diff options
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 4925 |
1 files changed, 2686 insertions, 2239 deletions
diff --git a/ChangeLog b/ChangeLog index e008ec9f383f..bb729917c333 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,2689 @@ +commit a0349a1cc4a18967ad1dbff5389bcdf9da098814 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Apr 2 15:38:28 2018 +1000 + + update versions in .spec files + +commit 816ad38f79792f5617e3913be306ddb27e91091c +Author: Damien Miller <djm@mindrot.org> +Date: Mon Apr 2 15:38:20 2018 +1000 + + update version number + +commit 2c71ca1dd1efe458cb7dee3f8a1a566f913182c2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Mar 30 18:23:07 2018 +1100 + + Disable native strndup and strnlen on AIX. + + On at least some revisions of AIX, strndup returns unterminated strings + under some conditions, apparently because strnlen returns incorrect + values in those cases. Disable both on AIX and use the replacements + from openbsd-compat. Fixes problem with ECDSA keys there, ok djm. + +commit 6b5a17bc14e896e3904dc58d889b58934cfacd24 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 26 13:12:44 2018 +1100 + + Include ssh_api.h for struct ssh. + + struct ssh is needed by implementations of sys_auth_passwd() that were + converted in commit bba02a50. Needed to fix build on AIX, I assume for + the other platforms too (although it should be harmless if not needed). + +commit bc3f80e4d191b8e48650045dfa8a682cd3aabd4d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 26 12:58:09 2018 +1100 + + Remove UNICOS code missed during removal. + + Fixes compile error on AIX. + +commit 9d57762c24882e2f000a21a0ffc8c5908a1fa738 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Sat Mar 24 19:29:03 2018 +0000 + + upstream: openssh-7.7 + + OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41 + +commit 4b7d8acdbbceef247dc035e611e577174ed8a87e +Author: Damien Miller <djm@mindrot.org> +Date: Mon Mar 26 09:37:02 2018 +1100 + + Remove authinfo.sh test dependency on printenv + + Some platforms lack printenv in the default $PATH. + Reported by Tom G. Christensen + +commit 4afeaf3dcb7dc70efd98fcfcb0ed28a6b40b820e +Author: Tim Rice <tim@multitalents.net> +Date: Sun Mar 25 10:00:21 2018 -0700 + + Use libiaf on all sysv5 systems + +commit bba02a5094b3db228ceac41cb4bfca165d0735f3 +Author: Tim Rice <tim@multitalents.net> +Date: Sun Mar 25 09:17:33 2018 -0700 + + modified: auth-sia.c + modified: openbsd-compat/port-aix.c + modified: openbsd-compat/port-uw.c + + propogate changes to auth-passwd.c in commit + 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 to other providers + of sys_auth_passwd() + +commit d7a7a39168bdfe273587bf85d779d60569100a3f +Author: markus@openbsd.org <markus@openbsd.org> +Date: Sat Mar 24 19:29:03 2018 +0000 + + upstream: openssh-7.7 + + OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41 + +commit 9efcaaac314c611c6c0326e8bac5b486c424bbd2 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Sat Mar 24 19:28:43 2018 +0000 + + upstream: fix bogus warning when signing cert keys using agent; + + from djm; ok deraadt dtucker + + OpenBSD-Commit-ID: 12e50836ba2040042383a8b71e12d7ea06e9633d + +commit 393436024d2e4b4c7a01f9cfa5854e7437896d11 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Mar 25 09:40:46 2018 +1100 + + Replace /dev/stdin with "-". + + For some reason sftp -b doesn't work with /dev/stdin on Cygwin, as noted + and suggested by vinschen at redhat.com. + +commit b5974de1a1d419e316ffb6524b1b277dda2f3b49 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Mar 23 13:21:14 2018 +1100 + + Provide $OBJ to paths in PuTTY interop tests. + +commit dc31e79454e9b9140b33ad380565fdb59b9c4f33 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Mar 16 09:06:31 2018 +0000 + + upstream: Tell puttygen to use /dev/urandom instead of /dev/random. On + + OpenBSD they are both non-blocking, but on many other -portable platforms it + blocks, stalling tests. + + OpenBSD-Regress-ID: 397d0d4c719c353f24d79f5b14775e0cfdf0e1cc + +commit cb1f94431ef319cd48618b8b771b58739a8210cf +Author: markus@openbsd.org <markus@openbsd.org> +Date: Thu Mar 22 07:06:11 2018 +0000 + + upstream: ssh/xmss: fix build; ok djm@ + + OpenBSD-Commit-ID: c9374ca41d4497f1c673ab681cc33f6e7c5dd186 + +commit 27979da9e4074322611355598f69175b9ff10d39 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Thu Mar 22 07:05:48 2018 +0000 + + upstream: ssh/xmss: fix deserialize for certs; ok djm@ + + OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc + +commit c6cb2565c9285eb54fa9dfbb3890f5464aff410f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Mar 22 17:00:28 2018 +1100 + + Save $? before case statement. + + In some shells (FreeBSD 9, ash) the case statement resets $?, so save + for later testing. + +commit 4c4e7f783b43b264c247233acb887ee10ed4ce4d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Mar 14 05:35:40 2018 +0000 + + upstream: rename recently-added "valid-before" key restriction to + + "expiry-time" as the former is confusing wrt similar terminology in X.509; + pointed out by jsing@ + + OpenBSD-Regress-ID: ac8b41dbfd90cffd525d58350c327195b0937793 + +commit 500396b204c58e78ad9d081516a365a9f28dc3fd +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Mar 12 00:56:03 2018 +0000 + + upstream: check valid-before option in authorized_keys + + OpenBSD-Regress-ID: 7e1e4a84f7f099a290e5a4cbf4196f90ff2d7e11 + +commit a76b5d26c2a51d7dd7a5164e683ab3f4419be215 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Mar 12 00:54:04 2018 +0000 + + upstream: explicitly specify RSA/SHA-2 keytype here too + + OpenBSD-Regress-ID: 74d7b24e8c72c27af6b481198344eb077e993a62 + +commit 3a43297ce29d37c64e37c7e21282cb219e28d3d1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Mar 12 00:52:57 2018 +0000 + + upstream: exlicitly include RSA/SHA-2 keytypes in + + PubkeyAcceptedKeyTypes here + + OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9 + +commit 037fdc1dc2d68e1d43f9c9e2586c02cabc8f7cc8 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Wed Mar 14 06:56:20 2018 +0000 + + upstream: sort expiry-time; + + OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf + +commit abc0fa38c9bc136871f28e452c3465c3051fc785 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Mar 14 05:35:40 2018 +0000 + + upstream: rename recently-added "valid-before" key restriction to + + "expiry-time" as the former is confusing wrt similar terminology in X.509; + pointed out by jsing@ + + OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6 + +commit bf0fbf2b11a44f06a64b620af7d01ff171c28e13 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Mar 12 00:52:01 2018 +0000 + + upstream: add valid-before="[time]" authorized_keys option. A + + simple way of giving a key an expiry date. ok markus@ + + OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947 + +commit fbd733ab7adc907118a6cf56c08ed90c7000043f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 12 19:17:26 2018 +1100 + + Add AC_LANG_PROGRAM to AC_COMPILE_IFELSE. + + The recently added MIPS ABI tests need AC_LANG_PROGRAM to prevent + warnings from autoconf. Pointed out by klausz at haus-gisela.de. + +commit c7c458e8261b04d161763cd333d74e7a5842e917 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Mar 7 23:53:08 2018 +0000 + + upstream: revert recent strdelim() change, it causes problems with + + some configs. + + revision 1.124 + date: 2018/03/02 03:02:11; author: djm; state: Exp; lines: +19 -8; commitid: nNRsCijZiGG6SUTT; + Allow escaped quotes \" and \' in ssh_config and sshd_config quotes + option strings. bz#1596 ok markus@ + + OpenBSD-Commit-ID: 59c40b1b81206d713c06b49d8477402c86babda5 + +commit 0bcd871ccdf3baf2b642509ba4773d5be067cfa2 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Mon Mar 5 07:03:18 2018 +0000 + + upstream: move the input format details to -f; remove the output + + format details and point to sshd(8), where it is documented; + + ok dtucker + + OpenBSD-Commit-ID: 95f17e47dae02a6ac7329708c8c893d4cad0004a + +commit 45011511a09e03493568506ce32f4891a174a3bd +Author: Vicente Olivert Riera <Vincent.Riera@imgtec.com> +Date: Tue Jun 20 16:42:28 2017 +0100 + + configure.ac: properly set seccomp_audit_arch for MIPS64 + + Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or + AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built + for MIPS64. However, that's only valid for n64 ABI. The right macros for + n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and + AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively. + + Because of that an sshd built for MIPS64 n32 rejects connection attempts + and the output of strace reveals that the problem is related to seccomp + audit: + + [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, + filter=0x555d5da0}) = 0 + [pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ? + [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP}, + {fd=6, revents=POLLHUP}]) + [pid 194] +++ killed by SIGSYS +++ + + This patch fixes that problem by setting the right value to + seccomp_audit_arch taking into account the MIPS64 ABI. + + Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> + +commit 580086704c31de91dc7ba040a28e416bf1fefbca +Author: Vicente Olivert Riera <Vincent.Riera@imgtec.com> +Date: Tue Jun 20 16:42:11 2017 +0100 + + configure.ac: detect MIPS ABI + + Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> + +commit cd4e937aa701f70366cd5b5969af525dff6fdf15 +Author: Alan Yee <alyee@ucsd.edu> +Date: Wed Mar 7 15:12:14 2018 -0800 + + Use https URLs for links that support it. + +commit c0a0c3fc4a76b682db22146b28ddc46566db1ce9 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 5 20:03:07 2018 +1100 + + Disable UTMPX on SunOS4. + +commit 58fd4c5c0140f6636227ca7acbb149ab0c2509b9 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 5 19:28:08 2018 +1100 + + Check for and work around buggy fflush(NULL). + + Some really old platforms (eg SunOS4) segfault on fflush(NULL) so check + for and work around. With klausz at haus-gisela.de. + +commit 71e48bc7945f867029e50e06c665c66aed6d3c64 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 5 10:22:32 2018 +1100 + + Remove extra XMSS #endif + + Extra #endif breaks compile with -DWITH_XMSS. Pointed out by Jack + Schmidt via github. + +commit 055e09e2212ff52067786bf6d794ca9512ff7f0c +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Sat Mar 3 06:37:53 2018 +0000 + + upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18 + + bumped the minimum from 768 to 1024, update man page accordingly. + + OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338 + +commit 7e4fadd3248d6bb7d39d6688c76a613d35d2efc1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Mar 4 01:46:48 2018 +0000 + + upstream: for the pty control tests, just check that the PTY path + + points to something in /dev (rather than checking the device node itself); + makes life easier for portable, where systems with dynamic ptys can delete + nodes before we get around to testing their existence. + + OpenBSD-Regress-ID: b1e455b821e62572bccd98102f8dd9d09bb94994 + +commit 13ef4cf53f24753fe920832b990b25c9c9cd0530 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Mar 3 16:21:20 2018 +1100 + + Update PAM password change to new opts API. + +commit 33561e68e0b27366cb769295a077aabc6a49d2a1 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Mar 3 14:56:09 2018 +1100 + + Add strndup for platforms that need it. + + Some platforms don't have strndup, which includes Solaris 10, NetBSD 3 + and FreeBSD 6. + +commit e8a17feba95eef424303fb94441008f6c5347aaf +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Mar 3 14:49:07 2018 +1100 + + Flatten and alphabetize object file lists. + + This will make maintenance and changes easier. "no objection" tim@ + +commit de1920d743d295f50e6905e5957c4172c038e8eb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Mar 3 03:16:17 2018 +0000 + + upstream: unit tests for new authorized_keys options API + + OpenBSD-Regress-ID: 820f9ec9c6301f6ca330ad4052d85f0e67d0bdc1 + +commit dc3e92df17556dc5b0ab19cee8dcb2a6ba348717 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 2 02:53:27 2018 +0000 + + upstream: fix testing of pty option, include positive test and + + testing of restrict keyword + + OpenBSD-Regress-ID: 4268f27c2706a0a95e725d9518c5bcbec9814c6d + +commit 3d1edd1ebbc0aabea8bbe61903060f37137f7c61 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 2 02:51:55 2018 +0000 + + upstream: better testing for port-forwarding and restrict flags in + + authorized_keys + + OpenBSD-Regress-ID: ee771df8955f2735df54746872c6228aff381daa + +commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Mar 3 03:15:51 2018 +0000 + + upstream: switch over to the new authorized_keys options API and + + remove the legacy one. + + Includes a fairly big refactor of auth2-pubkey.c to retain less state + between key file lines. + + feedback and ok markus@ + + OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df + +commit 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Mar 3 03:06:02 2018 +0000 + + upstream: Introduce a new API for handling authorized_keys options. + + This API parses options to a dedicated structure rather than the old API's + approach of setting global state. It also includes support for merging + options, e.g. from authorized_keys, authorized_principals and/or + certificates. + + feedback and ok markus@ + + OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2 + +commit 26074380767e639ef89321610e146ae11016b385 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Mar 3 03:01:50 2018 +0000 + + upstream: warn when the agent returns a signature type that was + + different to what was requested. This might happen when an old/non-OpenSSH + agent is asked to make a rsa-sha2-256/512 signature but only supports + ssh-rsa. bz#2799 feedback and ok markus@ + + OpenBSD-Commit-ID: 760c0f9438c5c58abc16b5f98008ff2d95cb13ce + +commit f493d2b0b66fb003ed29f31dd66ff1aeb64be1fc +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Mar 2 21:40:15 2018 +0000 + + upstream: apply a lick of paint; tweaks/ok dtucker + + OpenBSD-Commit-ID: 518a6736338045e0037f503c21027d958d05e703 + +commit 713d9cb510e0e7759398716cbe6dcf43e574be71 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 2 03:02:11 2018 +0000 + + upstream: Allow escaped quotes \" and \' in ssh_config and + + sshd_config quotes option strings. bz#1596 ok markus@ + + OpenBSD-Commit-ID: dd3a29fc2dc905e8780198e5a6a30b096de1a1cb + +commit 94b4e2d29afaaaef89a95289b16c18bf5627f7cd +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 2 02:08:03 2018 +0000 + + upstream: refactor sshkey_read() to make it a little more, err, + + readable. ok markus + + OpenBSD-Commit-ID: 2e9247b5762fdac3b6335dc606d3822121714c28 + +commit 5886b92968b360623491699247caddfb77a74d80 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Thu Mar 1 20:32:16 2018 +0000 + + upstream: missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by + + jmc@ + + OpenBSD-Commit-ID: 9039cb69a3f9886bfef096891a9e7fcbd620280b + +commit 3b36bed3d26f17f6a2b7e036e01777770fe1bcd4 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Feb 26 12:14:53 2018 +0000 + + upstream: Remove unneeded (local) include. ok markus@ + + OpenBSD-Commit-ID: 132812dd2296b1caa8cb07d2408afc28e4e60f93 + +commit 27b9f3950e0289e225b57b7b880a8f1859dcd70b +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Feb 26 03:56:44 2018 +0000 + + upstream: Add $OpenBSD$ markers to xmss files to help keep synced + + with portable. ok djm@. + + OpenBSD-Commit-ID: 5233a27aafd1dfadad4b957225f95ae51eb365c1 + +commit afd830847a82ebbd5aeab05bad6d2c8ce74df1cd +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Feb 26 03:03:05 2018 +0000 + + upstream: Add newline at end of file to prevent compiler warnings. + + OpenBSD-Commit-ID: 52f247d4eafe840c7c14c8befa71a760a8eeb063 + +commit 941e0d3e9bb8d5e4eb70cc694441445faf037c84 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Feb 28 19:59:35 2018 +1100 + + Add WITH_XMSS, move to prevent conflicts. + + Add #ifdef WITH_XMSS to ssh-xmss.c, move it in the other files to after + includes.h so it's less likely to conflict and will pick up WITH_XMSS if + added to config.h. + +commit a10d8552d0d2438da4ed539275abcbf557d1e7a8 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 27 14:45:17 2018 +1100 + + Conditionally compile XMSS code. + + The XMSS code is currently experimental and, unlike the rest of OpenSSH + cannot currently be compiled with a c89 compiler. + +commit 146c3bd28c8dbee9c4b06465d9c9facab96b1e9b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 12:51:29 2018 +1100 + + Check dlopen has RTLD_NOW before enabling pkcs11. + +commit 1323f120d06a26074c4d154fcbe7f49bcad3d741 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 27 08:41:25 2018 +1100 + + Check for attributes on prototype args. + + Some compilers (gcc 2.9.53, 3.0 and probably others, see gcc bug #3481) + do not accept __attribute__ on function pointer prototype args. Check for + this and hide them if they're not accepted. + +commit f0b245b0439e600fab782d19e97980e9f2c2533c +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 11:43:48 2018 +1100 + + Check if HAVE_DECL_BZERO correctly. + +commit c7ef4a399155e1621a532cc5e08e6fa773658dd4 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 17:42:56 2018 +1100 + + Wrap <stdint.h> in #ifdef HAVE_STDINT_H. + +commit ac53ce46cf8165cbda7f57ee045f9f32e1e92b31 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 16:24:23 2018 +1100 + + Replace $(CURDIR) with $(PWD). + + The former doesn't work on Solaris or BSDs. + +commit 534b2680a15d14e7e60274d5b29b812d44cc5a44 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 14:51:59 2018 +1100 + + Comment out hexdump(). + + Nothing currently uses them but they cause conflicts on at least + FreeBSD, possibly others. ok djm@ + +commit 5aea4aa522f61bb2f34c3055a7de203909dfae77 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 14:39:14 2018 +1100 + + typo: missing ; + +commit cd3ab57f9b388f8b1abf601dc4d78ff82d83b75e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 14:37:06 2018 +1100 + + Hook up flock() compat code. + + Also a couple of minor changes: fail if we can't lock instead of + silently succeeding, and apply a couple of minor style fixes. + +commit b087998d1ba90dd1ddb6bfdb17873dc3e7392798 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 14:27:02 2018 +1100 + + Import flock() compat from NetBSD. + + From NetBSD's src/trunk/tools/compat/flock.c, no OpenSSH changes yet. + +commit 89212533dde6798324e835b1499084658df4579e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 26 12:32:14 2018 +1100 + + Fix breakage when REGRESSTMP not set. + + BUILDDIR is not set where used for REGRESSTMP, use make's CURDIR + instead. Pointed out by djm@. + +commit f885474137df4b89498c0b8834c2ac72c47aa4bd +Author: Damien Miller <djm@mindrot.org> +Date: Mon Feb 26 12:18:14 2018 +1100 + + XMSS-related files get includes.h + +commit 612faa34c72e421cdc9e63f624526bae62d557cc +Author: Damien Miller <djm@mindrot.org> +Date: Mon Feb 26 12:17:55 2018 +1100 + + object files end with .o - not .c + +commit bda709b8e13d3eef19e69c2d1684139e3af728f5 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Feb 26 12:17:22 2018 +1100 + + avoid inclusion of deprecated selinux/flask.h + + Use string_to_security_class() instead. + +commit 2e396439365c4ca352cac222717d09b14f8a0dfd +Author: Damien Miller <djm@mindrot.org> +Date: Mon Feb 26 11:48:27 2018 +1100 + + updatedepend + +commit 1b11ea7c58cd5c59838b5fa574cd456d6047b2d4 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Fri Feb 23 15:58:37 2018 +0000 + + upstream: Add experimental support for PQC XMSS keys (Extended + + Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS + in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See + https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok + djm@ + + OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac + +commit 7d330a1ac02076de98cfc8fda05353d57b603755 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Feb 23 07:38:09 2018 +0000 + + upstream: some cleanup for BindInterface and ssh-keyscan; + + OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c + +commit c7b5a47e3b9db9a0f0198f9c90c705f6307afc2b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 25 23:55:41 2018 +1100 + + Invert sense of getpgrp test. + + AC_FUNC_GETPGRP tests if getpgrp(0) works, which it does if it's not + declared. Instead, test if the zero-arg version we want to use works. + +commit b39593a6de5290650a01adf8699c6460570403c2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 25 13:25:15 2018 +1100 + + Add no-op getsid implmentation. + +commit 11057564eb6ab8fd987de50c3d7f394c6f6632b7 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 25 11:22:57 2018 +1100 + + bsd-statvfs: include sys/vfs.h, check for f_flags. + +commit e9dede06e5bc582a4aeb5b1cd5a7a640d7de3609 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 25 10:20:31 2018 +1100 + + Handle calloc(0,x) where different from malloc. + + Configure assumes that if malloc(0) returns null then calloc(0,n) + also does. On some old platforms (SunOS4) malloc behaves as expected + (as determined by AC_FUNC_MALLOC) but calloc doesn't. Test for this + at configure time and activate the replacement function if found, plus + handle this case in rpl_calloc. + +commit 2eb4041493fd2635ffdc64a852d02b38c4955e0b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 24 21:06:48 2018 +1100 + + Add prototype for readv if needed. + +commit 6c8c9a615b6d31db8a87bc25033f053d5b0a831e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 24 20:46:37 2018 +1100 + + Check for raise and supply if needed. + +commit a9004425a032d7a7141a5437cfabfd02431e2a74 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 24 20:25:22 2018 +1100 + + Check for bzero and supply if needed. + + Since explicit_bzero uses it via an indirect it needs to be a function + not just a macro. + +commit 1a348359e4d2876203b5255941bae348557f4f54 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Feb 23 05:14:05 2018 +0000 + + upstream: Add ssh-keyscan -D option to make it print its results in + + SSHFP format bz#2821, ok dtucker@ + + OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221 + +commit 3e19fb976a47b44b3d7c4f8355269f7f2c5dd82c +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Feb 23 04:18:46 2018 +0000 + + upstream: Add missing braces. + + Caught by the tinderbox's -Werror=misleading-indentation, ok djm@ + + OpenBSD-Commit-ID: d44656af594c3b2366eb87d6abcef83e1c88a6ca + +commit b59162da99399d89bd57f71c170c0003c55b1583 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Feb 23 15:20:42 2018 +1100 + + Check for ifaddrs.h for BindInterface. + + BindInterface required getifaddr and friends so disable if not available + (eg Solaris 10). We should be able to add support for some systems with + a bit more work but this gets the building again. + +commit a8dd6fe0aa10b6866830b4688a73ef966f0aed88 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Feb 23 14:19:11 2018 +1100 + + space before tab in previous + +commit b5e9263c7704247f9624c8f5c458e9181fcdbc09 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Feb 9 03:40:22 2018 +0000 + + upstream: Replace fatal with exit in the case that we do not have + + $SUDO set. Prevents test failures when neither sudo nor doas are configured. + + OpenBSD-Regress-ID: 6a0464decc4f8ac7d6eded556a032b0fc521bc7b + +commit 3e9d3192ad43758ef761c5b0aa3ac5ccf8121ef2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Feb 23 14:10:53 2018 +1100 + + Use portable syntax for REGRESSTMP. + +commit 73282b61187883a2b2bb48e087fdda1d751d6059 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Feb 23 03:03:00 2018 +0000 + + upstream: unbreak interop test after SSHv1 purge; patch from Colin + + Watson via bz#2823 + + OpenBSD-Regress-ID: 807d30a597756ed6612bdf46dfebca74f49cb31a + +commit f8985dde5f46aedade0373365cbf86ed3f1aead2 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Feb 9 03:42:57 2018 +0000 + + upstream: Skip sftp-chroot test when SUDO not set instead of + + fatal(). + + OpenBSD-Regress-ID: cd4b5f1109b0dc09af4e5ea7d4968c43fbcbde88 + +commit df88551c02d4e3445c44ff67ba8757cff718609a +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Feb 9 03:40:22 2018 +0000 + + upstream: Replace fatal with exit in the case that we do not have + + $SUDO set. Prevents test failures when neither sudo nor doas are configured. + + OpenBSD-Regress-ID: 6a0464decc4f8ac7d6eded556a032b0fc521bc7b + +commit 3b252c20b19f093e87363de197f1100b79705dd3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Feb 8 08:46:20 2018 +0000 + + upstream: some helpers to check verbose/quiet mode + + OpenBSD-Regress-ID: e736aac39e563f5360a0935080a71d5fdcb976de + +commit ac2e3026bbee1367e4cda34765d1106099be3287 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Feb 23 02:34:33 2018 +0000 + + upstream: Add BindInterface ssh_config directive and -B + + command-line argument to ssh(1) that directs it to bind its outgoing + connection to the address of the specified network interface. + + BindInterface prefers to use addresses that aren't loopback or link- + local, but will fall back to those if no other addresses of the + required family are available on that interface. + + Based on patch by Mike Manning in bz#2820, ok dtucker@ + + OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713 + +commit fcdb9d777839a3fa034b3bc3067ba8c1f6886679 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Feb 19 00:55:02 2018 +0000 + + upstream: emphasise that the hostkey rotation may send key types + + that the client may not support, and that the client should simply disregard + such keys (this is what ssh does already). + + OpenBSD-Commit-ID: 65f8ffbc32ac8d12be8f913d7c0ea55bef8622bf + +commit ce066f688dc166506c082dac41ca686066e3de5f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 22 20:45:09 2018 +1100 + + Add headers for sys/audit.h. + + On some older platforms (at least sunos4, probably others) sys/audit.h + requires some other headers. Patch from klausz at haus-gisela.de. + +commit 3fd2d2291a695c96a54269deae079bacce6e3fb9 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Feb 19 18:37:40 2018 +1100 + + Add REGRESSTMP make var override. + + Defaults to original location ($srcdir/regress) but allows overriding + if desired, eg a directory in /tmp. + +commit f8338428588f3ecb5243c86336eccaa28809f97e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 18 15:53:15 2018 +1100 + + Remove now-unused check for getrusage. + + getrusage was used in ssh-rand-helper but that's now long gone. + Patch from klauszh at haus-gisela.de. + +commit 8570177195f6a4b3173c0a25484a83641ee3faa6 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Feb 16 04:43:11 2018 +0000 + + upstream: Don't send IUTF8 to servers that don't like them. + + Some SSH servers eg "ConfD" drop the connection if the client sends the + new IUTF8 (RFC8160) terminal mode even if it's not set. Add a bug bit + for such servers and avoid sending IUTF8 to them. ok djm@ + + OpenBSD-Commit-ID: 26425855402d870c3c0a90491e72e2a8a342ceda + +commit f6dc2ba3c9d12be53057b9371f5109ec553a399f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Feb 16 17:32:28 2018 +1100 + + freezero should check for NULL. + +commit 680321f3eb46773883111e234b3c262142ff7c5b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Feb 16 02:40:45 2018 +0000 + + upstream: Mention recent DH KEX methods: + + diffie-hellman-group14-sha256 + diffie-hellman-group16-sha512 + diffie-hellman-group18-sha512 + + From Jakub Jelen via bz#2826 + + OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a + +commit 88c50a5ae20902715f0fca306bb9c38514f71679 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Feb 16 02:32:40 2018 +0000 + + upstream: stop loading DSA keys by default, remove sshd_config + + stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@ + + OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09 + +commit d2b3db2860c962927def39a52f67f1c23f7b201a +Author: jsing@openbsd.org <jsing@openbsd.org> +Date: Wed Feb 14 16:27:24 2018 +0000 + + upstream: Ensure that D mod (P-1) and D mod (Q-1) are calculated in + + constant time. + + This avoids a potential side channel timing leak. + + ok djm@ markus@ + + OpenBSD-Commit-ID: 71ff3c16be03290e63d8edab8fac053d8a82968c + +commit 4270efad7048535b4f250f493d70f9acfb201593 +Author: jsing@openbsd.org <jsing@openbsd.org> +Date: Wed Feb 14 16:03:32 2018 +0000 + + upstream: Some obvious freezero() conversions. + + This also zeros an ed25519_pk when it was not being zeroed previously. + + ok djm@ dtucker@ + + OpenBSD-Commit-ID: 5c196a3c85c23ac0bd9b11bcadaedd90b7a2ce82 + +commit affa6ba67ffccc30b85d6e98f36eb5afd9386882 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 22:32:04 2018 +1100 + + Remove execute bit from modpipe.c. + +commit 9879dca438526ae6dfd656fecb26b0558c29c731 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 22:26:16 2018 +1100 + + Update prngd link to point to sourceforge. + +commit b6973fa5152b1a0bafd2417b7c3ad96f6e87d014 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 22:22:38 2018 +1100 + + Remove references to UNICOS. + +commit f1ca487940449f0b64f38f1da575078257609966 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 22:18:37 2018 +1100 + + Remove extra newline. + +commit 6d4e980f3cf27f409489cf89cd46c21501b13731 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 22:16:54 2018 +1100 + + OpenSSH's builtin entropy gathering is long gone. + +commit 389125b25d1a1d7f22e907463b7e8eca74af79ea +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 21:43:01 2018 +1100 + + Replace remaining mysignal() with signal(). + + These seem to have been missed during the replacement of mysignal + with #define signal in commit 5ade9ab. Both include the requisite + headers to pick up the #define. + +commit 265d88d4e61e352de6791733c8b29fa3d7d0c26d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 20:06:19 2018 +1100 + + Remove remaining now-obsolete cvs $Ids. + +commit 015749e9b1d2f6e14733466d19ba72f014d0845c +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 15 17:01:54 2018 +1100 + + Regenerate dependencies after UNICOS removal. + +commit ddc0f3814881ea279a6b6d4d98e03afc60ae1ed7 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 13 09:10:46 2018 +1100 + + Remove UNICOS support. + + The code required to support it is quite invasive to the mainline + code that is synced with upstream and is an ongoing maintenance burden. + Both the hardware and software are literal museum pieces these days and + we could not find anyone still running OpenSSH on one. + +commit 174bed686968494723e6db881208cc4dac0d020f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 13 18:12:47 2018 +1100 + + Retpoline linker flag only needed for linking. + +commit 075e258c2cc41e1d7f3ea2d292c5342091728d40 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 13 17:36:43 2018 +1100 + + Default PidFile is sshd.pid not ssh.pid. + +commit 49f3c0ec47730ea264e2bd1e6ece11167d6384df +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 13 16:27:09 2018 +1100 + + Remove assigned-to-but-never-used variable. + + 'p' was removed in previous change but I neglected to remove the + otherwise-unused assignment to it. + +commit b8bbff3b3fc823bf80c5ab226c94f13cb887d5b1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Feb 13 03:36:56 2018 +0000 + + upstream: remove space before tab + + OpenBSD-Commit-ID: 674edd214d0a7332dd4623c9cf8117301b012890 + +commit 05046d907c211cb9b4cd21b8eff9e7a46cd6c5ab +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Sun Feb 11 21:16:56 2018 +0000 + + upstream Don't reset signal handlers inside handlers. + + The signal handlers from the original ssh1 code on which OpenSSH + is based assume unreliable signals and reinstall their handlers. + Since OpenBSD (and pretty much every current system) has reliable + signals this is not needed. In the unlikely even that -portable + is still being used on such systems we will deal with it in the + compat layer. ok deraadt@ + + OpenBSD-Commit-ID: f53a1015cb6908431b92116130d285d71589612c + +commit 3c51143c639ac686687c7acf9b373b8c08195ffb +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 13 09:07:29 2018 +1100 + + Whitespace sync with upstream. + +commit 19edfd4af746bedf0df17f01953ba8c6d3186eb7 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Feb 13 08:25:46 2018 +1100 + + Whitespace sync with upstream. + +commit fbfa6f980d7460b3e12b0ce88ed3b6018edf4711 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 11 21:25:11 2018 +1300 + + Move signal compat code into bsd-signal.{c,h} + +commit 24d2a33bd3bf5170700bfdd8675498aa09a79eab +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 11 21:20:39 2018 +1300 + + Include headers for linux/if.h. + + Prevents configure-time "present but cannot be compiled" warning. + +commit bc02181c24fc551aab85eb2cff0f90380928ef43 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 11 19:45:47 2018 +1300 + + Fix test for -z,retpolineplt linker flag. + +commit 3377df00ea3fece5293db85fe63baef33bf5152e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Feb 11 09:32:37 2018 +1100 + + Add checks for Spectre v2 mitigation (retpoline) + + This adds checks for gcc and clang flags for mitigations for Spectre + variant 2, ie "retpoline". It'll automatically enabled if the compiler + supports it as part of toolchain hardening flag. ok djm@ + +commit d9e5cf078ea5380da6df767bb1773802ec557ef0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 10 09:25:34 2018 +0000 + + upstream commit + + constify some private key-related functions; based on + https://github.com/openssh/openssh-portable/pull/56 by Vincent Brillault + + OpenBSD-Commit-ID: dcb94a41834a15f4d00275cb5051616fdc4c988c + +commit a7c38215d564bf98e8e9eb40c1079e3adf686f15 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 10 09:03:54 2018 +0000 + + upstream commit + + Mention ServerAliveTimeout in context of TCPKeepAlives; + prompted by Christoph Anton Mitterer via github + + OpenBSD-Commit-ID: f0cf1b5bd3f1fbf41d71c88d75d93afc1c880ca2 + +commit 62562ceae61e4f7cf896566592bb840216e71061 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 10 06:54:38 2018 +0000 + + upstream commit + + clarify IgnoreUserKnownHosts; based on github PR from + Christoph Anton Mitterer. + + OpenBSD-Commit-ID: 4fff2c17620c342fb2f1f9c2d2e679aab3e589c3 + +commit 4f011daa4cada6450fa810f7563b8968639bb562 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 10 06:40:28 2018 +0000 + + upstream commit + + Shorter, more accurate explanation of + NoHostAuthenticationForLocalhost without the confusing example. Prompted by + Christoph Anton Mitterer via github and bz#2293. + + OpenBSD-Commit-ID: 19dc96bea25b80d78d416b581fb8506f1e7b76df + +commit 77e05394af21d3f5faa0c09ed3855e4505a5cf9f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 10 06:15:12 2018 +0000 + + upstream commit + + Disable RemoteCommand and RequestTTY in the ssh session + started by scp. sftp is already doing this. From Camden Narzt via github; ok + dtucker + + OpenBSD-Commit-ID: 59e2611141c0b2ee579c6866e8eb9d7d8217bc6b + +commit ca613249a00b64b2eea9f52d3834b55c28cf2862 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 10 05:48:46 2018 +0000 + + upstream commit + + Refuse to create a certificate with an unusable number of + principals; Prompted by gdestuynder via github + + OpenBSD-Commit-ID: 8cfae2451e8f07810e3e2546dfdcce66984cbd29 + +commit b56ac069d46b6f800de34e1e935f98d050731d14 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 10 05:43:26 2018 +0000 + + upstream commit + + fatal if we're unable to write all the public key; previously + we would silently ignore errors writing the comment and terminating newline. + Prompted by github PR from WillerZ; ok dtucker + + OpenBSD-Commit-ID: 18fbfcfd4e8c6adbc84820039b64d70906e49831 + +commit cdb10bd431f9f6833475c27e9a82ebb36fdb12db +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 11:18:38 2018 +1100 + + Add changelog entry for binary strip change. + +commit fbddd91897cfaf456bfc2081f39fb4a2208a0ebf +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 11:14:54 2018 +1100 + + Remove unused variables. + +commit 937d96587df99c16c611d828cded292fa474a32b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 11:12:45 2018 +1100 + + Don't strip binaries so debuginfo gets built. + + Tell install not to strip binaries during package creation so that the + debuginfo package can be built. + +commit eb0865f330f59c889ec92696b97bd397090e720c +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 10:33:11 2018 +1100 + + Fix bogus dates in changelog. + +commit 7fbde1b34c1f6c9ca9e9d10805ba1e5e4538e165 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 10:25:15 2018 +1100 + + Remove SSH1 from description. + +commit 9c34a76f099c4e0634bf6ecc2f40ce93925402c4 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 10:19:16 2018 +1100 + + Add support for compat-openssl10 build dep. + +commit 04f4e8193cb5a5a751fcc356bd6656291fec539e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 09:57:04 2018 +1100 + + Add leading zero so it'll work when rhel not set. + + When rhel is not set it will error out with "bad if". Add leading zero + as per https://fedoraproject.org/wiki/Packaging:DistTag so it'll work + on non-RHEL. + +commit 12abd67a6af28476550807a443b38def2076bb92 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Feb 10 09:56:34 2018 +1100 + + Update openssl-devel dependency. + +commit b33e7645f8813719d7f9173fef24463c8833ebb3 +Author: nkadel <nkadel@gmail.com> +Date: Sun Nov 16 18:19:58 2014 -0500 + + Add mandir with-mandir' for RHEL 5 compatibility. + + Activate '--mandir' and '--with-mandir' settings in setup for RHEL + 5 compatibility. + +commit 94f8bf360eb0162e39ddf39d69925c2e93511e40 +Author: nkadel <nkadel@gmail.com> +Date: Sun Nov 16 18:18:51 2014 -0500 + + Discard 'K5DIR' reporting. + + It does not work inside 'mock' build environment. + +commit bb7e54dbaf34b70b3e57acf7982f3a2136c94ee5 +Author: nkadel <nkadel@gmail.com> +Date: Sun Nov 16 18:17:15 2014 -0500 + + Add 'dist' to 'rel' for OS specific RPM names. + +commit 87346f1f57f71150a9b8c7029d8c210e27027716 +Author: nkadel <nkadel@gmail.com> +Date: Sun Nov 16 14:17:38 2014 -0500 + + Add openssh-devel >= 0.9.8f for redhat spec file. + +commit bec1478d710866d3c1b119343a35567a8fc71ec3 +Author: nkadel <nkadel@gmail.com> +Date: Sun Nov 16 13:10:24 2014 -0500 + + Enhance BuildRequires for openssh-x11-askpass. + +commit 3104fcbdd3c70aefcb0cdc3ee24948907db8dc8f +Author: nkadel <nkadel@gmail.com> +Date: Sun Nov 16 13:04:14 2014 -0500 + + Always include x11-ssh-askpass SRPM. + + Always include x11-ssh-askpass tarball in redhat SRPM, even if unused. + +commit c61d0d038d58eebc365f31830be6e04ce373ad1b +Author: Damien Miller <djm@mindrot.org> +Date: Sat Feb 10 09:43:12 2018 +1100 + + this is long unused; prompted by dtucker@ + +commit 745771fb788e41bb7cdad34e5555bf82da3af7ed +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Feb 9 02:37:36 2018 +0000 + + upstream commit + + Remove unused sKerberosTgtPassing from enum. From + calestyo via github pull req #11, ok djm@ + + OpenBSD-Commit-ID: 1008f8870865a7c4968b7aed402a0a9e3e5b9540 + +commit 1f385f55332db830b0ae22a7663b98279ca2d657 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Feb 8 04:12:32 2018 +0000 + + upstream commit + + Rename struct umac_ctx to umac128_ctx too. In portable + some linkers complain about two symbols with the same name having differing + sizes. ok djm@ + + OpenBSD-Commit-ID: cbebf8bdd3310a9795b4939a1e112cfe24061ca3 + +commit f1f047fb031c0081dbc8738f05bf5d4cc47acadf +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Feb 7 22:52:45 2018 +0000 + + upstream commit + + ssh_free checks for and handles NULL args, remove NULL + checks from remaining callers. ok djm@ + + OpenBSD-Commit-ID: bb926825c53724c069df68a93a2597f9192f7e7b + +commit aee49b2a89b6b323c80dd3b431bd486e51f94c8c +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Feb 8 12:36:22 2018 +1100 + + Set SO_REUSEADDR in regression test netcat. + + Sometimes multiplex tests fail on Solaris with "netcat: local_listen: + Address already in use" which is likely due to previous invocations + leaving the port in TIME_WAIT. Set SO_REUSEADDR (in addition to + SO_REUSEPORT which is alread set on platforms that support it). ok djm@ + +commit 1749991c55bab716877b7c687cbfbf19189ac6f1 +Author: jsing@openbsd.org <jsing@openbsd.org> +Date: Wed Feb 7 05:17:56 2018 +0000 + + upstream commit + + Convert some explicit_bzero()/free() calls to freezero(). + + ok deraadt@ dtucker@ + + OpenBSD-Commit-ID: f566ab99149650ebe58b1d4b946ea726c3829609 + +commit 94ec2b69d403f4318b7a0d9b17f8bc3efbf4d0d2 +Author: jsing@openbsd.org <jsing@openbsd.org> +Date: Wed Feb 7 05:15:49 2018 +0000 + + upstream commit + + Remove some #ifdef notyet code from OpenSSL 0.9.8 days. + + These functions have never appeared in OpenSSL and are likely never to do + so. + + "kill it with fire" djm@ + + OpenBSD-Commit-ID: fee9560e283fd836efc2631ef381658cc673d23e + +commit 7cd31632e3a6607170ed0c9ed413a7ded5b9b377 +Author: jsing@openbsd.org <jsing@openbsd.org> +Date: Wed Feb 7 02:06:50 2018 +0000 + + upstream commit + + Remove all guards for calls to OpenSSL free functions - + all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards. + + Prompted by dtucker@ asking about guards for RSA_free(), when looking at + openssh-portable pr#84 on github. + + ok deraadt@ dtucker@ + + OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae + +commit 3c000d57d46882eb736c6563edfc4995915c24a2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Feb 7 09:19:38 2018 +1100 + + Remove obsolete "Smartcard support" message + + The configure checks that populated $SCARD_MSG were removed in commits + 7ea845e4 and d8f60022 when the smartcard support was replaced with + PKCS#11. + +commit 3e615090de0ce36a833d811e01c28aec531247c4 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Feb 6 06:01:54 2018 +0000 + + upstream commit + + Replace "trojan horse" with the correct term (MITM). + From maikel at predikkta.com via bz#2822, ok markus@ + + OpenBSD-Commit-ID: e86ac64c512057c89edfadb43302ac0aa81a6c53 + +commit 3484380110d437c50e17f87d18544286328c75cb +Author: tb@openbsd.org <tb@openbsd.org> +Date: Mon Feb 5 05:37:46 2018 +0000 + + upstream commit + + Add a couple of non-negativity checks to avoid close(-1). + + ok djm + + OpenBSD-Commit-ID: 4701ce0b37161c891c838d0931305f1d37a50880 + +commit 5069320be93c8b2a6584b9f944c86f60c2b04e48 +Author: tb@openbsd.org <tb@openbsd.org> +Date: Mon Feb 5 05:36:49 2018 +0000 + + upstream commit + + The file descriptors for socket, stdin, stdout and stderr + aren't necessarily distinct, so check if they are the same to avoid closing + the same fd several times. + + ok djm + + OpenBSD-Commit-ID: 60d71fd22e9a32f5639d4ba6e25a2f417fc36ac1 + +commit 2b428f90ea1b21d7a7c68ec1ee334253b3f9324d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Feb 5 04:02:53 2018 +0000 + + upstream commit + + I accidentially a word + + OpenBSD-Commit-ID: 4547ee713fa941da861e83ae7a3e6432f915e14a + +commit 130283d5c2545ff017c2162dc1258c5354e29399 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jan 25 03:34:43 2018 +0000 + + upstream commit + + certificate options are case-sensitive; fix case on one + that had it wrong. + + move a badly-place sentence to a less bad place + + OpenBSD-Commit-ID: 231e516bba860699a1eece6d48532d825f5f747b + +commit 89f09ee68730337015bf0c3f138504494a34e9a6 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jan 24 12:20:44 2018 +1100 + + crypto_api.h needs includes.h + +commit c9c1bba06ad1c7cad8548549a68c071bd807af60 +Author: stsp@openbsd.org <stsp@openbsd.org> +Date: Tue Jan 23 20:00:58 2018 +0000 + + upstream commit + + Fix a logic bug in sshd_exchange_identification which + prevented clients using major protocol version 2 from connecting to the + server. ok millert@ + + OpenBSD-Commit-ID: 8668dec04586e27f1c0eb039ef1feb93d80a5ee9 + +commit a60c5dcfa2538ffc94dc5b5adb3db5b6ed905bdb +Author: stsp@openbsd.org <stsp@openbsd.org> +Date: Tue Jan 23 18:33:49 2018 +0000 + + upstream commit + + Add missing braces; fixes 'write: Socket is not + connected' error in ssh. ok deraadt@ + + OpenBSD-Commit-ID: db73a3a9e147722d410866cac34d43ed52e1ad24 + +commit 20d53ac283e1c60245ea464bdedd015ed9b38f4a +Author: Damien Miller <djm@mindrot.org> +Date: Tue Jan 23 16:49:43 2018 +1100 + + rebuild depends + +commit 552ea155be44f9c439c1f9f0c38f9e593428f838 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Jan 23 16:49:22 2018 +1100 + + one SSH_BUG_BANNER instance that got away + +commit 14b5c635d1190633b23ac3372379517fb645b0c2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 23 05:27:21 2018 +0000 + + upstream commit + + Drop compatibility hacks for some ancient SSH + implementations, including ssh.com <=2.* and OpenSSH <= 3.*. + + These versions were all released in or before 2001 and predate the + final SSH RFCs. The hacks in question aren't necessary for RFC- + compliant SSH implementations. + + ok markus@ + + OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138 + +commit 7c77991f5de5d8475cbeb7cbb06d0c7d1611d7bb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 23 05:17:04 2018 +0000 + + upstream commit + + try harder to preserve errno during + ssh_connect_direct() to make the final error message possibly accurate; + bz#2814, ok dtucker@ + + OpenBSD-Commit-ID: 57de882cb47381c319b04499fef845dd0c2b46ca + +commit 9e9c4a7e57b96ab29fe6d7545ed09d2e5bddbdec +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 23 05:12:12 2018 +0000 + + upstream commit + + unbreak support for clients that advertise a protocol + version of "1.99" (indicating both v2 and v1 support). Busted by me during + SSHv1 purge in r1.358; bz2810, ok dtucker + + OpenBSD-Commit-ID: e8f9c2bee11afc16c872bb79d6abe9c555bd0e4b + +commit fc21ea97968264ad9bb86b13fedaaec8fd3bf97d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 23 05:06:25 2018 +0000 + + upstream commit + + don't attempt to force hostnames that are addresses to + lowercase, but instead canonicalise them through getnameinfo/getaddrinfo to + remove ambiguities (e.g. ::0001 => ::1) before they are matched against + known_hosts; bz#2763, ok dtucker@ + + OpenBSD-Commit-ID: ba0863ff087e61e5c65efdbe53be3cb92c9aefa0 + +commit d6364f6fb1a3d753d7ca9bf15b2adce961324513 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 23 05:01:15 2018 +0000 + + upstream commit + + avoid modifying pw->pw_passwd; let endpwent() clean up + for us, but keep a scrubbed copy; bz2777, ok dtucker@ + + OpenBSD-Commit-ID: 715afc0f59c6b82c4929a73279199ed241ce0752 + +commit a69bbb07cd6fb4dfb9bdcacd370ab26d0a2b4215 +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Sat Jan 13 00:24:09 2018 +0000 + + upstream commit + + clarify authorship; prodded by and ok markus@ + + OpenBSD-Commit-ID: e1938eee58c89b064befdabe232835fa83bb378c + +commit 04214b30be3d3e73a01584db4e040d5ccbaaddd4 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Mon Jan 8 15:37:21 2018 +0000 + + upstream commit + + group shared source files (e.g. SRCS_KEX) and allow + compilation w/o OPENSSL ok djm@ + + OpenBSD-Commit-ID: fa728823ba21c4b45212750e1d3a4b2086fd1a62 + +commit 25cf9105b849932fc3b141590c009e704f2eeba6 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Mon Jan 8 15:21:49 2018 +0000 + + upstream commit + + move subprocess() so scp/sftp do not need uidswap.o; ok + djm@ + + OpenBSD-Commit-ID: 6601b8360388542c2e5fef0f4085f8e54750bea8 + +commit b0d34132b3ca26fe94013f01d7b92101e70b68bb +Author: markus@openbsd.org <markus@openbsd.org> +Date: Mon Jan 8 15:18:46 2018 +0000 + + upstream commit + + switch ssh-pkcs11-helper to new API; ok djm@ + + OpenBSD-Commit-ID: e0c0ed2a568e25b1d2024f3e630f3fea837c2a42 + +commit ec4a9831184c0c6ed5f7f0cfff01ede5455465a3 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Mon Jan 8 15:15:36 2018 +0000 + + upstream commit + + split client/server kex; only ssh-keygen needs + uuencode.o; only scp/sftp use progressmeter.o; ok djm@ + + OpenBSD-Commit-ID: f2c9feb26963615c4fece921906cf72e248b61ee + +commit ec77efeea06ac62ee1d76fe0b3225f3000775a9e +Author: markus@openbsd.org <markus@openbsd.org> +Date: Mon Jan 8 15:15:17 2018 +0000 + + upstream commit + + only ssh-keygen needs uuencode.o; only scp/sftp use + progressmeter.o + + OpenBSD-Commit-ID: a337e886a49f96701ccbc4832bed086a68abfa85 + +commit 25aae35d3d6ee86a8c4c0b1896acafc1eab30172 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Mon Jan 8 15:14:44 2018 +0000 + + upstream commit + + uuencode.h is not used + + OpenBSD-Commit-ID: 238eb4659f3c119904326b9e94a5e507a912796c + +commit 4f29309c4cb19bcb1774931db84cacc414f17d29 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jan 3 19:50:43 2018 +1100 + + unbreak fuzz harness + +commit f6b50bf84dc0b61f22c887c00423e0ea7644e844 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Dec 21 05:46:35 2017 +0000 + + upstream commit + + another libssh casualty + + OpenBSD-Regress-ID: 839b970560246de23e7c50215095fb527a5a83ec + +commit 5fb4fb5a0158318fb8ed7dbb32f3869bbf221f13 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Dec 21 03:01:49 2017 +0000 + + upstream commit + + missed one (unbreak after ssh/lib removal) + + OpenBSD-Regress-ID: cfdd132143131769e2d2455e7892b5d55854c322 + +commit e6c4134165d05447009437a96e7201276688807f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Dec 21 00:41:22 2017 +0000 + + upstream commit + + unbreak unit tests after removal of src/usr.bin/ssh/lib + + OpenBSD-Regress-ID: 3a79760494147b20761cbd2bd5c20e86c63dc8f9 + +commit d45d69f2a937cea215c7f0424e5a4677b6d8c7fe +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Dec 21 00:00:28 2017 +0000 + + upstream commit + + revert stricter key type / signature type checking in + userauth path; too much software generates inconsistent messages, so we need + a better plan. + + OpenBSD-Commit-ID: 4a44ddc991c803c4ecc8f1ad40e0ab4d22e1c519 + +commit c5a6cbdb79752f7e761074abdb487953ea6db671 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Dec 19 00:49:30 2017 +0000 + + upstream commit + + explicitly test all key types and their certificate + counterparts + + refactor a little + + OpenBSD-Regress-ID: e9ecd5580821b9ef8b7106919c6980d8e45ca8c4 + +commit f689adb7a370b5572612d88be9837ca9aea75447 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Dec 11 11:41:56 2017 +0000 + + upstream commit + + use cmp in a loop instead of diff -N to compare + directories. The former works on more platforms for Portable. + + OpenBSD-Regress-ID: c3aa72807f9c488e8829a26ae50fe5bcc5b57099 + +commit 748dd8e5de332b24c40f4b3bbedb902acb048c98 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Dec 19 16:17:59 2017 +1100 + + remove blocks.c from Makefile + +commit 278856320520e851063b06cef6ef1c60d4c5d652 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Dec 19 00:24:34 2017 +0000 + + upstream commit + + include signature type and CA key (if applicable) in some + debug messages + + OpenBSD-Commit-ID: b71615cc20e78cec7105bb6e940c03ce9ae414a5 + +commit 7860731ef190b52119fa480f8064ab03c44a120a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Dec 18 23:16:23 2017 +0000 + + upstream commit + + unbreak hostkey rotation; attempting to sign with a + desired signature algorithm of kex->hostkey_alg is incorrect when the key + type isn't capable of making those signatures. ok markus@ + + OpenBSD-Commit-ID: 35ae46864e1f5859831ec0d115ee5ea50953a906 + +commit 966ef478339ad5e631fb684d2a8effe846ce3fd4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Dec 18 23:14:34 2017 +0000 + + upstream commit + + log mismatched RSA signature types; ok markus@ + + OpenBSD-Commit-ID: 381bddfcc1e297a42292222f3bcb5ac2b7ea2418 + +commit 349ecd4da3a985359694a74635748009be6baca6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Dec 18 23:13:42 2017 +0000 + + upstream commit + + pass kex->hostkey_alg and kex->hostkey_nid from pre-auth + to post-auth unpriviledged child processes; ok markus@ + + OpenBSD-Commit-ID: 4a35bc7af0a5f8a232d1361f79f4ebc376137302 + +commit c9e37a8725c083441dd34a8a53768aa45c3c53fe +Author: millert@openbsd.org <millert@openbsd.org> +Date: Mon Dec 18 17:28:54 2017 +0000 + + upstream commit + + Add helper function for uri handing in scp where a + missing path simply means ".". Also fix exit code and add warnings when an + invalid uri is encountered. OK otto@ + + OpenBSD-Commit-ID: 47dcf872380586dabf7fcc6e7baf5f8ad508ae1a + +commit 04c7e28f83062dc42f2380d1bb3a6bf0190852c0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Dec 18 02:25:15 2017 +0000 + + upstream commit + + pass negotiated signing algorithm though to + sshkey_verify() and check that the negotiated algorithm matches the type in + the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@ + + OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9 + +commit 931c78dfd7fe30669681a59e536bbe66535f3ee9 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Dec 18 02:22:29 2017 +0000 + + upstream commit + + sshkey_sigtype() function to return the type of a + signature; ok markus@ + + OpenBSD-Commit-ID: d3772b065ad6eed97285589bfb544befed9032e8 + +commit 4cdc5956f2fcc9e9078938db833142dc07d8f523 +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Thu Dec 14 21:07:39 2017 +0000 + + upstream commit + + Replace ED25519's private SHA-512 implementation with a + call to the regular digest code. This speeds up compilation considerably. ok + markus@ + + OpenBSD-Commit-ID: fcce8c3bcfe7389462a28228f63c823e80ade41c + +commit 012e5cb839faf76549e3b6101b192fe1a74d367e +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Tue Dec 12 15:06:12 2017 +0000 + + upstream commit + + Create a persistent umac128.c source file: #define the + output size and the name of the entry points for UMAC-128 before including + umac.c. Idea from FreeBSD. ok dtucker@ + + OpenBSD-Commit-ID: 463cfacfa07cb8060a4d4961e63dca307bf3f4b1 + +commit b35addfb4cd3b5cdb56a2a489d38e940ada926c7 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Mon Dec 11 16:23:28 2017 +1100 + + Update .depend with empty config.h + +commit 2d96f28246938e0ca474a939d8ac82ecd0de27e3 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Mon Dec 11 16:21:55 2017 +1100 + + Ensure config.h is always in dependencies. + + Put an empty config.h into the dependency list to ensure that it's + always listed and consistent. + +commit ac4987a55ee5d4dcc8e87f7ae7c1f87be7257d71 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Sun Dec 10 19:37:57 2017 +0000 + + upstream commit + + ssh/lib hasn't worked towards our code-sharing goals for + a quit while, perhaps it is too verbose? Change each */Makefile to + specifying exactly what sources that program requires, compiling it seperate. + Maybe we'll iterate by sorting those into seperatable chunks, splitting up + files which contain common code + server/client specific code, or whatnot. + But this isn't one step, or we'd have done it a long time ago.. ok dtucker + markus djm + + OpenBSD-Commit-ID: 5317f294d63a876bfc861e19773b1575f96f027d + +commit 48c23a39a8f1069a57264dd826f6c90aa12778d5 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Sun Dec 10 05:55:29 2017 +0000 + + upstream commit + + Put remote client info back into the ClientAlive + connection termination message. Based in part on diff from lars.nooden at + gmail, ok djm + + OpenBSD-Commit-ID: 80a0f619a29bbf2f32eb5297a69978a0e05d0ee0 + +commit aabd75ec76575c1b17232e6526a644097cd798e5 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Fri Dec 8 03:45:52 2017 +0000 + + upstream commit + + time_t printing needs %lld and (long long) casts ok djm + + OpenBSD-Commit-ID: 4a93bc2b0d42a39b8f8de8bb74d07ad2e5e83ef7 + +commit fd4eeeec16537870bd40d04836c7906ec141c17d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Dec 8 02:14:33 2017 +0000 + + upstream commit + + fix ordering in previous to ensure errno isn't clobbered + before logging. + + OpenBSD-Commit-ID: e260bc1e145a9690dcb0d5aa9460c7b96a0c8ab2 + +commit 155072fdb0d938015df828836beb2f18a294ab8a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Dec 8 02:13:02 2017 +0000 + + upstream commit + + for some reason unix_listener() logged most errors twice + with each message containing only some of the useful information; merge these + + OpenBSD-Commit-ID: 1978a7594a9470c0dddcd719586066311b7c9a4a + +commit 79c0e1d29959304e5a49af1dbc58b144628c09f3 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Mon Dec 11 14:38:33 2017 +1100 + + Add autogenerated dependency info to Makefile. + + Adds a .depend file containing dependency information generated by + makedepend, which is appended to the generated Makefile by configure. + + You can regen the file with "make -f Makefile.in depend" if necessary, + but we'll be looking at some way to automatically keep this up to date. + + "no objection" djm@ + +commit f001de8fbf7f3faddddd8efd03df18e57601f7eb +Author: Darren Tucker <dtucker@zip.com.au> +Date: Mon Dec 11 13:42:51 2017 +1100 + + Fix pasto in ldns handling. + + When ldns-config is not found, configure would check the wrong variable. + ok djm@ + +commit c5bfe83f67cb64e71cf2fe0d1500f6904b0099ee +Author: Darren Tucker <dtucker@zip.com.au> +Date: Sat Dec 9 10:12:23 2017 +1100 + + Portable switched to git so s/CVS/git/. + +commit bb82e61a40a4ee52e4eb904caaee2c27b763ab5b +Author: Darren Tucker <dtucker@zip.com.au> +Date: Sat Dec 9 08:06:00 2017 +1100 + + Remove now-used check for perl. + +commit e0ce54c0b9ca3a9388f9c50f4fa6cc25c28a3240 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Dec 6 05:06:21 2017 +0000 + + upstream commit + + don't accept junk after "yes" or "no" responses to + hostkey prompts. bz#2803 reported by Maksim Derbasov; ok dtucker@ + + OpenBSD-Commit-ID: e1b159fb2253be973ce25eb7a7be26e6f967717c + +commit 609d96b3d58475a15b2eb6b3d463f2c5d8e510c0 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Dec 5 23:59:47 2017 +0000 + + upstream commit + + Replace atoi and strtol conversions for integer arguments + to config keywords with a checking wrapper around strtonum. This will + prevent and flag invalid and negative arguments to these keywords. ok djm@ + + OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998 + +commit 168ecec13f9d7cb80c07df3bf7d414f4e4165e84 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Dec 5 23:56:07 2017 +0000 + + upstream commit + + Add missing break for rdomain. Prevents spurious + "Deprecated option" warnings. ok djm@ + + OpenBSD-Commit-ID: ba28a675d39bb04a974586241c3cba71a9c6099a + +commit 927f8514ceffb1af380a5f63ab4d3f7709b1b198 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Dec 5 01:30:19 2017 +0000 + + upstream commit + + include the addr:port in bind/listen failure messages + + OpenBSD-Commit-ID: fdadb69fe1b38692608809cf0376b71c2c28e58e + +commit a8c89499543e2d889629c4e5e8dcf47a655cf889 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Nov 29 05:49:54 2017 +0000 + + upstream commit + + Import updated moduli. + + OpenBSD-Commit-ID: 524d210f982af6007aa936ca7f4c977f4d32f38a + +commit 3dde09ab38c8e1cfc28252be473541a81bc57097 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Nov 28 21:10:22 2017 +0000 + + upstream commit + + Have sftp print a warning about shell cleanliness when + decoding the first packet fails, which is usually caused by shells polluting + stdout of non-interactive starups. bz#2800, ok markus@ deraadt@. + + OpenBSD-Commit-ID: 88d6a9bf3470f9324b76ba1cbd53e50120f685b5 + +commit 6c8a246437f612ada8541076be2414846d767319 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Fri Dec 1 17:11:47 2017 +1100 + + Replace mkinstalldirs with mkdir -p. + + Check for MIKDIR_P and use it instead of mkinstalldirs. Should fix "mkdir: + cannot create directory:... File exists" during "make install". + Patch from eb at emlix.com. + +commit 3058dd78d2e43ed0f82ad8eab8bb04b043a72023 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Fri Dec 1 17:07:08 2017 +1100 + + Pull in newer install-sh from autoconf-2.69. + + Suggested by eb at emlix.com + +commit 79226e5413c5b0fda3511351a8511ff457e306d8 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Fri Dec 1 16:55:35 2017 +1100 + + Remove RSA1 host key generation. + + SSH1 support is now gone, remove SSH1 key generation. + Patch from eb at emlix.com. + +commit 2937dd02c572a12f33d5c334d518f6cbe0b645eb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Nov 28 06:09:38 2017 +0000 + + upstream commit + + more whitespace errors + + OpenBSD-Commit-ID: 5e11c125378327b648940b90145e0d98beb05abb + +commit 7f257bf3fd3a759f31098960cbbd1453fafc4164 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Tue Nov 28 06:04:51 2017 +0000 + + upstream commit + + whitespace at EOL + + OpenBSD-Commit-ID: 76d3965202b22d59c2784a8df3a8bfa5ee67b96a + +commit 5db6fbf1438b108e5df3e79a1b4de544373bc2d4 +Author: dtucker@openbsd.org@openbsd.org <dtucker@openbsd.org@openbsd.org> +Date: Sat Nov 25 06:46:22 2017 +0000 + + upstream commit + + Add monotime_ts and monotime_tv that return monotonic + timespec and timeval respectively. Replace calls to gettimeofday() in packet + timing with monotime_tv so that the callers will work over a clock step. + Should prevent integer overflow during clock steps reported by wangle6 at + huawei.com. "I like" markus@ + + OpenBSD-Commit-ID: 74d684264814ff806f197948b87aa732cb1b0b8a + +commit 2d638e986085bdf1a40310ed6e2307463db96ea0 +Author: dtucker@openbsd.org@openbsd.org <dtucker@openbsd.org@openbsd.org> +Date: Sat Nov 25 05:58:47 2017 +0000 + + upstream commit + + Remove get_current_time() and replace with calls to + monotime_double() which uses CLOCK_MONOTONIC and works over clock steps. "I + like" markus@ + + OpenBSD-Commit-ID: 3ad2f7d2414e2cfcaef99877a7a5b0baf2242952 + +commit ba460acae48a36ef749cb23068f968f4d5d90a24 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Fri Nov 24 16:24:31 2017 +1100 + + Include string.h for explicit_bzero. + +commit a65655fb1a12b77fb22f9e71559b9d73030ec8ff +Author: Damien Miller <djm@mindrot.org> +Date: Fri Nov 24 10:23:47 2017 +1100 + + fix incorrect range of OpenSSL versions supported + + Pointed out by Solar Designer + +commit 83a1e5dbec52d05775174f368e0c44b08619a308 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Wed Nov 15 02:10:16 2017 +0000 + + upstream commit + + downgrade a couple more request parsing errors from + process-fatal to just returning failure, making them consistent with the + others that were already like that. + + OpenBSD-Commit-ID: c111461f7a626690a2d53018ef26557b34652918 + +commit 93c68a8f3da8e5e6acdc3396f54d73919165e242 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Wed Nov 15 00:13:40 2017 +0000 + + upstream commit + + fix regression in 7.6: failure to parse a signature request + message shouldn't be fatal to the process, just the request. Reported by Ron + Frederick + + OpenBSD-Commit-ID: e5d01b3819caa1a2ad51fc57d6ded43f48bbcc05 + +commit 548d3a66feb64c405733932a6b1abeaf7198fa71 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Tue Nov 14 00:45:29 2017 +0000 + + upstream commit + + fix problem in configuration parsing when in config dump mode + (sshd -T) without providing a full connection specification (sshd -T -C ...) + + spotted by bluhm@ + + OpenBSD-Commit-ID: 7125faf5740eaa9d3a2f25400a0bc85e94e28b8f + +commit 33edb6ebdc2f81ebed1bceadacdfb8910b64fb88 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Nov 3 05:18:44 2017 +0000 + + upstream commit + + reuse parse_multistate for parse_flag (yes/no arguments). + Saves a few lines of code and makes the parser more consistent wrt case- + sensitivity. bz#2664 ok dtucker@ + + OpenBSD-Commit-ID: b2ad1b6086858d5db71c7b11e5a74dba6d60efef + +commit d52131a98316e76c0caa348f09bf6f7b9b01a1b9 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Nov 3 05:14:04 2017 +0000 + + upstream commit + + allow certificate validity intervals that specify only a + start or stop time (we already support specifying both or neither) + + OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42 + +commit fbe8e7ac94c2fa380421a9205a8bc966549c2f91 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Nov 3 03:46:52 2017 +0000 + + upstream commit + + allow "cd" and "lcd" commands with no explicit path + argument. lcd will change to the local user's home directory as usual. cd + will change to the starting directory for session (because the protocol + offers no way to obtain the remote user's home directory). bz#2760 ok + dtucker@ + + OpenBSD-Commit-ID: 15333f5087cee8c1ed1330cac1bd0a3e6a767393 + +commit 0208a48517b5e8e8b091f32fa4addcd67c31ca9e +Author: dtucker@openbsd.org@openbsd.org <dtucker@openbsd.org@openbsd.org> +Date: Fri Nov 3 03:18:53 2017 +0000 + + upstream commit + + When doing a config test with sshd -T, only require the + attributes that are actually used in Match criteria rather than (an + incomplete list of) all criteria. ok djm@, man page help jmc@ + + OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc + +commit c357eed5a52cd2f4ff358b17e30e3f9a800644da +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Nov 3 02:32:19 2017 +0000 + + upstream commit + + typos in ECDSA certificate names; bz#2787 reported by + Mike Gerow + + OpenBSD-Commit-ID: 824938b6aba1b31321324ba1f56c05f84834b163 + +commit ecbf005b8fd80b81d0c61dfc1e96fe3da6099395 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Nov 3 02:29:17 2017 +0000 + + upstream commit + + Private keys in PEM format have been encrypted by AES-128 for + a while (not 3DES). bz#2788 reported by Calum Mackay + + OpenBSD-Commit-ID: bd33da7acbbb3c882f0a0ee56007a35ce0d8a11a + +commit 81c9ccdbf6ddbf9bfbd6f1f775a5a7c13e47e185 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Fri Nov 3 14:52:51 2017 +1100 + + Check for linux/if.h when enabling rdomain. + + musl libc doesn't seem to have linux/if.h, so check for its presence + before enabling rdomain support on Linux. + +commit fa1b834cce41a1ce3e6a8d57fb67ef18c9dd803f +Author: Darren Tucker <dtucker@zip.com.au> +Date: Fri Nov 3 14:09:45 2017 +1100 + + Add headers for sys/sysctl.h and net/route.h + + On at least older OpenBSDs, sys/sysctl.h and net/route.h require + sys/types and, in the case of sys/sysctl.h, sys/param.h for MAXLOGNAME. + +commit 41bff4da21fcd8a7c6a83a7e0f92b018f904f6fb +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Nov 3 02:22:41 2017 +0000 + + upstream commit + + avoid unused variable warnings for !WITH_OPENSSL; patch from + Marcus Folkesson + + OpenBSD-Commit-ID: c01d27a3f907acdc3dd4ea48170fac3ba236d229 + +commit 6b373e4635a7470baa94253dd1dc8953663da9e8 +Author: Marcus Folkesson <marcus.folkesson@gmail.com> +Date: Sat Oct 28 19:48:39 2017 +0200 + + only enable functions in dh.c when openssl is used + + Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com> + +commit 939b30ba23848b572e15bf92f0f1a3d9cf3acc2b +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Wed Nov 1 00:04:15 2017 +0000 + + upstream commit + + fix broken stdout in ControlPersist mode, introduced by me in + r1.467 and reported by Alf Schlichting + + OpenBSD-Commit-ID: 3750a16e02108fc25f747e4ebcedb7123c1ef509 + +commit f21455a084f9cc3942cf1bde64055a4916849fed +Author: Darren Tucker <dtucker@zip.com.au> +Date: Tue Oct 31 10:09:33 2017 +1100 + + Include includes.h for HAVE_GETPAGESIZE. + + The configure script checks for getpagesize() and sets HAVE_GETPAGESIZE in + config.h, but bsd-getpagesize.c forgot to include includes.h (which + indirectly includes config.h) so the checks always fails, causing linker + issues when linking statically on systems with getpagesize(). + + Patch from Peter Korsgaard <peter at korsgaard.com> + +commit f2ad63c0718b93ac1d1e85f53fee33b06eef86b5 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Mon Oct 30 22:01:52 2017 +0000 + + upstream commit + + whitespace at EOL + + OpenBSD-Regress-ID: f4b5df99b28c6f63478deb916c6ed0e794685f07 + +commit c6415b1f8f1d0c2735564371647fd6a177fb9a3e +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Mon Oct 30 21:59:43 2017 +0000 + + upstream commit + + whitespace at EOL + + OpenBSD-Regress-ID: 19b1394393deee4c8a2114a3b7d18189f27a15cd + +commit e4d4ddbbba0e585ca3ec3a455430750b4622a6d3 +Author: millert@openbsd.org@openbsd.org <millert@openbsd.org@openbsd.org> +Date: Wed Oct 25 20:08:36 2017 +0000 + + upstream commit + + Use printenv to test whether an SSH_USER_AUTH is set + instead of using $SSH_USER_AUTH. The latter won't work with csh which treats + unknown variables as an error when expanding them. OK markus@ + + OpenBSD-Regress-ID: f601e878dd8b71aa40381573dde3a8f567e6f2d1 + +commit 116b1b439413a724ebb3320633a64dd0f3ee1fe7 +Author: millert@openbsd.org@openbsd.org <millert@openbsd.org@openbsd.org> +Date: Tue Oct 24 19:33:32 2017 +0000 + + upstream commit + + Add tests for URI parsing. OK markus@ + + OpenBSD-Regress-ID: 5d1df19874f3b916d1a2256a905526e17a98bd3b + +commit dbe0662e9cd482593a4a8bf58c6481bfe8a747a4 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Oct 27 01:57:06 2017 +0000 + + upstream commit + + whitespace at EOL + + OpenBSD-Commit-ID: c95549cf5a07d56ea11aaff818415118720214f6 + +commit d2135474344335a7c6ee643b6ade6db400fa76ee +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Oct 27 01:01:17 2017 +0000 + + upstream commit + + whitespace at EOL (lots) + + OpenBSD-Commit-ID: 757257dd44116794ee1b5a45c6724973de181747 + +commit b77c29a07f5a02c7c1998701c73d92bde7ae1608 +Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org> +Date: Fri Oct 27 00:18:41 2017 +0000 + + upstream commit + + improve printing of rdomain on accept() a little + + OpenBSD-Commit-ID: 5da58db2243606899cedaa646c70201b2d12247a + +commit 68d3bbb2e6dfbf117c46e942142795b2cdd0274b +Author: jmc@openbsd.org@openbsd.org <jmc@openbsd.org@openbsd.org> +Date: Thu Oct 26 06:44:01 2017 +0000 + + upstream commit + + mark up the rdomain keyword; + + OpenBSD-Commit-ID: 1b597d0ad0ad20e94dbd61ca066057e6f6313b8a + +commit 0b2e2896b9d0d6cfb59e9ec8271085296bd4e99b +Author: jmc@openbsd.org@openbsd.org <jmc@openbsd.org@openbsd.org> +Date: Wed Oct 25 06:19:46 2017 +0000 + + upstream commit + + tweak the uri text, specifically removing some markup to + make it a bit more readable; + + issue reported by - and diff ok - millert + + OpenBSD-Commit-ID: 8b56a20208040b2d0633536fd926e992de37ef3f + +commit 7530e77bdc9415386d2a8ea3d086e8b611b2ba40 +Author: jmc@openbsd.org@openbsd.org <jmc@openbsd.org@openbsd.org> +Date: Wed Oct 25 06:18:06 2017 +0000 + + upstream commit + + simplify macros in previous, and some minor tweaks; + + OpenBSD-Commit-ID: 6efeca3d8b095b76e21b484607d9cc67ac9a11ca + +commit eb9c582b710dc48976b48eb2204218f6863bae9a +Author: Damien Miller <djm@mindrot.org> +Date: Tue Oct 31 00:46:29 2017 +1100 + + Switch upstream git repository. + + Previously portable OpenSSH has synced against a conversion of OpenBSD's + CVS repository made using the git cvsimport tool, but this has become + increasingly unreliable. + + As of this commit, portable OpenSSH now tracks a conversion of the + OpenBSD CVS upstream made using the excellent cvs2gitdump tool from + YASUOKA Masahiko: https://github.com/yasuoka/cvs2gitdump + + cvs2gitdump is considerably more reliable than gitcvsimport and the old + version of cvsps that it uses under the hood, and is the same tool used + to export the entire OpenBSD repository to git (so we know it can cope + with future growth). + + These new conversions are mirrored at github, so interested parties can + match portable OpenSSH commits to their upstream counterparts. + + https://github.com/djmdjm/openbsd-openssh-src + https://github.com/djmdjm/openbsd-openssh-regress + + An unfortunate side effect of switching upstreams is that we must have + a flag day, across which the upstream commit IDs will be inconsistent. + The old commit IDs are recorded with the tags "Upstream-ID" for main + directory commits and "Upstream-Regress-ID" for regress commits. + + To make it clear that the commit IDs do not refer to the same + things, the new repository will instead use "OpenBSD-ID" and + "OpenBSD-Regress-ID" tags instead. + + Apart from being a longwinded explanation of what is going on, this + commit message also serves to synchronise our tools with the state of + the tree, which happens to be: + + OpenBSD-ID: 9c43a9968c7929613284ea18e9fb92e4e2a8e4c1 + OpenBSD-Regress-ID: b33b385719420bf3bc57d664feda6f699c147fef + +commit 2de5c6b53bf063ac698596ef4e23d8e3099656ea +Author: Damien Miller <djm@mindrot.org> +Date: Fri Oct 27 08:42:33 2017 +1100 + + fix rdomain compilation errors + +commit 6bd5b569fd6dfd5e8c8af20bbc41e45c2d6462ab +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 25 14:15:42 2017 +1100 + + autoconf glue to enable Linux VRF + +commit 97c5aaf925d61641d599071abb56012cde265978 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 25 14:09:56 2017 +1100 + + basic valid_rdomain() implementation for Linux + +commit ce1cca39d7935dd394080ce2df62f5ce5b51f485 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 25 13:47:59 2017 +1100 + + implement get/set_rdomain() for Linux + + Not enabled, pending implementation of valid_rdomain() and autoconf glue + +commit 6eee79f9b8d4a3b113b698383948a119acb82415 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 25 13:22:29 2017 +1100 + + stubs for rdomain replacement functions + +commit f5594f939f844bbb688313697d6676238da355b3 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 25 13:13:57 2017 +1100 + + rename port-tun.[ch] => port-net.[ch] + + Ahead of adding rdomain support + +commit d685e5a31feea35fb99e1a31a70b3c60a7f2a0eb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 25 02:10:39 2017 +0000 + + upstream commit + + uninitialised variable in PermitTunnel printing code + + Upstream-ID: f04dc33e42855704e116b8da61095ecc71bc9e9a + +commit 43c29bb7cfd46bbbc61e0ffa61a11e74d49a712f +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 25 13:10:59 2017 +1100 + + provide hooks and fallbacks for rdomain support + +commit 3235473bc8e075fad7216b7cd62fcd2b0320ea04 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 25 11:25:43 2017 +1100 + + check for net/route.h and sys/sysctl.h + +commit 4d5456c7de108e17603a0920c4d15bca87244921 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 25 00:21:37 2017 +0000 + + upstream commit + + transfer ownership of stdout to the session channel by + dup2'ing /dev/null to fd 1. This allows propagation of remote stdout close to + the local side; reported by David Newall, ok markus@ + + Upstream-ID: 8d9ac18a11d89e6b0415f0cbf67b928ac67f0e79 + +commit 68af80e6fdeaeb79432209db614386ff0f37e75f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 25 00:19:47 2017 +0000 + + upstream commit + + add a "rdomain" criteria for the sshd_config Match + keyword to allow conditional configuration that depends on which rdomain(4) a + connection was recevied on. ok markus@ + + Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb + +commit 35eb33fb957979e3fcbe6ea0eaee8bf4a217421a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 25 00:17:08 2017 +0000 + + upstream commit + + add sshd_config RDomain keyword to place sshd and the + subsequent user session (including the shell and any TCP/IP forwardings) into + the specified rdomain(4) + + ok markus@ + + Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5 + +commit acf559e1cffbd1d6167cc1742729fc381069f06b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 25 00:15:35 2017 +0000 + + upstream commit + + Add optional rdomain qualifier to sshd_config's + ListenAddress option to allow listening on a different rdomain(4), e.g. + + ListenAddress 0.0.0.0 rdomain 4 + + Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091 + +commit b9903ee8ee8671b447fc260c2bee3761e26c7227 +Author: millert@openbsd.org <millert@openbsd.org> +Date: Tue Oct 24 19:41:45 2017 +0000 + + upstream commit + + Kill dead store and some spaces vs. tabs indent in + parse_user_host_path(). Noticed by markus@ + + Upstream-ID: 114fec91dadf9af46c7c94fd40fc630ea2de8200 + +commit 0869627e00f4ee2a038cb62d7bd9ffad405e1800 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Tue Oct 24 06:27:42 2017 +0000 + + upstream commit + + tweak previous; ok djm + + Upstream-ID: 7d913981ab315296be1f759c67b6e17aea38fca9 + +commit e3fa20e2e58fdc88a0e842358778f2de448b771b +Author: Damien Miller <djm@mindrot.org> +Date: Mon Oct 23 16:25:24 2017 +1100 + + avoid -Wsign-compare warning in argv copying + +commit b7548b12a6b2b4abf4d057192c353147e0abba08 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Oct 23 05:08:00 2017 +0000 + + upstream commit + + Expose devices allocated for tun/tap forwarding. + + At the client, the device may be obtained from a new %T expansion + for LocalCommand. + + At the server, the allocated devices will be listed in a + SSH_TUNNEL variable exposed to the environment of any user sessions + started after the tunnel forwarding was established. + + ok markus + + Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e + +commit 887669ef032d63cf07f53cada216fa8a0c9a7d72 +Author: millert@openbsd.org <millert@openbsd.org> +Date: Sat Oct 21 23:06:24 2017 +0000 + + upstream commit + + Add URI support to ssh, sftp and scp. For example + ssh://user@host or sftp://user@host/path. The connection parameters + described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since + the ssh fingerprint format in the draft uses md5 with no way to specify the + hash function type. OK djm@ + + Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc + +commit d27bff293cfeb2252f4c7a58babe5ad3262c6c98 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Oct 20 13:22:00 2017 +1100 + + Fix missed RCSID merges + +commit d3b6aeb546242c9e61721225ac4387d416dd3d5e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Oct 20 02:13:41 2017 +0000 + + upstream commit + + more RCSIDs + + Upstream-Regress-ID: 1aecbe3f8224793f0ec56741a86d619830eb33be + +commit b011edbb32e41aaab01386ce4c0efcc9ff681c4a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Oct 20 01:56:39 2017 +0000 + + upstream commit + + add RCSIDs to these; they make syncing portable a bit + easier + + Upstream-ID: 56cb7021faea599736dd7e7f09c2e714425b1e68 + +commit 6eb27597781dccaf0ec2b80107a9f0592a0cb464 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Oct 20 12:54:15 2017 +1100 + + upstream commit + + Apply missing commit 1.11 to kexc25519s.c + + Upstream-ID: 5f020e23a1ee6c3597af1f91511e68552cdf15e8 + +commit 6f72280553cb6918859ebcacc717f2d2fafc1a27 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Oct 20 12:52:50 2017 +1100 + + upstream commit + + Apply missing commit 1.127 to servconf.h + + Upstream-ID: f14c4bac74a2b7cf1e3cff6bea5c447f192a7d15 + +commit bb3e16ab25cb911238c2eb7455f9cf490cb143cc +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Wed Oct 18 05:36:59 2017 +0000 + + upstream commit + + remove unused Pp; + + Upstream-ID: 8ad26467f1f6a40be887234085a8e01a61a00550 + +commit 05b69e99570553c8e1eafb895b1fbf1d098d2e14 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 18 02:49:44 2017 +0000 + + upstream commit + + In the description of pattern-lists, clarify negated + matches by explicitly stating that a negated match will never yield a + positive result, and that at least one positive term in the pattern-list must + match. bz#1918 + + Upstream-ID: 652d2f9d993f158fc5f83cef4a95cd9d95ae6a14 + +commit eb80e26a15c10bc65fed8b8cdb476819a713c0fd +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Oct 13 21:13:54 2017 +0000 + + upstream commit + + log debug messages sent to peer; ok deraadt markus + + Upstream-ID: 3b4fdc0a06ea5083f61d96e20043000f477103d9 + +commit 071325f458d615d7740da5c1c1d5a8b68a0b4605 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Oct 13 16:50:45 2017 +0000 + + upstream commit + + trim permitrootlogin description somewhat, to avoid + ambiguity; original diff from walter alejandro iglesias, tweaked by sthen and + myself + + ok sthen schwarze deraadt + + Upstream-ID: 1749418b2bc073f3fdd25fe21f8263c3637fe5d2 + +commit 10727487becb897a15f658e0cb2d05466236e622 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Oct 13 06:45:18 2017 +0000 + + upstream commit + + mention SSH_USER_AUTH in the list of environment + variables + + Upstream-ID: 1083397c3ee54b4933121ab058c70a0fc6383691 + +commit 224f193d6a4b57e7a0cb2b9ecd3b6c54d721d8c2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Oct 13 06:24:51 2017 +0000 + + upstream commit + + BIO_get_mem_data() is supposed to take a char* as pointer + argument, so don't pass it a const char* + + Upstream-ID: 1ccd91eb7f4dd4f0fa812d4f956987cd00b5f6ec + +commit cfa46825b5ef7097373ed8e31b01a4538a8db565 +Author: benno@openbsd.org <benno@openbsd.org> +Date: Mon Oct 9 20:12:51 2017 +0000 + + upstream commit + + clarify the order in which config statements are used. ok + jmc@ djm@ + + Upstream-ID: e37e27bb6bbac71315e22cb9690fd8a556a501ed + +commit dceabc7ad7ebc7769c8214a1647af64c9a1d92e5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Oct 5 15:52:03 2017 +0000 + + upstream commit + + replace statically-sized arrays in ServerOptions with + dynamic ones managed by xrecallocarray, removing some arbitrary (though + large) limits and saving a bit of memory; "much nicer" markus@ + + Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2 + +commit 2b4f3ab050c2aaf6977604dd037041372615178d +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Thu Oct 5 12:56:50 2017 +0000 + + upstream commit + + %C is hashed; from klemens nanni ok markus + + Upstream-ID: 6ebed7b2e1b6ee5402a67875d74f5e2859d8f998 + +commit a66714508b86d6814e9055fefe362d9fe4d49ab3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 4 18:50:23 2017 +0000 + + upstream commit + + exercise PermitOpen a little more thoroughly + + Upstream-Regress-ID: f41592334e227a4c1f9a983044522de4502d5eac + +commit 609ecc8e57eb88e2eac976bd3cae7f7889aaeff6 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Sep 26 22:39:25 2017 +0000 + + upstream commit + + UsePrivilegeSeparation is gone, stop trying to test it. + + Upstream-Regress-ID: 796a5057cfd79456a20ea935cc53f6eb80ace191 + +commit 69bda0228861f3dacd4fb3d28b60ce9d103d254b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 4 18:49:30 2017 +0000 + + upstream commit + + fix (another) problem in PermitOpen introduced during the + channels.c refactor: the third and subsequent arguments to PermitOpen were + being silently ignored; ok markus@ + + Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd + commit 66bf74a92131b7effe49fb0eefe5225151869dc5 Author: djm@openbsd.org <djm@openbsd.org> Date: Mon Oct 2 19:33:20 2017 +0000 @@ -7110,2242 +9796,3 @@ Author: Darren Tucker <dtucker@zip.com.au> Date: Mon Apr 4 11:07:59 2016 +1000 Fix configure-time warnings for openssl test. - -commit 95687f5831ae680f7959446d8ae4b52452ee05dd -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Apr 1 02:34:10 2016 +0000 - - upstream commit - - whitespace at EOL - - Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a - -commit fdfbf4580de09d84a974211715e14f88a5704b8e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Mar 31 05:24:06 2016 +0000 - - upstream commit - - Remove fallback from moduli to "primes" file that was - deprecated in 2001 and fix log messages referring to primes file. Based on - patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@ - - Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713 - -commit 0235a5fa67fcac51adb564cba69011a535f86f6b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Mar 17 17:19:43 2016 +0000 - - upstream commit - - UseDNS affects ssh hostname processing in authorized_keys, - not known_hosts; bz#2554 reported by jjelen AT redhat.com - - Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591 - -commit 8c4739338f5e379d05b19d6e544540114965f07e -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Mar 15 09:24:43 2016 +1100 - - Don't call Solaris setproject() with UsePAM=yes. - - When Solaris Projects are enabled along with PAM setting the project - is PAM's responsiblity. bz#2425, based on patch from - brent.paulson at gmail.com. - -commit cff26f373c58457a32cb263e212cfff53fca987b -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 15 04:30:21 2016 +1100 - - remove slogin from *.spec - -commit c38905ba391434834da86abfc988a2b8b9b62477 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Mar 14 16:20:54 2016 +0000 - - upstream commit - - unbreak authentication using lone certificate keys in - ssh-agent: when attempting pubkey auth with a certificate, if no separate - private key is found among the keys then try with the certificate key itself. - - bz#2550 reported by Peter Moody - - Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966 - -commit 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Mar 10 11:47:57 2016 +0000 - - upstream commit - - sanitise characters destined for xauth reported by - github.com/tintinweb feedback and ok deraadt and markus - - Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261 - -commit 732b463d37221722b1206f43aa59563766a6a968 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Mon Mar 14 16:04:23 2016 +1100 - - Pass supported malloc options to connect-privsep. - - This allows us to activate only the supported options during the malloc - option portion of the connect-privsep test. - -commit d29c5b9b3e9f27394ca97a364ed4bb4a55a59744 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Mon Mar 14 09:30:58 2016 +1100 - - Remove leftover roaming.h file. - - Pointed out by des at des.no. - -commit 8ff20ec95f4377021ed5e9b2331320f5c5a34cea -Author: Darren Tucker <dtucker@zip.com.au> -Date: Mon Mar 14 09:24:03 2016 +1100 - - Quote variables that may contain whitespace. - - The variable $L_TMP_ID_FILE needs to be surrounded by quotes in order to - survive paths containing whitespace. bz#2551, from Corinna Vinschen via - Philip Hands. - -commit 627824480c01f0b24541842c7206ab9009644d02 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Mar 11 14:47:41 2016 +1100 - - Include priv.h for priv_set_t. - - From alex at cooperi.net. - -commit e960051f9a264f682c4d2fefbeecffcfc66b0ddf -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 9 13:14:18 2016 +1100 - - Wrap stdint.h inside #ifdef HAVE_STDINT_H. - -commit 2c48bd344d2c4b5e08dae9aea5ff44fc19a5e363 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 9 12:46:50 2016 +1100 - - Add compat to monotime_double(). - - Apply all of the portability changes in monotime() to monotime() double. - Fixes build on at least older FreeBSD systems. - -commit 7b40ef6c2eef40c339f6ea8920cb8a44838e10c9 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 8 14:12:58 2016 -0800 - - make a regress-binaries target - - Easier to build all the regression/unit test binaries in one pass - than going through all of ${REGRESS_BINARIES} - -commit c425494d6b6181beb54a1b3763ef9e944fd3c214 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 8 14:03:54 2016 -0800 - - unbreak kexfuzz for -Werror without __bounded__ - -commit 3ed9218c336607846563daea5d5ab4f701f4e042 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 8 14:01:29 2016 -0800 - - unbreak PAM after canohost refactor - -commit 885fb2a44ff694f01e4f6470f803629e11f62961 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Mar 8 11:58:43 2016 +1100 - - auth_get_canonical_hostname in portable code. - - "refactor canohost.c" replaced get_canonical_hostname, this makes the - same change to some portable-specific code. - -commit 95767262caa6692eff1e1565be1f5cb297949a89 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Mar 7 19:02:43 2016 +0000 - - upstream commit - - refactor canohost.c: move functions that cache results closer - to the places that use them (authn and session code). After this, no state is - cached in canohost.c - - feedback and ok markus@ - - Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e - -commit af0bb38ffd1f2c4f9f43b0029be2efe922815255 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Mar 4 15:11:55 2016 +1100 - - hook unittests/misc/kexfuzz into build - -commit 331b8e07ee5bcbdca12c11cc8f51a7e8de09b248 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 4 02:48:06 2016 +0000 - - upstream commit - - Filter debug messages out of log before picking the last - two lines. Should prevent problems if any more debug output is added late in - the connection. - - Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363 - -commit 0892edaa3ce623381d3a7635544cbc69b31cf9cb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 4 02:30:36 2016 +0000 - - upstream commit - - add KEX fuzzer harness; ok deraadt@ - - Upstream-Regress-ID: 3df5242d30551b12b828aa9ba4a4cec0846be8d1 - -commit ae2562c47d41b68dbb00240fd6dd60bed205367a -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Mar 3 00:46:53 2016 +0000 - - upstream commit - - Look back 3 lines for possible error messages. Changes - to the code mean that "Bad packet length" errors are 3 lines back instead of - the previous two, which meant we didn't skip some offsets that we intended - to. - - Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684 - -commit 988e429d903acfb298bfddfd75e7994327adfed0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 4 03:35:44 2016 +0000 - - upstream commit - - fix ClientAliveInterval when a time-based RekeyLimit is - set; previously keepalive packets were not being sent. bz#2252 report and - analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@ - - Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81 - -commit 8ef04d7a94bcdb8b0085fdd2a79a844b7d40792d -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Mar 2 22:43:52 2016 +0000 - - upstream commit - - Improve accuracy of reported transfer speeds by waiting - for the ack from the other end. Pointed out by mmcc@, ok deraadt@ markus@ - - Upstream-ID: 99f1cf15c9a8f161086b814d414d862795ae153d - -commit b8d4eafe29684fe4f5bb587f7eab948e6ed62723 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Mar 2 22:42:40 2016 +0000 - - upstream commit - - Improve precision of progressmeter for sftp and scp by - storing sub-second timestamps. Pointed out by mmcc@, ok deraadt@ markus@ - - Upstream-ID: 38fd83a3d83dbf81c8ff7b5d1302382fe54970ab - -commit 18f64b969c70ed00e74b9d8e50359dbe698ce4c0 -Author: jca@openbsd.org <jca@openbsd.org> -Date: Mon Feb 29 20:22:36 2016 +0000 - - upstream commit - - Print ssize_t with %zd; ok deraadt@ mmcc@ - - Upstream-ID: 0590313bbb013ff6692298c98f7e0be349d124bd - -commit 6e7f68ce38130c794ec1fb8d2a6091fbe982628d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Feb 28 22:27:00 2016 +0000 - - upstream commit - - rearrange DH public value tests to be a little more clear - - rearrange DH private value generation to explain rationale more - clearly and include an extra sanity check. - - ok deraadt - - Upstream-ID: 9ad8a07e1a12684e1b329f9bd88941b249d4b2ad - -commit 2ed17aa34008bdfc8db674315adc425a0712be11 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Mar 1 15:24:20 2016 +1100 - - Import updated moduli file from OpenBSD. - - Note that 1.5k bit groups have been removed. - -commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Feb 26 14:40:04 2016 +1100 - - Add a note about using xlc on AIX. - -commit fd4e4f2416baa2e6565ea49d52aade296bad3e28 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Feb 24 10:44:25 2016 +1100 - - Skip PrintLastLog in config dump mode. - - When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the - config dump since it'll be reported as UNKNOWN. - -commit 99135c764fa250801da5ec3b8d06cbd0111caae8 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Feb 23 20:17:23 2016 +1100 - - update spec/README versions ahead of release - -commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Feb 23 20:16:53 2016 +1100 - - put back portable patchlevel to p1 - -commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Feb 23 09:14:34 2016 +0000 - - upstream commit - - openssh-7.2 - - Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78 - -commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf -Author: Damien Miller <djm@mindrot.org> -Date: Tue Feb 23 16:12:13 2016 +1100 - - Disable tests where fs perms are incorrect - - Some tests have strict requirements on the filesystem permissions - for certain files and directories. This adds a regress/check-perm - tool that copies the relevant logic from sshd to exactly test - the paths in question. This lets us skip tests when the local - filesystem doesn't conform to our expectations rather than - continuing and failing the test run. - - ok dtucker@ - -commit 39f303b1f36d934d8410b05625f25c7bcb75db4d -Author: Damien Miller <djm@mindrot.org> -Date: Tue Feb 23 12:56:59 2016 +1100 - - fix sandbox on OSX Lion - - sshd was failing with: - - ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw - image not found [preauth] - - caused by chroot before sandboxing. Avoid by explicitly linking libsandbox - to sshd. Spotted by Darren. - -commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Feb 23 01:34:14 2016 +0000 - - upstream commit - - fix spurious error message when incorrect passphrase - entered for keys; reported by espie@ ok deraadt@ - - Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899 - -commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc -Author: sobrado@openbsd.org <sobrado@openbsd.org> -Date: Sat Feb 20 23:06:23 2016 +0000 - - upstream commit - - set ssh(1) protocol version to 2 only. - - ok djm@ - - Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10 - -commit 9262e07826ba5eebf8423f7ac9e47ec488c47869 -Author: sobrado@openbsd.org <sobrado@openbsd.org> -Date: Sat Feb 20 23:02:39 2016 +0000 - - upstream commit - - add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to - IdentityFile. - - ok djm@ - - Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf - -commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5 -Author: sobrado@openbsd.org <sobrado@openbsd.org> -Date: Sat Feb 20 23:01:46 2016 +0000 - - upstream commit - - AddressFamily defaults to any. - - ok djm@ - - Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c - -commit 907091acb188b1057d50c2158f74c3ecf1c2302b -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Feb 19 09:05:39 2016 +1100 - - Make Solaris privs code build on older systems. - - Not all systems with Solaris privs have priv_basicset so factor that - out and provide backward compatibility code. Similarly, not all have - PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from - alex at cooperi.net and djm@ with help from carson at taltos.org and - wieland at purdue.edu. - -commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Feb 17 22:20:14 2016 +0000 - - upstream commit - - rekey refactor broke SSH1; spotted by Tom G. Christensen - - Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243 - -commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Feb 17 08:57:34 2016 +0000 - - upstream commit - - rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly - in *KeyTypes options yet. Remove them from the lists of algorithms for now. - committing on behalf of markus@ ok djm@ - - Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7 - -commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Wed Feb 17 07:38:19 2016 +0000 - - upstream commit - - since these pages now clearly tell folks to avoid v1, - normalise the docs from a v2 perspective (i.e. stop pointing out which bits - are v2 only); - - ok/tweaks djm ok markus - - Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129 - -commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Feb 17 05:29:04 2016 +0000 - - upstream commit - - make sandboxed privilege separation the default, not just - for new installs; "absolutely" deraadt@ - - Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b - -commit eb3f7337a651aa01d5dec019025e6cdc124ed081 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Tue Feb 16 07:47:54 2016 +0000 - - upstream commit - - no need to state that protocol 2 is the default twice; - - Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb - -commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Feb 16 05:11:04 2016 +0000 - - upstream commit - - Replace list of ciphers and MACs adjacent to -1/-2 flag - descriptions in ssh(1) with a strong recommendation not to use protocol 1. - Add a similar warning to the Protocol option descriptions in ssh_config(5) - and sshd_config(5); - - prompted by and ok mmcc@ - - Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e - -commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Feb 16 03:37:48 2016 +0000 - - upstream commit - - add a "Close session" log entry (at loglevel=verbose) to - correspond to the existing "Starting session" one. Also include the session - id number to make multiplexed sessions more apparent. - - feedback and ok dtucker@ - - Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c - -commit 624fd395b559820705171f460dd33d67743d13d6 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Feb 17 02:24:17 2016 +0000 - - upstream commit - - include bad $SSH_CONNECTION in failure output - - Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529 - -commit 60d860e54b4f199e5e89963b1c086981309753cb -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Feb 17 13:37:09 2016 +1100 - - Rollback addition of va_start. - - va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however - it has the wrong number of args and it's not usable in non-variadic - functions anyway so it breaks things (for example Solaris 2.6 as - reported by Tom G. Christensen).i ok djm@ - -commit 2fee909c3cee2472a98b26eb82696297b81e0d38 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Feb 17 09:48:15 2016 +1100 - - Look for gethostbyname in libresolv and libnsl. - - Should fix build problem on Solaris 2.6 reported by Tom G. Christensen. - -commit 5ac712d81a84396aab441a272ec429af5b738302 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Feb 16 10:45:02 2016 +1100 - - make existing ssh_malloc_init only for __OpenBSD__ - -commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Feb 15 23:32:37 2016 +0000 - - upstream commit - - memleak of algorithm name in mm_answer_sign; reported by - Jakub Jelen - - Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08 - -commit ffb1e7e896139a42ceb78676f637658f44612411 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Feb 15 09:47:49 2016 +0000 - - upstream commit - - Add a function to enable security-related malloc_options. - With and ok deraadt@, something similar has been in the snaps for a while. - - Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed - -commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c -Author: Damien Miller <djm@mindrot.org> -Date: Tue Feb 16 10:34:39 2016 +1100 - - sync ssh-copy-id with upstream 783ef08b0a75 - -commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 12 00:20:30 2016 +0000 - - upstream commit - - avoid fatal() for PKCS11 tokens that present empty key IDs - bz#1773, ok markus@ - - Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54 - -commit e4c918a6c721410792b287c9fd21356a1bed5805 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Feb 11 02:56:32 2016 +0000 - - upstream commit - - sync crypto algorithm lists in ssh_config(5) and - sshd_config(5) with current reality. bz#2527 - - Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6 - -commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Feb 11 02:21:34 2016 +0000 - - upstream commit - - fix regression in openssh-6.8 sftp client: existing - destination directories would incorrectly terminate recursive uploads; - bz#2528 - - Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18 - -commit 714e367226ded4dc3897078be48b961637350b05 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Feb 9 05:30:04 2016 +0000 - - upstream commit - - turn off more old crypto in the client: hmac-md5, ripemd, - truncated HMACs, RC4, blowfish. ok markus@ dtucker@ - - Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e - -commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Feb 8 23:40:12 2016 +0000 - - upstream commit - - don't attempt to percent_expand() already-canonicalised - addresses, avoiding unnecessary failures when attempting to connect to scoped - IPv6 addresses (that naturally contain '%' characters) - - Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a - -commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Feb 8 10:57:07 2016 +0000 - - upstream commit - - refactor activation of rekeying - - This makes automatic rekeying internal to the packet code (previously - the server and client loops needed to assist). In doing to it makes - application of rekey limits more accurate by accounting for packets - about to be sent as well as packets queued during rekeying events - themselves. - - Based on a patch from dtucker@ which was in turn based on a patch - Aleksander Adamowski in bz#2521; ok markus@ - - Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8 - -commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d -Author: naddy@openbsd.org <naddy@openbsd.org> -Date: Fri Feb 5 13:28:19 2016 +0000 - - upstream commit - - Only check errno if read() has returned an error. EOF is - not an error. This fixes a problem where the mux master would sporadically - fail to notice that the client had exited. ok mikeb@ djm@ - - Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53 - -commit 56d7dac790693ce420d225119283bc355cff9185 -Author: jsg@openbsd.org <jsg@openbsd.org> -Date: Fri Feb 5 04:31:21 2016 +0000 - - upstream commit - - avoid an uninitialised value when NumberOfPasswordPrompts - is 0 ok markus@ djm@ - - Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b - -commit deae7d52d59c5019c528f977360d87fdda15d20b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 5 03:07:06 2016 +0000 - - upstream commit - - mention internal DH-GEX fallback groups; bz#2302 - - Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e - -commit cac3b6665f884d46192c0dc98a64112e8b11a766 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 5 02:37:56 2016 +0000 - - upstream commit - - better description for MaxSessions; bz#2531 - - Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da - -commit 5ef4b0fdcc7a239577a754829b50022b91ab4712 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Jan 27 17:45:56 2016 +1100 - - avoid FreeBSD RCS Id in comment - - Change old $FreeBSD version string in comment so it doesn't - become an RCS ident downstream; requested by des AT des.no - -commit 696d12683c90d20a0a9c5f4275fc916b7011fb04 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Feb 4 23:43:48 2016 +0000 - - upstream commit - - printf argument casts to avoid warnings on strict - compilers - - Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c - -commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a -Author: millert@openbsd.org <millert@openbsd.org> -Date: Mon Feb 1 21:18:17 2016 +0000 - - upstream commit - - Avoid ugly "DISPLAY "(null)" invalid; disabling X11 - forwarding" message when DISPLAY is not set. This could also result in a - crash on systems with a printf that doesn't handle NULL. OK djm@ - - Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412 - -commit 537f88ec7bcf40bd444ac5584c707c5588c55c43 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 29 05:18:15 2016 +0000 - - upstream commit - - Add regression test for RekeyLimit parsing of >32bit values - (4G and 8G). - - Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328 - -commit 4c6cb8330460f94e6c7ae28a364236d4188156a3 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 29 23:04:46 2016 +0000 - - upstream commit - - Remove leftover roaming dead code. ok djm markus. - - Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be - -commit 28136471809806d6246ef41e4341467a39fe2f91 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jan 29 05:46:01 2016 +0000 - - upstream commit - - include packet type of non-data packets in debug3 output; - ok markus dtucker - - Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41 - -commit 6fd6e28daccafaa35f02741036abe64534c361a1 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 29 03:31:03 2016 +0000 - - upstream commit - - Revert "account for packets buffered but not yet - processed" change as it breaks for very small RekeyLimit values due to - continuous rekeying. ok djm@ - - Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19 - -commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 29 02:54:45 2016 +0000 - - upstream commit - - Allow RekeyLimits in excess of 4G up to 2**63 bits - (limited by the return type of scan_scaled). Part of bz#2521, ok djm. - - Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979 - -commit c0060a65296f01d4634f274eee184c0e93ba0f23 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 29 02:42:46 2016 +0000 - - upstream commit - - Account for packets buffered but not yet processed when - computing whether or not it is time to perform rekeying. bz#2521, based - loosely on a patch from olo at fb.com, ok djm@ - - Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c - -commit 44cf930e670488c85c9efeb373fa5f4b455692ac -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jan 27 06:44:58 2016 +0000 - - upstream commit - - change old $FreeBSD version string in comment so it doesn't - become an RCS ident downstream; requested by des AT des.no - - Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722 - -commit ebacd377769ac07d1bf3c75169644336056b7060 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jan 27 00:53:12 2016 +0000 - - upstream commit - - make the debug messages a bit more useful here - - Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64 - -commit 458abc2934e82034c5c281336d8dc0f910aecad3 -Author: jsg@openbsd.org <jsg@openbsd.org> -Date: Sat Jan 23 05:31:35 2016 +0000 - - upstream commit - - Zero a stack buffer with explicit_bzero() instead of - memset() when returning from client_loop() for consistency with - buffer_free()/sshbuf_free(). - - ok dtucker@ deraadt@ djm@ - - Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66 - -commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Jan 20 09:22:39 2016 +0000 - - upstream commit - - Include sys/time.h for gettimeofday. From sortie at - maxsi.org. - - Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b - -commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a -Author: markus@openbsd.org <markus@openbsd.org> -Date: Thu Jan 14 22:56:56 2016 +0000 - - upstream commit - - fd leaks; report Qualys Security Advisory team; ok - deraadt@ - - Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d - -commit a306863831c57ec5fad918687cc5d289ee8e2635 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Thu Jan 14 16:17:39 2016 +0000 - - upstream commit - - remove roaming support; ok djm@ - - Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56 - -commit 6ef49e83e30688504552ac10875feabd5521565f -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Thu Jan 14 14:34:34 2016 +0000 - - upstream commit - - Disable experimental client-side roaming support. Server - side was disabled/gutted for years already, but this aspect was surprisingly - forgotten. Thanks for report from Qualys - - Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df - -commit 8d7b523b96d3be180572d9d338cedaafc0570f60 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Jan 14 11:08:19 2016 +1100 - - bump version numbers - -commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca -Author: Damien Miller <djm@mindrot.org> -Date: Thu Jan 14 11:04:04 2016 +1100 - - openssh-7.1p2 - -commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jan 15 01:30:36 2016 +1100 - - forcibly disable roaming support in the client - -commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jan 13 23:04:47 2016 +0000 - - upstream commit - - eliminate fallback from untrusted X11 forwarding to trusted - forwarding when the X server disables the SECURITY extension; Reported by - Thomas Hoger; ok deraadt@ - - Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938 - -commit 9a728cc918fad67c8a9a71201088b1e150340ba4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jan 12 23:42:54 2016 +0000 - - upstream commit - - use explicit_bzero() more liberally in the buffer code; ok - deraadt - - Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf - -commit 4626cbaf78767fc8e9c86dd04785386c59ae0839 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jan 8 14:24:56 2016 +1100 - - Support Illumos/Solaris fine-grained privileges - - Includes a pre-auth privsep sandbox and several pledge() - emulations. bz#2511, patch by Alex Wilson. - - ok dtucker@ - -commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Dec 31 00:33:52 2015 +0000 - - upstream commit - - fix three bugs in KRL code related to (unused) signature - support: verification length was being incorrectly calculated, multiple - signatures were being incorrectly processed and a NULL dereference that - occurred when signatures were verified. Reported by Carl Jackson - - Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b - -commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Dec 30 23:46:14 2015 +0000 - - upstream commit - - unused prototype - - Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97 - -commit 6213f0e180e54122bb1ba928e11c784e2b4e5380 -Author: guenther@openbsd.org <guenther@openbsd.org> -Date: Sat Dec 26 20:51:35 2015 +0000 - - upstream commit - - Use pread/pwrite instead separate lseek+read/write for - lastlog. Cast to off_t before multiplication to avoid truncation on ILP32 - - ok kettenis@ mmcc@ - - Upstream-ID: fc40092568cd195719ddf1a00aa0742340d616cf - -commit d7d2bc95045a43dd56ea696cc1d030ac9d77e81f -Author: semarie@openbsd.org <semarie@openbsd.org> -Date: Sat Dec 26 07:46:03 2015 +0000 - - upstream commit - - adjust pledge promises for ControlMaster: when using - "ask" or "autoask", the process will use ssh-askpass for asking confirmation. - - problem found by halex@ - - ok halex@ - - Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80 - -commit 271df8185d9689b3fb0523f58514481b858f6843 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Dec 13 22:42:23 2015 +0000 - - upstream commit - - unbreak connections with peers that set - first_kex_follows; fix from Matt Johnston va bz#2515 - - Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b - -commit 43849a47c5f8687699eafbcb5604f6b9c395179f -Author: doug@openbsd.org <doug@openbsd.org> -Date: Fri Dec 11 17:41:37 2015 +0000 - - upstream commit - - Add "id" to ssh-agent pledge for subprocess support. - - Found the hard way by Jan Johansson when using ssh-agent with X. Also, - rearranged proc/exec and retval to match other pledge calls in the tree. - - ok djm@ - - Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db - -commit 52d7078421844b2f88329f5be3de370b0a938636 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Fri Dec 11 04:21:11 2015 +0000 - - upstream commit - - Remove NULL-checks before sshbuf_free(). - - ok djm@ - - Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917 - -commit a4b9e0f4e4a6980a0eb8072f76ea611cab5b77e7 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 11 03:24:25 2015 +0000 - - upstream commit - - include remote port number in a few more messages; makes - tying log messages together into a session a bit easier; bz#2503 ok dtucker@ - - Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e - -commit 6091c362e89079397e68744ae30df121b0a72c07 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 11 03:20:09 2015 +0000 - - upstream commit - - don't try to load SSHv1 private key when compiled without - SSHv1 support. From Iain Morgan bz#2505 - - Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7 - -commit cce6a36bb95e81fa8bfb46daf22eabcf13afc352 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 11 03:19:09 2015 +0000 - - upstream commit - - use SSH_MAX_PUBKEY_BYTES consistently as buffer size when - reading key files. Increase it to match the size of the buffers already being - used. - - Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae - -commit 89540b6de025b80404a0cb8418c06377f3f98848 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Fri Dec 11 02:31:47 2015 +0000 - - upstream commit - - Remove NULL-checks before sshkey_free(). - - ok djm@ - - Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52 - -commit 79394ed6d74572c2d2643d73937dad33727fc240 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Dec 11 02:29:03 2015 +0000 - - upstream commit - - fflush stdout so that output is seen even when running in - debug mode when output may otherwise not be flushed. Patch from dustin at - null-ptr.net. - - Upstream-ID: b0c6b4cd2cdb01d7e9eefbffdc522e35b5bc4acc - -commit ee607cccb6636eb543282ba90e0677b0604d8b7a -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 15 15:23:49 2015 +1100 - - Increase robustness of redhat/openssh.spec - - - remove configure --with-rsh, because this option isn't supported anymore - - replace last occurrence of BuildPreReq by BuildRequires - - update grep statement to query the krb5 include directory - - Patch from CarstenGrohmann via github, ok djm. - -commit b5fa0cd73555b991a543145603658d7088ec6b60 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 15 15:10:32 2015 +1100 - - Allow --without-ssl-engine with --without-openssl - - Patch from Mike Frysinger via github. - -commit c1d7e546f6029024f3257cc25c92f2bddf163125 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 15 14:27:09 2015 +1100 - - Include openssl crypto.h for SSLeay. - - Patch from doughdemon via github. - -commit c6f5f01651526e88c00d988ce59d71f481ebac62 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 15 13:59:12 2015 +1100 - - Add sys/time.h for gettimeofday. - - Should allow it it compile with MUSL libc. Based on patch from - doughdemon via github. - -commit 39736be06c7498ef57d6970f2d85cf066ae57c82 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 11 02:20:28 2015 +0000 - - upstream commit - - correct error messages; from Tomas Kuthan bz#2507 - - Upstream-ID: 7454a0affeab772398052954c79300aa82077093 - -commit 94141b7ade24afceeb6762a3f99e09e47a6c42b6 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Fri Dec 11 00:20:04 2015 +0000 - - upstream commit - - Pass (char *)NULL rather than (char *)0 to execl and - execlp. - - ok dtucker@ - - Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492 - -commit d59ce08811bf94111c2f442184cf7d1257ffae24 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Thu Dec 10 17:08:40 2015 +0000 - - upstream commit - - Remove NULL-checks before free(). - - ok dtucker@ - - Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8 - -commit 8e56dd46cb37879c73bce2d6032cf5e7f82d5a71 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Thu Dec 10 07:01:35 2015 +0000 - - upstream commit - - Fix a couple "the the" typos. ok dtucker@ - - Upstream-ID: ec364c5af32031f013001fd28d1bd3dfacfe9a72 - -commit 6262a0522ddc2c0f2e9358dcb68d59b46e9c533e -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Dec 7 20:04:09 2015 +0000 - - upstream commit - - stricter encoding type checks for ssh-rsa; ok djm@ - - Upstream-ID: 8cca7c787599a5e8391e184d0b4f36fdc3665650 - -commit d86a3ba7af160c13496102aed861ae48a4297072 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Dec 9 09:18:45 2015 +1100 - - Don't set IPV6_V6ONLY on OpenBSD - - It isn't necessary and runs afoul of pledge(2) restrictions. - -commit da98c11d03d819a15429d8fff9688acd7505439f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Dec 7 02:20:46 2015 +0000 - - upstream commit - - basic unit tests for rsa-sha2-* signature types - - Upstream-Regress-ID: 7dc4b9db809d578ff104d591b4d86560c3598d3c - -commit 3da893fdec9936dd2c23739cdb3c0c9d4c59fca0 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Sat Dec 5 20:53:21 2015 +0000 - - upstream commit - - prefer rsa-sha2-512 over -256 for hostkeys, too; noticed - by naddy@ - - Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe - -commit 8b56e59714d87181505e4678f0d6d39955caf10e -Author: tobias@openbsd.org <tobias@openbsd.org> -Date: Fri Dec 4 21:51:06 2015 +0000 - - upstream commit - - Properly handle invalid %-format by calling fatal. - - ok deraadt, djm - - Upstream-ID: 5692bce7d9f6eaa9c488cb93d3b55e758bef1eac - -commit 76c9fbbe35aabc1db977fb78e827644345e9442e -Author: markus@openbsd.org <markus@openbsd.org> -Date: Fri Dec 4 16:41:28 2015 +0000 - - upstream commit - - implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures - (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and - draft-ssh-ext-info-04.txt; with & ok djm@ - - Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309 - -commit 6064a8b8295cb5a17b5ebcfade53053377714f40 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 4 00:24:55 2015 +0000 - - upstream commit - - clean up agent_fd handling; properly initialise it to -1 - and make tests consistent - - ok markus@ - - Upstream-ID: ac9554323d5065745caf17b5e37cb0f0d4825707 - -commit b91926a97620f3e51761c271ba57aa5db790f48d -Author: semarie@openbsd.org <semarie@openbsd.org> -Date: Thu Dec 3 17:00:18 2015 +0000 - - upstream commit - - pledges ssh client: - mux client: which is used when - ControlMaster is in use. will end with "stdio proc tty" (proc is to - permit sending SIGWINCH to mux master on window resize) - - - client loop: several levels of pledging depending of your used options - - ok deraadt@ - - Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b - -commit bcce47466bbc974636f588b5e4a9a18ae386f64a -Author: doug@openbsd.org <doug@openbsd.org> -Date: Wed Dec 2 08:30:50 2015 +0000 - - upstream commit - - Add "cpath" to the ssh-agent pledge so the cleanup - handler can unlink(). - - ok djm@ - - Upstream-ID: 9e632991d48241d56db645602d381253a3d8c29d - -commit a90d001543f46716b6590c6dcc681d5f5322f8cf -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Dec 2 08:00:58 2015 +0000 - - upstream commit - - ssh-agent pledge needs proc for askpass; spotted by todd@ - - Upstream-ID: 349aa261b29cc0e7de47ef56167769c432630b2a - -commit d952162b3c158a8f23220587bb6c8fcda75da551 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Dec 1 23:29:24 2015 +0000 - - upstream commit - - basic pledge() for ssh-agent, more refinement needed - - Upstream-ID: 5b5b03c88162fce549e45e1b6dd833f20bbb5e13 - -commit f0191d7c8e76e30551084b79341886d9bb38e453 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Nov 30 10:53:25 2015 +1100 - - Revert "stub for pledge(2) for systems that lack it" - - This reverts commit 14c887c8393adde2d9fd437d498be30f8c98535c. - - dtucker beat me to it :/ - -commit 6283cc72eb0e49a3470d30e07ca99a1ba9e89676 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Nov 30 10:37:03 2015 +1100 - - revert 7d4c7513: bring back S/Key prototypes - - (but leave RCSID changes) - -commit 14c887c8393adde2d9fd437d498be30f8c98535c -Author: Damien Miller <djm@mindrot.org> -Date: Mon Nov 30 09:45:29 2015 +1100 - - stub for pledge(2) for systems that lack it - -commit 452c0b6af5d14c37553e30059bf74456012493f3 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Nov 29 22:18:37 2015 +0000 - - upstream commit - - pledge, better fatal() messages; feedback deraadt@ - - Upstream-ID: 3e00f6ccfe2b9a7a2d1dbba5409586180801488f - -commit 6da413c085dba37127687b2617a415602505729b -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Sat Nov 28 06:50:52 2015 +0000 - - upstream commit - - do not leak temp file if there is no known_hosts file - from craig leres, ok djm - - Upstream-ID: c820497fd5574844c782e79405c55860f170e426 - -commit 3ddd15e1b63a4d4f06c8ab16fbdd8a5a61764f16 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Mon Nov 30 07:23:53 2015 +1100 - - Add a null implementation of pledge. - - Fixes builds on almost everything. - -commit b1d6b3971ef256a08692efc409fc9ada719111cc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Nov 28 06:41:03 2015 +0000 - - upstream commit - - don't include port number in tcpip-forward replies for - requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok - markus - - Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a - -commit 9080bd0b9cf10d0f13b1f642f20cb84285cb8d65 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Fri Nov 27 00:49:31 2015 +0000 - - upstream commit - - pledge "stdio rpath wpath cpath fattr tty proc exec" - except for the -p option (which sadly has insane semantics...) ok semarie - dtucker - - Upstream-ID: 8854bbd58279abe00f6c33f8094bdc02c8c65059 - -commit 4d90625b229cf6b3551d81550a9861897509a65f -Author: halex@openbsd.org <halex@openbsd.org> -Date: Fri Nov 20 23:04:01 2015 +0000 - - upstream commit - - allow comment change for all supported formats - - ok djm@ - - Upstream-ID: 5fc477cf2f119b2d44aa9c683af16cb00bb3744b - -commit 8ca915fc761519dd1f7766a550ec597a81db5646 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Nov 20 01:45:29 2015 +0000 - - upstream commit - - add cast to make -Werror clean - - Upstream-ID: 288db4f8f810bd475be01320c198250a04ff064d - -commit ac9473580dcd401f8281305af98635cdaae9bf96 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Nov 20 12:35:41 2015 +1100 - - fix multiple authentication using S/Key w/ privsep - - bz#2502, patch from Kevin Korb and feandil_ - -commit 88b6fcdeb87a2fb76767854d9eb15006662dca57 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Nov 19 08:23:27 2015 +0000 - - upstream commit - - ban ConnectionAttempts=0, it makes no sense and would cause - ssh_connect_direct() to print an uninitialised stack variable; bz#2500 - reported by dvw AT phas.ubc.ca - - Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5 - -commit 964ab3ee7a8f96bdbc963d5b5a91933d6045ebe7 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Nov 19 01:12:32 2015 +0000 - - upstream commit - - trailing whitespace - - Upstream-ID: 31fe0ad7c4d08e87f1d69c79372f5e3c5cd79051 - -commit f96516d052dbe38561f6b92b0e4365d8e24bb686 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Nov 19 01:09:38 2015 +0000 - - upstream commit - - print host certificate contents at debug level - - Upstream-ID: 39354cdd8a2b32b308fd03f98645f877f540f00d - -commit 499cf36fecd6040e30e2912dd25655bc574739a7 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Nov 19 01:08:55 2015 +0000 - - upstream commit - - move the certificate validity formatting code to - sshkey.[ch] - - Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523 - -commit bcb7bc77bbb1535d1008c7714085556f3065d99d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Nov 18 08:37:28 2015 +0000 - - upstream commit - - fix "ssh-keygen -l" of private key, broken in support for - multiple plain keys on stdin - - Upstream-ID: 6b3132d2c62d03d0bad6f2bcd7e2d8b7dab5cd9d - -commit 259adb6179e23195c8f6913635ea71040d1ccd63 -Author: millert@openbsd.org <millert@openbsd.org> -Date: Mon Nov 16 23:47:52 2015 +0000 - - upstream commit - - Replace remaining calls to index(3) with strchr(3). OK - jca@ krw@ - - Upstream-ID: 33837d767a0cf1db1489b96055f9e330bc0bab6d - -commit c56a255162c2166884539c0a1f7511575325b477 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Nov 16 22:53:07 2015 +0000 - - upstream commit - - Allow fingerprinting from standard input "ssh-keygen -lf - -" - - Support fingerprinting multiple plain keys in a file and authorized_keys - files too (bz#1319) - - ok markus@ - - Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77 - -commit 5b4010d9b923cf1b46c9c7b1887c013c2967e204 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Nov 16 22:51:05 2015 +0000 - - upstream commit - - always call privsep_preauth_child() regardless of whether - sshd was started by root; it does important priming before sandboxing and - failing to call it could result in sandbox violations later; ok markus@ - - Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383 - -commit 3a9f84b58b0534bbb485f1eeab75665e2d03371f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Nov 16 22:50:01 2015 +0000 - - upstream commit - - improve sshkey_read() semantics; only update *cpp when a - key is successfully read; ok markus@ - - Upstream-ID: f371e78e8f4fab366cf69a42bdecedaed5d1b089 - -commit db6f8dc5dd5655b59368efd074994d4568bc3556 -Author: logan@openbsd.org <logan@openbsd.org> -Date: Mon Nov 16 06:13:04 2015 +0000 - - upstream commit - - 1) Use xcalloc() instead of xmalloc() to check for - potential overflow. (Feedback from both mmcc@ and djm@) 2) move set_size - just before the for loop. (suggested by djm@) - - OK djm@ - - Upstream-ID: 013534c308187284756c3141f11d2c0f33c47213 - -commit 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Nov 16 00:30:02 2015 +0000 - - upstream commit - - Add a new authorized_keys option "restrict" that - includes all current and future key restrictions (no-*-forwarding, etc). Also - add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". - This simplifies the task of setting up restricted keys and ensures they are - maximally-restricted, regardless of any permissions we might implement in the - future. - - Example: - - restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1... - - Idea from Jann Horn; ok markus@ - - Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0 - -commit e41a071f7bda6af1fb3f081bed0151235fa61f15 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Sun Nov 15 23:58:04 2015 +0000 - - upstream commit - - correct section number for ssh-agent; - - Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6 - -commit 1a11670286acddcc19f5eff0966c380831fc4638 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Sun Nov 15 23:54:15 2015 +0000 - - upstream commit - - do not confuse mandoc by presenting "Dd"; - - Upstream-ID: 1470fce171c47b60bbc7ecd0fc717a442c2cfe65 - -commit f361df474c49a097bfcf16d1b7b5c36fcd844b4b -Author: jcs@openbsd.org <jcs@openbsd.org> -Date: Sun Nov 15 22:26:49 2015 +0000 - - upstream commit - - Add an AddKeysToAgent client option which can be set to - 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a - private key that is used during authentication will be added to ssh-agent if - it is running (with confirmation enabled if set to 'confirm'). - - Initial version from Joachim Schipper many years ago. - - ok markus@ - - Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4 - -commit d87063d9baf5479b6e813d47dfb694a97df6f6f5 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Nov 13 04:39:35 2015 +0000 - - upstream commit - - send SSH2_MSG_UNIMPLEMENTED replies to unexpected - messages during KEX; bz#2949, ok dtucker@ - - Upstream-ID: 2b3abdff344d53c8d505f45c83a7b12e84935786 - -commit 9fd04681a1e9b0af21e08ff82eb674cf0a499bfc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Nov 13 04:38:06 2015 +0000 - - upstream commit - - Support "none" as an argument for sshd_config - ForceCommand and ChrootDirectory. Useful inside Match blocks to override a - global default. bz#2486 ok dtucker@ - - Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5 - -commit 94bc0b72c29e511cbbc5772190d43282e5acfdfe -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Nov 13 04:34:15 2015 +0000 - - upstream commit - - support multiple certificates (one per line) and - reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@ - - Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db - -commit b6b9108f5b561c83612cb97ece4134eb59fde071 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Nov 13 02:57:46 2015 +0000 - - upstream commit - - list a couple more options usable in Match blocks; - bz#2489 - - Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879 - -commit a7994b3f5a5a5a33b52b0a6065d08e888f0a99fb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Nov 11 04:56:39 2015 +0000 - - upstream commit - - improve PEEK/POKE macros: better casts, don't multiply - evaluate arguments; ok deraadt@ - - Upstream-ID: 9a1889e19647615ededbbabab89064843ba92d3e - -commit 7d4c7513a7f209cb303a608ac6e46b3f1dfc11ec -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Nov 11 01:48:01 2015 +0000 - - upstream commit - - remove prototypes for long-gone s/key support; ok - dtucker@ - - Upstream-ID: db5bed3c57118af986490ab23d399df807359a79 - -commit 07889c75926c040b8e095949c724e66af26441cb -Author: Damien Miller <djm@mindrot.org> -Date: Sat Nov 14 18:44:49 2015 +1100 - - read back from libcrypto RAND when privdropping - - makes certain libcrypto implementations cache a /dev/urandom fd - in preparation of sandboxing. Based on patch by Greg Hartman. - -commit 1560596f44c01bb0cef977816410950ed17b8ecd -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Nov 10 11:14:47 2015 +1100 - - Fix compiler warnings in the openssl header check. - - Noted by Austin English. - -commit e72a8575ffe1d8adff42c9abe9ca36938acc036b -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Sun Nov 8 23:24:03 2015 +0000 - - upstream commit - - -c before -H, in SYNOPSIS and usage(); - - Upstream-ID: 25e8c58a69e1f37fcd54ac2cd1699370acb5e404 - -commit 3a424cdd21db08c7b0ded902f97b8f02af5aa485 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Nov 8 22:30:20 2015 +0000 - - upstream commit - - Add "ssh-keyscan -c ..." flag to allow fetching - certificates instead of plain keys; ok markus@ - - Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82 - -commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Sun Nov 8 22:08:38 2015 +0000 - - upstream commit - - remove slogin links; ok deraadt markus djm - - Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730 - -commit 2fecfd486bdba9f51b3a789277bb0733ca36e1c0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Nov 8 21:59:11 2015 +0000 - - upstream commit - - fix OOB read in packet code caused by missing return - statement found by Ben Hawkes; ok markus@ deraadt@ - - Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 - -commit 5e288923a303ca672b686908320bc5368ebec6e6 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Fri Nov 6 00:31:41 2015 +0000 - - upstream commit - - 1. rlogin and rsh are long gone 2. protocol version isn't - of core relevance here, and v1 is going away - - ok markus@, deraadt@ - - Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8 - -commit 8b29008bbe97f33381d9b4b93fcfa304168d0286 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Thu Nov 5 09:48:05 2015 +0000 - - upstream commit - - "commandline" -> "command line", since there are so few - examples of the former in the pages, so many of the latter, and in some of - these pages we had multiple spellings; - - prompted by tj - - Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659 - -commit 996b24cebf20077fbe5db07b3a2c20c2d9db736e -Author: Darren Tucker <dtucker@zip.com.au> -Date: Thu Oct 29 20:57:34 2015 +1100 - - (re)wrap SYS_sendsyslog in ifdef. - - Replace ifdef that went missing in commit - c61b42f2678f21f05653ac2d3d241b48ab5d59ac. Fixes build on older - OpenBSDs. - -commit b67e2e76fcf1ae7c802eb27ca927e16c91a513ff -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Oct 29 08:05:17 2015 +0000 - - upstream commit - - regress test for "PubkeyAcceptedKeyTypes +..." inside a - Match block - - Upstream-Regress-ID: 246c37ed64a2e5704d4c158ccdca1ff700e10647 - -commit abd9dbc3c0d8c8c7561347cfa22166156e78c077 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Oct 26 02:50:58 2015 +0000 - - upstream commit - - Fix typo certopt->certopts in shell variable. This would - cause the test to hang at a host key prompt if you have an A or CNAME for - "proxy" in your local domain. - - Upstream-Regress-ID: 6ea03bcd39443a83c89e2c5606392ceb9585836a - -commit ed08510d38aef930a061ae30d10f2a9cf233bafa -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Oct 29 08:05:01 2015 +0000 - - upstream commit - - Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; - ok dtucker@ - - Upstream-ID: 853662c4036730b966aab77684390c47b9738c69 - -commit a4aef3ed29071719b2af82fdf1ac3c2514f82bc5 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Oct 27 08:54:52 2015 +0000 - - upstream commit - - fix execv arguments in a way less likely to cause grief - for -portable; ok dtucker@ - - Upstream-ID: 5902bf0ea0371f39f1300698dc3b8e4105fc0fc5 - -commit 63d188175accea83305e89fafa011136ff3d96ad -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Oct 27 01:44:45 2015 +0000 - - upstream commit - - log certificate serial in verbose() messages to match the - main auth success/fail message; ok dtucker@ - - Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288 - -commit 2aaba0cfd560ecfe92aa50c00750e6143842cf1f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Oct 27 00:49:53 2015 +0000 - - upstream commit - - avoid de-const warning & shrink; ok dtucker@ - - Upstream-ID: 69a85ef94832378952a22c172009cbf52aaa11db - -commit 03239c18312b9bab7d1c3b03062c61e8bbc1ca6e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Oct 25 23:42:00 2015 +0000 - - upstream commit - - Expand tildes in filenames passed to -i before checking - whether or not the identity file exists. This means that if the shell - doesn't do the expansion (eg because the option and filename were given as a - single argument) then we'll still add the key. bz#2481, ok markus@ - - Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6 - -commit 97e184e508dd33c37860c732c0eca3fc57698b40 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Oct 25 23:14:03 2015 +0000 - - upstream commit - - Do not prepend "exec" to the shell command run by "Match - exec" in a config file. It's an unnecessary optimization from repurposed - ProxyCommand code and prevents some things working with some shells. - bz#2471, pointed out by res at qoxp.net. ok markus@ - - Upstream-ID: a1ead25ae336bfa15fb58d8c6b5589f85b4c33a3 - -commit 8db134e7f457bcb069ec72bc4ee722e2af557c69 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Thu Oct 29 10:48:23 2015 +1100 - - Prevent name collisions with system glob (bz#2463) - - Move glob.h from includes.h to the only caller (sftp) and override the - names for the symbols. This prevents name collisions with the system glob - in the case where something other than ssh uses it (eg kerberos). With - jjelen at redhat.com, ok djm@ - -commit 86c10dbbef6a5800d2431a66cf7f41a954bb62b5 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Oct 23 02:22:01 2015 +0000 - - upstream commit - - Update expected group sizes to match recent code changes. - - Upstream-Regress-ID: 0004f0ea93428969fe75bcfff0d521c553977794 - -commit 9ada37d36003a77902e90a3214981e417457cf13 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Oct 24 22:56:19 2015 +0000 - - upstream commit - - fix keyscan output for multiple hosts/addrs on one line - when host hashing or a non standard port is in use; bz#2479 ok dtucker@ - - Upstream-ID: 5321dabfaeceba343da3c8a8b5754c6f4a0a307b - -commit 44fc7cd7dcef6c52c6b7e9ff830dfa32879bd319 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Oct 24 22:52:22 2015 +0000 - - upstream commit - - skip "Could not chdir to home directory" message when - chrooted - - patch from Christian Hesse in bz#2485 ok dtucker@ - - Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431 - -commit a820a8618ec44735dabc688fab96fba38ad66bb2 -Author: sthen@openbsd.org <sthen@openbsd.org> -Date: Sat Oct 24 08:34:09 2015 +0000 - - upstream commit - - Handle the split of tun(4) "link0" into tap(4) in ssh - tun-forwarding. Adapted from portable (using separate devices for this is the - normal case in most OS). ok djm@ - - Upstream-ID: 90facf4c59ce73d6741db1bc926e578ef465cd39 - -commit 66d2e229baa9fe57b868c373b05f7ff3bb20055b -Author: gsoares@openbsd.org <gsoares@openbsd.org> -Date: Wed Oct 21 11:33:03 2015 +0000 - - upstream commit - - fix memory leak in error path ok djm@ - - Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35 - -commit 7d6c0362039ceacdc1366b5df29ad5d2693c13e5 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Tue Oct 20 23:24:25 2015 +0000 - - upstream commit - - Compare pointers to NULL rather than 0. - - ok djm@ - - Upstream-ID: 21616cfea27eda65a06e772cc887530b9a1a27f8 - -commit f98a09cacff7baad8748c9aa217afd155a4d493f -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Tue Oct 20 03:36:35 2015 +0000 - - upstream commit - - Replace a function-local allocation with stack memory. - - ok djm@ - - Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e - -commit ac908c1eeacccfa85659594d92428659320fd57e -Author: Damien Miller <djm@mindrot.org> -Date: Thu Oct 22 09:35:24 2015 +1100 - - turn off PrintLastLog when --disable-lastlog - - bz#2278 from Brent Paulson - -commit b56deb847f4a0115a8bf488bf6ee8524658162fd -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Oct 16 22:32:22 2015 +0000 - - upstream commit - - increase the minimum modulus that we will send or accept in - diffie-hellman-group-exchange to 2048 bits; ok markus@ - - Upstream-ID: 06dce7a24c17b999a0f5fadfe95de1ed6a1a9b6a - -commit 5ee0063f024bf5b3f3ffb275b8cd20055d62b4b9 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Oct 16 18:40:49 2015 +0000 - - upstream commit - - better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in - hostname canonicalisation - treat them as already canonical and remove the - trailing '.' before matching ssh_config; ok markus@ - - Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a - -commit e92c499a75477ecfe94dd7b4aed89f20b1fac5a7 -Author: mmcc@openbsd.org <mmcc@openbsd.org> -Date: Fri Oct 16 17:07:24 2015 +0000 - - upstream commit - - 0 -> NULL when comparing with a char*. - - ok dtucker@, djm@. - - Upstream-ID: a928e9c21c0a9020727d99738ff64027c1272300 - -commit b1d38a3cc6fe349feb8d16a5f520ef12d1de7cb2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Oct 15 23:51:40 2015 +0000 - - upstream commit - - fix some signed/unsigned integer type mismatches in - format strings; reported by Nicholas Lemonias - - Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c - -commit 1a2663a15d356bb188196b6414b4c50dc12fd42b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Oct 15 23:08:23 2015 +0000 - - upstream commit - - argument to sshkey_from_private() and sshkey_demote() - can't be NULL - - Upstream-ID: 0111245b1641d387977a9b38da15916820a5fd1f - -commit 0f754e29dd3760fc0b172c1220f18b753fb0957e -Author: Damien Miller <djm@mindrot.org> -Date: Fri Oct 16 10:53:14 2015 +1100 - - need va_copy before va_start - - reported by Nicholas Lemonias - -commit eb6c50d82aa1f0d3fc95f5630ea69761e918bfcd -Author: Damien Miller <djm@mindrot.org> -Date: Thu Oct 15 15:48:28 2015 -0700 - - fix compilation on systems without SYMLOOP_MAX - -commit fafe1d84a210fb3dae7744f268059cc583db8c12 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 09:22:15 2015 -0700 - - s/SANDBOX_TAME/SANDBOX_PLEDGE/g - -commit 8f22911027ff6c17d7226d232ccd20727f389310 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 08:28:19 2015 +1100 - - upstream commit - - revision 1.20 - date: 2015/10/13 20:55:37; author: millert; state: Exp; lines: +2 -2; commitid: X39sl5ay1czgFIgp; - In rev 1.15 the sizeof argument was fixed in a strlcat() call but - the truncation check immediately following it was not updated to - match. Not an issue in practice since the buffers are the same - size. OK deraadt@ - -commit 23fa695bb735f54f04d46123662609edb6c76767 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 08:27:51 2015 +1100 - - upstream commit - - revision 1.19 - date: 2015/01/16 16:48:51; author: deraadt; state: Exp; lines: +3 -3; commitid: 0DYulI8hhujBHMcR; - Move to the <limits.h> universe. - review by millert, binary checking process with doug, concept with guenther - -commit c71be375a69af00c2d0a0c24d8752bec12d8fd1b -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 08:27:08 2015 +1100 - - upstream commit - - revision 1.18 - date: 2014/10/19 03:56:28; author: doug; state: Exp; lines: +9 -9; commitid: U6QxmtbXrGoc02S5; - Revert last commit due to changed semantics found by make release. - -commit c39ad23b06e9aecc3ff788e92f787a08472905b1 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 08:26:24 2015 +1100 - - upstream commit - - revision 1.17 - date: 2014/10/18 20:43:52; author: doug; state: Exp; lines: +10 -10; commitid: I74hI1tVZtsspKEt; - Better POSIX compliance in realpath(3). - - millert@ made changes to realpath.c based on FreeBSD's version. I merged - Todd's changes into dl_realpath.c. - - ok millert@, guenther@ - -commit e929a43f957dbd1254aca2aaf85c8c00cbfc25f4 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 08:25:55 2015 +1100 - - upstream commit - - revision 1.16 - date: 2013/04/05 12:59:54; author: kurt; state: Exp; lines: +3 -1; - - Add comments regarding copies of these files also in libexec/ld.so - okay guenther@ - -commit 5225db68e58a1048cb17f0e36e0d33bc4a8fc410 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 08:25:32 2015 +1100 - - upstream commit - - revision 1.15 - date: 2012/09/13 15:39:05; author: deraadt; state: Exp; lines: +2 -2; - specify the bounds of the dst to strlcat (both values were static and - equal, but it is more correct) - from Michal Mazurek - -commit 7365fe5b4859de2305e40ea132da3823830fa710 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 14 08:25:09 2015 +1100 - - upstream commit - - revision 1.14 - date: 2011/07/24 21:03:00; author: miod; state: Exp; lines: +35 -13; - Recent Single Unix will malloc memory if the second argument of realpath() - is NULL, and third-party software is starting to rely upon this. - Adapted from FreeBSD via Jona Joachim (jaj ; hcl-club , .lu), with minor - tweaks from nicm@ and yours truly. - -commit e679c09cd1951f963793aa3d9748d1c3fdcf808f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Oct 13 16:15:21 2015 +0000 - - upstream commit - - apply PubkeyAcceptedKeyTypes filtering earlier, so all - skipped keys are noted before pubkey authentication starts. ok dtucker@ - - Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8 - -commit 179c353f564ec7ada64b87730b25fb41107babd7 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Oct 13 00:21:27 2015 +0000 - - upstream commit - - free the correct IV length, don't assume it's always the - cipher blocksize; ok dtucker@ - - Upstream-ID: c260d9e5ec73628d9ff4b067fbb060eff5a7d298 - -commit 2539dce2a049a8f6bb0d44cac51f07ad48e691d3 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Fri Oct 9 01:37:08 2015 +0000 - - upstream commit - - Change all tame callers to namechange to pledge(2). - - Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2 - -commit 9846a2f4067383bb76b4e31a9d2303e0a9c13a73 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Oct 8 04:30:48 2015 +1100 - - hook tame(2) sandbox up to build - - OpenBSD only for now - -commit 0c46bbe68b70bdf0d6d20588e5847e71f3739fe6 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Oct 7 15:59:12 2015 +0000 - - upstream commit - - include PubkeyAcceptedKeyTypes in ssh -G config dump - - Upstream-ID: 6c097ce6ffebf6fe393fb7988b5d152a5d6b36bb - -commit bdcb73fb7641b1cf73c0065d1a0dd57b1e8b778e -Author: sobrado@openbsd.org <sobrado@openbsd.org> -Date: Wed Oct 7 14:45:30 2015 +0000 - - upstream commit - - UsePrivilegeSeparation defaults to sandbox now. - - ok djm@ - - Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f - -commit 2905d6f99c837bb699b6ebc61711b19acd030709 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Oct 7 00:54:06 2015 +0000 - - upstream commit - - don't try to change tun device flags if they are already - what we need; makes it possible to use tun/tap networking as non- root user - if device permissions and interface flags are pre-established; based on patch - by Ossi Herrala - - Upstream-ID: 89099ac4634cd477b066865acf54cb230780fd21 - -commit 0dc74512bdb105b048883f07de538b37e5e024d4 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Oct 5 18:33:05 2015 -0700 - - unbreak merge botch - -commit fdd020e86439afa7f537e2429d29d4b744c94331 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Oct 6 01:20:59 2015 +0000 - - upstream commit - - adapt to recent sshkey_parse_private_fileblob() API - change - - Upstream-Regress-ID: 5c0d818da511e33e0abf6a92a31bd7163b7ad988 - -commit 21ae8ee3b630b0925f973db647a1b9aa5fcdd4c5 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 24 07:15:39 2015 +0000 - - upstream commit - - fix command-line option to match what was actually - committed - - Upstream-Regress-ID: 3e8c24a2044e8afd37e7ce17b69002ca817ac699 - -commit e14ac43b75e68f1ffbd3e1a5e44143c8ae578dcd -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 24 06:16:53 2015 +0000 - - upstream commit - - regress test for CertificateFile; patch from Meghana Bhat - via bz#2436 - - Upstream-Regress-ID: e7a6e980cbe0f8081ba2e83de40d06c17be8bd25 - -commit 905b054ed24e0d5b4ef226ebf2c8bfc02ae6d4ad -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Oct 5 17:11:21 2015 +0000 - - upstream commit - - some more bzero->explicit_bzero, from Michael McConville - - Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0 - -commit b007159a0acdbcf65814b3ee05dbe2cf4ea46011 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Fri Oct 2 15:52:55 2015 +0000 - - upstream commit - - fix email - - Upstream-ID: 72150f2d54b94de14ebef1ea054ef974281bf834 - -commit b19e1b4ab11884c4f62aee9f8ab53127a4732658 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Fri Oct 2 01:39:52 2015 +0000 - - upstream commit - - a sandbox using tame ok djm - - Upstream-ID: 4ca24e47895e72f5daaa02f3e3d3e5ca2d820fa3 - -commit c61b42f2678f21f05653ac2d3d241b48ab5d59ac -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Fri Oct 2 01:39:26 2015 +0000 - - upstream commit - - re-order system calls in order of risk, ok i'll be - honest, ordered this way they look like tame... ok djm - - Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813 - -commit c5f7c0843cb6e6074a93c8ac34e49ce33a6f5546 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Fri Sep 25 18:19:54 2015 +0000 - - upstream commit - - some certificatefile tweaks; ok djm - - Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0 - -commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 24 06:15:11 2015 +0000 - - upstream commit - - add ssh_config CertificateFile option to explicitly list - a certificate; patch from Meghana Bhat on bz#2436; ok markus@ - - Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8 - -commit e3cbb06ade83c72b640a53728d362bbefa0008e2 -Author: sobrado@openbsd.org <sobrado@openbsd.org> -Date: Tue Sep 22 08:33:23 2015 +0000 - - upstream commit - - fix two typos. - - Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709 |