz#2685
>
> * ssh(1): Allow ssh to use certificates accompanied by a private key
>   file but no corresponding plain *.pub public key. bz#2617
>
> * ssh(1): When updating hostkeys using the UpdateHostKeys option,
>   accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
>   Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
>   methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
>   method. bz#2650
>
> * ssh(1): Detect and report excessively long configuration file
>   lines. bz#2651
>
> * Merge a number of fixes found by Coverity and reported via Redhat
>   and FreeBSD. Includes fixes for some memory and file descriptor
>   leaks in error paths. bz#2687
>
> * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692
>
> * ssh(1), sshd(8): When logging long messages to stderr, don't truncate
>   "\r\n" if the length of the message exceeds the buffer. bz#2688
>
> * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
>   line; avoid confusion over IPv6 addresses and shells that treat
>   square bracket characters specially.
>
> * ssh-keygen(1): Fix corruption of known_hosts when running
>   "ssh-keygen -H" on a known_hosts containing already-hashed entries.
>
> * Fix various fallout and sharp edges caused by removing SSH protocol
>   1 support from the server, including the server banner string being
>   incorrectly terminated with only \n (instead of \r\n), and
>   confusing error messages from ssh-keyscan bz#2583.
>
> * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
>
> * sshd(8): Fix Unix domain socket forwarding for root (regression in
>   OpenSSH 7.4).
>
> * sftp(1): Fix division by zero crash in "df" output when server
>   returns zero total filesystem blocks/inodes.
>
> * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
>   encountered during key loading to more meaningful error codes.
>   bz#2522 bz#2523
>
> * ssh-keygen(1): Sanitise escape sequences in key comments sent to
>   printf but preserve valid UTF-8 when the locale supports it;
>   bz#2520
>
> * ssh(1), sshd(8): Return reason for port forwarding failures where
>   feasible rather than always "administratively prohibited". bz#2674
>
> * sshd(8): Fix deadlock when AuthorizedKeysCommand or
>   AuthorizedPrincipalsCommand produces a lot of output and a key is
>   matched early. bz#2655
>
> * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
>
> * ssh(1): Fix typo in ~C error message for bad port forward
>   cancellation. bz#2672
>
> * ssh(1): Show a useful error message when included config files
>   can't be opened; bz#2653
>
> * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
>   (previously incorrectly) advertised. bz#2637
>
> * sshd_config(5): Repair accidentally-deleted mention of %k token
>   in AuthorizedKeysCommand; bz#2656
>
> * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665
>
> * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
>   common 32-bit compatibility library directories.
>
> * sftp-client(1): fix non-exploitable integer overflow in SSH2_FXP_NAME
>   response handling.
>
> Portability
> -----------
>
> * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
>   crypto coprocessor.
>
> * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
>   inspection.
>
> * ssh(1): Fix X11 forwarding on OSX where X11 was being started by
>   launchd. bz#2341
>
> * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
>   contain non-printable characters where the codeset in use is ASCII.
>
> * build: Fix builds that attempt to link a kerberised libldns. bz#2603
>
> * build: Fix compilation problems caused by unconditionally defining
>   _XOPEN_SOURCE in wide character detection.
>
> * sshd(8): Fix sandbox violations for clock_gettime VDSO syscall
>   fallback on some Linux/X32 kernels. bz#2142
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
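The log-format change called out under "Potentially-incompatible changes" in the quoted announcement is the item most likely to break log monitoring silently: a pattern written for the 7.4 message will simply stop matching. As an added example, not part of this thread and not OpenSSH code, here is a small Python parser for the three 7.5-style "Connection closed by ..." variants quoted above, with a counter over source addresses for the "invalid user" case. The syslog-style prefix, the older qualifier-free form ("Connection closed by 1.1.1.1 port 1234 [preauth]") and the alert threshold are assumptions made for this example; the sample log lines are constructed.

```python
"""Parse OpenSSH 7.5-style "Connection closed by ..." messages.

Added example, not OpenSSH code. The 7.5 release notes quote three variants:
  Connection closed by user x 1.1.1.1 port 1234 [preauth]
  Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
  Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
The qualifier-free pre-7.5 form ("Connection closed by 1.1.1.1 port 1234
[preauth]") is an assumption made here so one parser copes with logs from
mixed sshd versions.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

_CLOSE_RE = re.compile(
    r"Connection closed by "
    r"(?:(?P<state>authenticating|invalid) )?"  # absent for plain "user x" and old form
    r"(?:user (?P<user>\S+) )?"                 # absent in the old form
    r"(?P<ip>\S+) port (?P<port>\d+)"           # IPv4 or IPv6 literal, then port
    r"(?P<preauth> \[preauth\])?\s*$"
)


def parse_close(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a connection-closed message, or None for other lines."""
    m = _CLOSE_RE.search(line)
    if not m:
        return None
    return {
        "state": m.group("state"),  # "authenticating", "invalid" or None
        "user": m.group("user"),    # None for the pre-7.5 form
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "preauth": m.group("preauth") is not None,
    }


def invalid_user_sources(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Count 'invalid user' closures per source IP; return sources at or above threshold."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_close(line)
        if rec is not None and rec["state"] == "invalid":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log; the syslog prefix is assumed, not taken from the page.
SAMPLE_LOG = [
    "Mar 14 03:40:01 bastion sshd[1234]: Connection closed by user x 1.1.1.1 port 1234 [preauth]",
    "Mar 14 03:40:02 bastion sshd[1235]: Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]",
    "Mar 14 03:40:03 bastion sshd[1236]: Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]",
    "Mar 14 03:40:04 bastion sshd[1237]: Connection closed by invalid user admin 1.1.1.1 port 1235 [preauth]",
    "Mar 14 03:40:05 bastion sshd[1238]: Connection closed by invalid user oracle 1.1.1.1 port 1236 [preauth]",
    "Mar 14 03:40:06 bastion sshd[1239]: Connection closed by 192.0.2.7 port 4321 [preauth]",
    "Mar 14 03:40:07 bastion sshd[1240]: Accepted publickey for y from 192.0.2.8 port 5555 ssh2",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_close(entry))
    print(invalid_user_sources(SAMPLE_LOG))  # -> {'1.1.1.1': 3}
```

The `state` field is left as the literal qualifier sshd prints (`authenticating`, `invalid`, or none) rather than being mapped to a guessed meaning, so a monitoring rule can key on exactly what the daemon logged; anything a rule wants to infer beyond that should come from the sshd source for the version actually deployed.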