Hi Damien,

Builds fine on Cygwin, all tests pass.

Thanks,
Corinna

On Jul 31 16:12, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
>     $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> directly to openssh@xxxxxxxxxxx.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 9.3p2
> ===========================
>
> This release fixes a number of bugs and adds some small features.
>
> Potentially incompatible changes
> --------------------------------
>
>  * This release removes support for older versions of libcrypto.
>    OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
>    Note that these versions are already deprecated by their upstream
>    vendors.
>
>  * ssh-agent(1): PKCS#11 modules must now be specified by their full
>    paths. Previously dlopen(3) could search for them in system
>    library directories.
>
> New features
> ------------
>
>  * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
>
>  * ssh(1): add support for configuration tags to ssh(1).
>    This adds a ssh_config(5) "Tag" directive and corresponding
>    "Match tag" predicate that may be used to select blocks of
>    configuration similar to the pf.conf(5) keywords of the same
>    name.
>
>  * ssh(1): add a "match localnetwork" predicate. This allows matching
>    on the addresses of available network interfaces and may be used to
>    vary the effective client configuration based on network location.
>
>  * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
>    extensions. This defines wire formats for optional KRL extensions
>    and implements parsing of the new submessages. No actual extensions
>    are supported at this point.
>
>  * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
>    accept two additional %-expansion sequences: %D which expands to
>    the routing domain of the connected session and %C which expands
>    to the addresses and port numbers for the source and destination
>    of the connection.
>
>  * ssh-keygen(1): increase the default work factor (rounds) for the
>    bcrypt KDF used to derive symmetric encryption keys for passphrase
>    protected key files by 50%.
>
> Bugfixes
> --------
>
>  * ssh-agent(1): improve isolation between loaded PKCS#11 modules
>    by running separate ssh-pkcs11-helpers for each loaded provider.
>
>  * ssh(1): make -f (fork after authentication) work correctly with
>    multiplexed connections, including ControlPersist. bz3589 bz3589
>
>  * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
>    modules being loaded by checking that the requested module
>    contains the required symbol before loading it.
>
>  * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
>    appears before it in sshd_config. Since OpenSSH 8.7 the
>    AuthorizedPrincipalsCommand directive was incorrectly ignored in
>    this situation. bz3574
>
>  * sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
>    signatures. When the KRL format was originally defined, it included
>    support for signing of KRL objects. However, the code to sign KRLs
>    and verify KRL signatures was never completed in OpenSSH. This
>    release removes the partially-implemented code to verify KRLs.
>    All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
>    KRL files.
>
>  * All: fix a number of memory leaks and unreachable/harmless integer
>    overflows.
>
>  * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
>    modules; GHPR406
>
>  * sshd(8), ssh(1): better validate CASignatureAlgorithms in
>    ssh_config and sshd_config. Previously this directive would accept
>    certificate algorithm names, but these were unusable in practice as
>    OpenSSH does not support CA chains. bz3577
>
>  * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
>    algorithms that are valid for CA signing. Previous behaviour was
>    to list all signing algorithms, including certificate algorithms.
>
>  * ssh-keyscan(1): gracefully handle systems where rlimits or the
>    maximum number of open files is larger than INT_MAX; bz3581
>
>  * ssh-keygen(1): fix "no comment" not showing when running
>    `ssh-keygen -l` on multiple keys where one has a comment and other
>    following keys do not. bz3580
>
>  * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
>    reorder requests. Previously, if the server reordered requests then
>    the resultant file would be erroneously truncated.
>
>  * ssh(1): don't incorrectly disable hostname canonicalization when
>    CanonicalizeHostname=yes and ProxyJump was explicitly set to
>    "none". bz3567
>
>  * scp(1): when copying local->remote, check that the source file
>    exists before opening an SFTP connection to the server. Based on
>    GHPR#370
>
> Portability
> -----------
>
>  * All: a number of build fixes for various platforms and
>    configuration combinations.
>
>  * sshd(8): provide a replacement for the SELinux matchpathcon()
>    function, which is deprecated.
>
>  * All: relax libcrypto version checks for OpenSSL >=3. Beyond
>    OpenSSL 3.0, the ABI compatibility guarantees are wider (only
>    the library major must match instead of major and minor in
>    earlier versions). bz#3548.
>
>  * Tests: fix build problems for the sk-dummy.so FIDO provider module
>    used in some tests.
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
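
A pre-upgrade check for two changes listed in the quoted announcement, the libcrypto minimums and the stricter CASignatureAlgorithms validation; this is an added example, not part of the thread and not OpenSSH code. The function names, the version banners and the sample config are constructed for illustration.

```python
import re

# Minimum libcrypto versions stated in the 9.4 announcement.
MINIMUMS = {"OpenSSL": (1, 1, 1), "LibreSSL": (3, 1, 0)}

# Constructed sample input, not taken from any real system.
SAMPLE_CONFIG = """\
# sshd_config excerpt (constructed)
TrustedUserCAKeys /etc/ssh/user_ca.pub
CASignatureAlgorithms ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com
casignaturealgorithms=+ssh-ed25519-cert-v01@openssh.com
"""


def libcrypto_supported(banner):
    """True/False for a banner such as `openssl version` output or the
    library part of `ssh -V`; None if no known library name is found."""
    m = re.search(r"\b(OpenSSL|LibreSSL) (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(2, 3, 4))
    return version >= MINIMUMS[m.group(1)]


def cert_algs_in_ca_sigalgs(config_text):
    """Return (line_no, algorithm) for each certificate algorithm name in a
    CASignatureAlgorithms list (previously accepted but unusable)."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2 or parts[0].lower() != "casignaturealgorithms":
            continue
        # Drop quoting and a leading list modifier before splitting.
        value = parts[1].strip().strip('"').lstrip("+-^")
        for alg in value.split(","):
            if "-cert-v01@openssh.com" in alg:
                findings.append((line_no, alg.strip()))
    return findings


if __name__ == "__main__":
    for banner in ("OpenSSL 1.1.0l  10 Sep 2019", "LibreSSL 3.7.2"):
        print(banner, "->", libcrypto_supported(banner))
    for line_no, alg in cert_algs_in_ca_sigalgs(SAMPLE_CONFIG):
        print(f"line {line_no}: certificate algorithm {alg}")
```

Run it against `ssh_config`, `sshd_config` and any included fragments before moving a host to 9.4; every reported line should list plain signature algorithms only.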