|
Revision tags: release/14.0.0, release/13.2.0 |
|
| #
4d3fc8b0 |
| 16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
Sponsored by: The FreeBSD Foundation
show more ...
|
|
Revision tags: release/12.4.0, release/13.1.0 |
|
| #
1323ec57 |
| 13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
show more ...
|
|
Revision tags: release/12.3.0 |
|
| #
19261079 |
| 08-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new ho
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
show more ...
|
|
Revision tags: release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0, release/11.3.0, release/12.0.0 |
|
| #
3af64f03 |
| 11-Sep-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r338392 through r338594.
|
| #
190cef3d |
| 10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1.
Approved by: re (kib@)
|
|
Revision tags: release/11.2.0 |
|
| #
47dd1d1b |
| 11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
| #
4f52dfbb |
| 09-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11. F
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11. For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
show more ...
|
|
Revision tags: release/10.4.0, release/11.1.0, release/11.0.1, release/11.0.0, release/10.3.0 |
|
| #
d9b9dae1 |
| 22-Jan-2016 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r294169 through r294598.
|
| #
009e81b1 |
| 22-Jan-2016 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFH @r294567
|
| #
59d43d11 |
| 20-Jan-2016 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: The FreeBSD Foundation
|
| #
a0ee8cc6 |
| 19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.
MFC after: 1 week
|
|
Revision tags: release/10.2.0, release/10.1.0, release/9.3.0, release/10.0.0, release/9.2.0, release/8.4.0, release/9.1.0, release/8.3.0_cvs, release/8.3.0, release/9.0.0, release/7.4.0_cvs, release/8.2.0_cvs, release/7.4.0, release/8.2.0 |
|
| #
1170f3d1 |
| 11-Nov-2010 |
Dimitry Andric <dim@FreeBSD.org> |
Sync: merge r214895 through r215140 from ^/head.
|
| #
e2f6069c |
| 11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
|
Revision tags: release/8.1.0_cvs, release/8.1.0 |
|
| #
124981e1 |
| 21-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
MFH OpenSSH 5.4p1
|
|
Revision tags: release/7.3.0_cvs, release/7.3.0 |
|
| #
1a0fda2b |
| 04-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
IFH@204581
|
|
Revision tags: release/8.0.0_cvs, release/8.0.0 |
|
| #
1ee774f6 |
| 02-Oct-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
- MFC
|
| #
7aee6ffe |
| 01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
|
Revision tags: release/7.2.0_cvs, release/7.2.0, release/7.1.0_cvs, release/7.1.0, release/6.4.0_cvs, release/6.4.0 |
|
| #
d4af9e69 |
| 01-Aug-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1.
I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went a
Upgrade to OpenSSH 5.1p1.
I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.
MFC after: 6 weeks
show more ...
|
|
Revision tags: release/7.0.0_cvs, release/7.0.0, release/6.3.0_cvs, release/6.3.0, release/6.2.0_cvs, release/6.2.0 |
|
| #
761efaa7 |
| 30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1.
|
| #
a435c625 |
| 30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
This commit was generated by cvs2svn to compensate for changes in r162852,
which included commits to RCS files with non-trunk default branches.
|
|
Revision tags: release/5.5.0_cvs, release/5.5.0, release/6.1.0_cvs, release/6.1.0, release/6.0.0_cvs, release/6.0.0 |
|
| #
5e8dbd04 |
| 05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1.
|
| #
1f6afdc0 |
| 05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
This commit was generated by cvs2svn to compensate for changes in r146998,
which included commits to RCS files with non-trunk default branches.
|
|
Revision tags: release/5.4.0_cvs, release/5.4.0, release/4.11.0_cvs, release/4.11.0, release/5.3.0_cvs, release/5.3.0 |
|
| #
d74d50a8 |
| 28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1.
|
| #
3b4228da |
| 28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
This commit was generated by cvs2svn to compensate for changes in r137015,
which included commits to RCS files with non-trunk default branches.
|
|
Revision tags: release/4.10.0_cvs, release/4.10.0, release/5.2.1_cvs, release/5.2.1, release/5.2.0_cvs, release/5.2.0 |
|
| #
d95e11bf |
| 07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2.
|