openssh: Update version from 7.5 to 7.9
From the [announcement][1]:

> Potentially-incompatible changes
> ================================
>
> This release includes a number of changes that may affect existing
> configurations:
>
>  * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
>    option (see below) bans the use of DSA keys as certificate
>    authorities.
>
>  * sshd(8): the authentication success/failure log message has
>    changed format slightly. It now includes the certificate
>    fingerprint (previously it included only key ID and CA key
>    fingerprint).
>
> Changes since OpenSSH 7.8
> =========================
>
> This is primarily a bugfix release.
>
> New Features
> ------------
>
>  * ssh(1), sshd(8): allow most port numbers to be specified using
>    service names from getservbyname(3) (typically /etc/services).
>
>  * ssh(1): allow the IdentityAgent configuration directive to accept
>    environment variable names. This supports the use of multiple
>    agent sockets without needing to use fixed paths.
>
>  * sshd(8): support signalling sessions via the SSH protocol.
>    A limited subset of signals is supported and only for login or
>    command sessions (i.e. not subsystems) that were not subject to
>    a forced command via authorized_keys or sshd_config. bz#1424
>
>  * ssh(1): support "ssh -Q sig" to list supported signature options.
>    Also "ssh -Q help" to show the full set of supported queries.
>
>  * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
>    client and server configs to allow control over which signature
>    formats are allowed for CAs to sign certificates. For example,
>    this allows banning CAs that sign certificates using the RSA-SHA1
>    signature algorithm.
>
>  * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
>    revoke keys specified by SHA256 hash.
>
>  * ssh-keygen(1): allow creation of key revocation lists directly
>    from base64-encoded SHA256 fingerprints. This supports revoking
>    keys using only the information contained in sshd(8)
>    authentication log messages.
>
> Bugfixes
> --------
>
>  * ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
>    attempting to load PEM private keys while using an incorrect
>    passphrase. bz#2901
>
>  * sshd(8): when a channel closed message is received from a client,
>    close the stderr file descriptor at the same time stdout is
>    closed. This avoids stuck processes if they were waiting for
>    stderr to close and were insensitive to stdin/out closing. bz#2863
>
>  * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
>    forwarding timeout and support X11 forwarding indefinitely.
>    Previously the behaviour of ForwardX11Timeout=0 was undefined.
>
>  * sshd(8): when compiled with GSSAPI support, cache supported method
>    OIDs regardless of whether GSSAPI authentication is enabled in the
>    main section of sshd_config. This avoids sandbox violations if
>    GSSAPI authentication was later enabled in a Match block. bz#2107
>
>  * sshd(8): do not fail closed when configured with a text key
>    revocation list that contains a too-short key. bz#2897
>
>  * ssh(1): treat connections with ProxyJump specified the same as
>    ones with a ProxyCommand set with regards to hostname
>    canonicalisation (i.e. don't try to canonicalise the hostname
>    unless CanonicalizeHostname is set to 'always'). bz#2896
>
>  * ssh(1): fix regression in OpenSSH 7.8 that could prevent public-
>    key authentication using certificates hosted in a ssh-agent(1)
>    or against sshd(8) from OpenSSH <7.8.
>
> Portability
> -----------
>
>  * All: support building against the openssl-1.1 API (releases 1.1.0g
>    and later). The openssl-1.0 API will remain supported at least
>    until OpenSSL terminates security patch support for that API version.
>
>  * sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
>    apparently required by some glibc/OpenSSL combinations.
>
>  * sshd(8): handle getgrouplist(3) returning more than
>    _SC_NGROUPS_MAX groups. Some platforms consider this limit more
>    as a guideline.

[1]: https://lists.mindrot.org/pipermail/openssh-unix-announce/2018-October/000135.html
pmenzel committed Apr 1, 2019
1 parent 5146f96 commit 02f0cf4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion openssh.be0
@@ -1,6 +1,6 @@
#!/bin/env beesh

# BEE_VERSION openssh-7.5_p1-0
# BEE_VERSION openssh-7.9_p1-0

SRCURL[0]="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PKGVERSION}${PKGEXTRAVERSION}.tar.gz"
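
Review bot: the BEE_VERSION line moves from openssh-7.5_p1-0 straight to openssh-7.9_p1-0, but the commit message quotes only the 7.9 announcement, whose changelog is "Changes since OpenSSH 7.8", so the releases in between are not covered. Please link or summarize the potentially-incompatible changes for the skipped versions as well, and confirm that no deployed configuration uses a DSA key as a certificate authority and that any log parsing tolerates the new authentication message format, since both are flagged as potentially incompatible in the quoted notes. Separately, SRCURL selects the tarball by version only and no checksum or signature check is visible in this hunk; if the build file does not verify the download elsewhere, consider adding a pinned digest for the new release.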
