diff options
Diffstat (limited to '')
-rw-r--r-- | ChangeLog | 2836 |
1 files changed, 1601 insertions, 1235 deletions
@@ -1,3 +1,1604 @@ +commit fa41f6592ff1b6ead4a652ac75af31eabb05b912 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jul 1 14:33:26 2024 +1000 + + version numbers + +commit bfebb8a5130a792c5356bd06e1ddef72a0a0449f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jul 1 04:31:59 2024 +0000 + + upstream: openssh-9.8 + + OpenBSD-Commit-ID: 5f8b89e38a4c5f7c6d52ffa19f796d49f36fab19 + +commit 146c420d29d055cc75c8606327a1cf8439fe3a08 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jul 1 04:31:17 2024 +0000 + + upstream: when sending ObscureKeystrokeTiming chaff packets, we + + can't rely on channel_did_enqueue to tell that there is data to send. This + flag indicates that the channels code enqueued a packet on _this_ ppoll() + iteration, not that data was enqueued in _any_ ppoll() iteration in the + timeslice. ok markus@ + + OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136 + +commit 637e4dfea4ed81264e264b6200172ce319c64ead +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jul 1 03:10:19 2024 +0000 + + upstream: use "lcd" to change directory before "lls" rather then "cd", + + since the directory we're trying to list is local. Spotted by Corinna + Vinschen + + OpenBSD-Regress-ID: 821feca4a4bebe491944e624c8f7f2990b891415 + +commit c8cfe258cee0b8466ea84597bf15e1fcff3bc328 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 27 23:01:15 2024 +0000 + + upstream: delete obsolete comment + + OpenBSD-Commit-ID: 5fb04f298ed155053f3fbfdf0c6fe7cdf84bbfa2 + +commit 94b9d37100f6fa536aaa1d1a0e4926fe44fbf04d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 27 22:36:44 2024 +0000 + + upstream: retire unused API + + OpenBSD-Commit-ID: 3e30d7b0615e2707f6bbe70f61b1c2f72f78161b + +commit 268c3a7f5783e731ed60f4e28da66ee3743581d3 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Thu Jun 27 21:02:16 2024 +0000 + + upstream: ssl(8) no longer contains a HISTORY section; + + OpenBSD-Commit-ID: 83b7ff34433d79595e9c2a5d2a561a6660251245 + +commit 12b6cc09ce6c430681f03af2a8069e37a664690b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jun 26 23:47:46 2024 +0000 + + upstream: move child process waitpid() loop out of SIGCHLD handler; + + ok deraadt + + OpenBSD-Commit-ID: 65815a39564e431414aed7c5ace8076f4e9ca741 + +commit d6bcd13297c2ab8b528df5a6898f994734849031 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Wed Jun 26 23:16:52 2024 +0000 + + upstream: Instead of using possibly complex ssh_signal(), write all + + the parts of the grace_alarm_handler() using the exact things allowed by the + signal-safe rules. This is a good rule of thumb: Handlers should be written + to either set a global volatile sig_atomic_t inspected from outside, and/or + directly perform only safe operations listed in our sigaction(2) manual page. + ok djm markus + + OpenBSD-Commit-ID: 14168ae8368aab76e4ed79e17a667cb46f404ecd + +commit b8793e2b0851f7d71b97554fa5260b23796d6277 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Wed Jun 26 23:14:14 2024 +0000 + + upstream: save_errno wrappers inside two small signal handlers that + + perform system calls, for systems with libc that do perform libc sigtramps. + ok djm markus + + OpenBSD-Commit-ID: 7749b56419a7c9dcfe4c6c04811e429813346c62 + +commit f23e9332c4c8df37465c4a4f38275ea98980ed7e +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Mon Jun 24 06:59:39 2024 +0000 + + upstream: - uppercase start of sentence - correct sentence grammar + + ok djm + + OpenBSD-Commit-ID: 1ec4b0fdb633a43667f2c8fff1d600bd647dde25 + +commit 1839e3eb71a759aa795602c1e4196300f4ac2615 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 24 04:05:11 2024 +0000 + + upstream: mention SshdSessionPath option + + OpenBSD-Commit-ID: c29734d36c21003973b15c1c9965c35f36cef30c + +commit 603193e32aef5db7d60c58066d5de89806e79312 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Jun 20 18:45:14 2024 +1000 + + Rerun upstream tests on .sh file changes too. + +commit dbbf9337c19381786a8e5a8a49152fe6b80c780d +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Jun 20 08:23:18 2024 +0000 + + upstream: Work around dbclient cipher/mac query bug. + + Unlike earlier versions, recent Dropbear (at least v2024.85) requires + a host arg when querying supported ciphers and macs via "-c/-m + help". Earlier versions accept but do not require it, so always + provide it. If these queries fail, skip the test with a warning. + + OpenBSD-Regress-ID: 98eb863a3f0363416922efb273885e6b3c7f68d4 + +commit 8de2c8cebc46bbdb94b7a2c120fcadfb66a3cccc +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Jun 20 08:18:34 2024 +0000 + + upstream: Remove dropbear key types not supported + + by current OpenSSH. Allows subsequent test runs to work if OpenSSH is + rebuilt w/out OpenSSL. + + OpenBSD-Regress-ID: e0129eb2b1d31771105903a8055216fbba20a770 + +commit e9b6471c59b21e5d9ef1b3832d4bf727338add85 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 20 00:18:05 2024 +0000 + + upstream: stricter check for overfull tables in penalty record path + + OpenBSD-Commit-ID: 7df01e648a0723418c554e64a9f2b6d38db060a6 + +commit d9336d344eb2a1e898c5e66147b3f108c7214694 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jun 19 23:24:47 2024 +0000 + + upstream: put back reaping of preauth child process when writes + + from the monitor fail. Not sure how this got lost in the avalanche of + patches. + + OpenBSD-Commit-ID: eb7eb36371e1ac01050b32b70fb2b3e5d98e72f5 + +commit 579d9adb70ec0206a788eb5c63804c31a67e9310 +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Mon Jun 17 13:50:18 2024 +0000 + + upstream: remove one more mention of DSA + + OpenBSD-Commit-ID: 8515f55a15f02836ba657df341415f63c60526ca + +commit 7089b5f8436ef0b8d3d3ad9ce01045fb9e7aab15 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Jun 19 23:09:05 2024 +1000 + + Move -f to the place needed to restart sshd. + +commit d5f83cfd852b14a25f347f082ab539a9454702ad +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Jun 19 21:04:01 2024 +1000 + + Need to supply "-f" to restart sshd. + +commit fad34b4ca25c0ef31e5aa841d461b6f21da5b8c1 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jun 19 10:15:51 2024 +0000 + + upstream: Provide defaults for ciphers and macs + + if querying for them fails since on some versions of Dropbear (at least + v2024.85) "-m help" doesn't seem to work. Enable all supported pubkey + algorithms in the server. + + OpenBSD-Regress-ID: 4f95556a49ee9f621789f25217c367a33d2745ca + +commit 5521060e35ada9f957cecdddc06d0524e75409ef +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jun 19 10:10:46 2024 +0000 + + upstream: Use ed25519 keys for kex tests + + since that's supported by OpenSSH even when built without OpenSSL. + Only test diffie-hellman kex if OpenSSH is compiled with support for it. + + OpenBSD-Regress-ID: a5d09ef9bbd171f9e4ec73ed0d9eeb49a8878e97 + +commit dbd3b833f6e3815e58f2dc6e14f61a51bcd4d6bd +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jun 19 10:08:34 2024 +0000 + + upstream: Rework dropbear key setup + + to always generate ed25519 keys, other types only if OpenSSH has support + for the corresponding key type. + + OpenBSD-Regress-ID: 8f91f12604cddb9f8d93aa34f3f93a3f6074395d + +commit d6218504e11ae9148adf410fc69b0710a052be36 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Jun 19 20:20:24 2024 +1000 + + Restart sshd after installing it for testing. + + When installing an sshd built without OpenSSL the mismatch between + the running sshd and newly installed sshd-session will cause the + remainder of the test to fail. + +commit 786a4465b6bb702daf4fb17b7c3bcb42b52f0b46 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Jun 18 19:59:59 2024 +1000 + + Remove macos-11 runner. + + Github is retiring them soon. + +commit df1c72a55edbebac14363b57de66ac6a147ecc67 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jun 19 09:34:34 2024 +1000 + + PAMServiceName may appear in a Match block + +commit de1c2e70e5a5dc3c8d2fe04b24cc93d8ef6930e7 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Jun 18 08:11:48 2024 +0000 + + upstream: Re-enable ssh-dss tests + + ... if ssh is compiled with DSA support + + OpenBSD-Regress-ID: bbfaf8c17f2b50a2d46ac35cb97af99b990c990d + +commit dabc2c7cf3c141e8e5d5a1a60d6c1d2d2422cf43 +Author: anton@openbsd.org <anton@openbsd.org> +Date: Tue Jun 18 06:14:27 2024 +0000 + + upstream: Stop using DSA in dropbear interop tests. + + OpenBSD-Regress-ID: abfd4457d99d8cc1417fd22ca2c570270f74c1cf + +commit 761438012710169445acc179e3870c53c862bda0 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Jun 18 12:29:45 2024 +1000 + + missed a bit of DSA in the fuzzer + +commit 3f9cc47da588e8de520720e59f98438043fdaf93 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Jun 18 09:35:53 2024 +1000 + + DSA support is disabled, so remove from fuzzers + +commit 00eb95957dea5484b2c7c043f7d2bbc87301bef2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 17 08:30:29 2024 +0000 + + upstream: disable the DSA signature algorithm by default; ok + + markus@ + + (yes, I know this expands to "the Digitial Signature Algorithm + signature algorithm) + + OpenBSD-Commit-ID: 961ef594e46dd2dcade8dd5721fa565cee79ffed + +commit 5603befe11c9464ea26fe77cbacc95a7cc0b1ea7 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 17 08:28:31 2024 +0000 + + upstream: promote connection-closed messages from verbose to info + + log level; they could be the only record of the connection terminating if the + client doesn't send a SSH2_MSG_DISCONNECT message. ok dtucker@ + + OpenBSD-Commit-ID: 0c8bfaf5e9fdff945cee09ac21e641f6c5d65d3c + +commit b00331402fe5c60d577f3ffcc35e49286cdc6b47 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jun 17 17:02:18 2024 +1000 + + propagate PAM crashes to PerSourcePenalties + + If the PAM subprocess crashes, exit with a crash status that will be + picked up by the sshd(8) listener process where it can be used by + PerSourcePenalties to block the client. This is similar handling to + the privsep preauth process. + +commit 1c207f456ace38987deda047758d13fbf857f948 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jun 17 15:06:01 2024 +1000 + + minix doesn't have loopback, so skip penalty tests + + pointed out by dtucker@ + +commit 48443d202eaec52d4d39defdd709a4499a7140c6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jun 16 11:54:49 2024 +0000 + + upstream: same treatment for this test + + OpenBSD-Regress-ID: d0cc9efca7833e673ea7b0cb3a679a3acee8d4c7 + +commit 45562a95ea11d328c22d97bf39401cd29684fb1f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jun 16 08:18:06 2024 +0000 + + upstream: penalty test is still a bit racy + + OpenBSD-Regress-ID: 90c9ac224db454637baf1ebee5857e007321e824 + +commit 8d0f7eb147ef72d18acb16c0b18672d44941a8ca +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jun 15 03:59:10 2024 +0000 + + upstream: crank up penalty timeouts so this should work on even the + + slowest of test builders + + OpenBSD-Regress-ID: 70bda39c83e3fc9d0f3c1fad4542ed33e173d468 + +commit 93c75471a1202ab3e29db6938648d4e2602c0475 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Jun 14 05:20:34 2024 +0000 + + upstream: sort -q in the options list; + + OpenBSD-Commit-ID: 6839b38378f38f754de638a5e988c13b4164cc7c + +commit dd7807bbe80a93ffb4616f2bd5cf83ad5a5595fb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 14 05:01:22 2024 +0000 + + upstream: clarify KEXAlgorithms supported vs available. Inspired by + + bz3701 from Colin Watson. + + OpenBSD-Commit-ID: e698e69bea19bd52971d253f2b1094490c4701f7 + +commit d172ad56df85b68316dbadbedad16761a1265874 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 14 05:00:42 2024 +0000 + + upstream: ssh-keyscan -q man bits + + OpenBSD-Commit-ID: ba28d0e1ac609a4c99c453e57e86560c79079db1 + +commit 092e4ff9ccaacbe035f286feb1b56ed499604743 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jun 14 14:46:35 2024 +1000 + + skip penalty-expire test in valgrind test env + +commit 2866ad08a9c50d7b67ce9424ca990532b806a21a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 14 04:43:11 2024 +0000 + + upstream: split the PerSourcePenalties test in two: one tests penalty + + enforcement but not penalty expiry, the other tests penalty expiry. + + This lets us disable the expiry testing in certain CI test environments. + + OpenBSD-Regress-ID: f56811064f3e3cb52ee73a206b8c2a06af1c8791 + +commit b2c64bc170d75823622a37cab3ca1804ca87ad16 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jun 14 14:19:23 2024 +1000 + + add a sshd_config PamServiceName option + + Allows selecting which PAM service name to use when UsePAM is + enabled. Defaults to "sshd" unless overridden at compile time + by defining SSHD_PAM_SERVICE. + + bz2102, ok dtucker@ + +commit 9f032a4dd17bf0ae6066223d82aa5e784285d987 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 14 00:26:12 2024 +0000 + + upstream: don't redirect stderr for ssh-keyscan we expect to succeed + + OpenBSD-Regress-ID: 8878b8eb4e070ed2e343166d3eb86db4a08a216c + +commit 1e84d0cf40e94ae3a77d6a7ca8c036d8e3d55a40 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 14 00:25:25 2024 +0000 + + upstream: make host/banner comments go to stderr instead of stdout, + + so they are useful as comments without extra shell redirection and so they + don't clutter actual errors on stderr. + + Add a -q flag to shut them up. + + ok dtucker@ + + OpenBSD-Commit-ID: bec813de56a71adb5c1a76adcf49621130d24264 + +commit 3e806d011855d6bd648ec95b9df630ebbd11c3bf +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Thu Jun 13 15:06:33 2024 +0000 + + upstream: separate keywords with comma + + OpenBSD-Commit-ID: d65a99666202a8188c4991c18d14374a229f7be5 + +commit abfd1f7a3cbd0a92581a0febba254b2f6649c0d9 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 14 00:23:55 2024 +0000 + + upstream: specify an algorithm for ssh-keyscan, otherwise it will make + + multiple attempts simultaneously and confuse the test + + OpenBSD-Regress-ID: 6e910f3315c4345053db1bf5cbf61826b194d0b9 + +commit a8fbe2f7d0d96d299ee8e69769e3b51067978748 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Jun 13 16:41:29 2024 +1000 + + sshd: don't use argv[0] as PAM service name + + sshd would implicitly use argv[0] as the PAM service name to + allow people to select different PAM service names by making + differently-named copies/links to the sshd binary. + + Splitting sshd into sshd/sshd-session broke this, as the process + that starts PAM is always sshd-session and the user has no control + over this. + + Hardcode "sshd" as the default PAM service name unless/until we + figure out a better way. Should unbreak OSX integration tests. + +commit bf204bd05c3ae650f87e2b96527688579f59774c +Author: Damien Miller <djm@mindrot.org> +Date: Thu Jun 13 15:00:28 2024 +1000 + + prepare for checking in autogenerated files + + We plan to check in automatically generated files (config.h.in, etc) on + release branches. These files are normally ignored by .gitignore, but + this shuffles the contents of this file to make it easy to un-ignore + them. + +commit 425f79a837489904c343b349ef00e09aeaa4e752 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Jun 13 14:41:33 2024 +1000 + + typo in comment + +commit afe10313c1fa8d478af399ee7d54c8f85503013b +Author: Damien Miller <djm@mindrot.org> +Date: Thu Jun 13 14:35:25 2024 +1000 + + fix PTY allocation on Cygwin, broken by sshd split + + Cygwin doesn't support FD passing and so used to disable post-auth + privilege separation entirely because privsep requires PTY allocation + to happen in the privileged monitor process with the PTY file + descriptors being passed back to the unprivileged process. + + This brings back a minimal version of the previous special treatment + for Cygwin (and any other platform that sets DISABLE_FD_PASSING): + privilege separation remains enabled, but PTY allocation happens in + the post-auth user process rather than the monitor. + + This either requires PTY allocation to not need privilege to begin + with (this appears to be the case on Cygwin), or the post-auth + privsep process retain privilege (other platforms that set the + DISABLE_FD_PASSING option). + + Keeping privileges here is bad, but the non-Cygwin systems that set + DISABLE_FD_PASSING are so deeply legacy that this is likely to be the + least of their problems. + +commit f66d4df5749551380a8c4ae642347675a0b6a2e9 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Jun 13 11:33:09 2024 +1000 + + delay lookup of privsep user until config loaded + + sshd-session attempting to use options.kerberos_authentication to + decide whether it needed to lookup the privsep user before the + configuration was loaded. This caused it to get a placeholder value + that caused it always to try to lookup the privsep user, breaking at + least one test environment. + +commit f1c42858b94f5d9b58867b34dce3afb39c6b56a8 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Jun 13 11:16:57 2024 +1000 + + missing file for PerSourcePenalties regress test + +commit 4de80ff4e6fab5a6bb0028e7d57c6c23d1485adb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jun 12 22:36:00 2024 +0000 + + upstream: split PerSourcePenalties address tracking. Previously it + + used one shared table and overflow policy for IPv4 and IPv6 addresses, now it + will use separate tables and optionally different overflow policies. + + This prevents misbehaviour from IPv6 addresses (which are vastly easier + to obtain many of) from affecting IPv4 connections and may allow for + stricter overflow policies. + + ok deraadt@ + + OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9 + +commit 06ab4c6931b0aaa4334db2faaa7e1069e76d0df6 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Tue Jun 11 05:24:39 2024 +0000 + + upstream: do not mark up "(default: 20ms)"; + + OpenBSD-Commit-ID: 54151ecdecfa1b67dcdda4fd24826ef6e2148ad4 + +commit cfe243cd9fde148ed060637876e27bb55ac78be9 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 02:54:51 2024 +0000 + + upstream: reap preauth net child if it hangs up during privsep message + + send, not just message receive + + OpenBSD-Commit-ID: 02a093f4ab4f8f83f0cd1ea2bb35b9ca420448f0 + +commit b0a711c00b9c64afd1c9d6fb538275c6604a2676 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 01:58:27 2024 +0000 + + upstream: fix PIDFILE handling, broken for SUDO=doas in last commit + + here + + OpenBSD-Regress-ID: 96fec579af228f87a036e94801eb294af9074625 + +commit 90fb801e2d9241be50a2a7ff79428386442a041f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 02:00:30 2024 +0000 + + upstream: reap the pre-auth [net] child if it hangs up during privsep + + message sending, not just receiving + + OpenBSD-Commit-ID: f7341605bf08c4c15830910446e6775323f2f8cb + +commit ef878d58798f6688c7f4d4e417dc0c29023ea831 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 01:23:25 2024 +0000 + + upstream: a little more RB_TREE paranoia + + OpenBSD-Commit-ID: 8dc2fd21eebd8830c4a4d25461ac4fe228e11156 + +commit fc4e96b2174d6a894d2033421699d091679baced +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 01:22:25 2024 +0000 + + upstream: fix off-by-one comparison for PerSourcePenalty + + OpenBSD-Commit-ID: af4f5d01c41ef870b23e55655bfbf73474a6c02b + +commit 82c836df4ff41145553cd7adb11c5b985aeaa06f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 01:21:41 2024 +0000 + + upstream: move tree init before possible early return + + OpenBSD-Commit-ID: 72e2c5b69f151c08a7c5bf5ad929b97a92c273df + +commit a2300f015cc4939c4d9c564b58b74e71202dc978 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 01:07:35 2024 +0000 + + upstream: update to mention that PerSourcePenalties default to + + being enabled and document the default values for each parameter. + + OpenBSD-Commit-ID: b981288bddfb097aad269f62df4081c688ce0034 + +commit 41987efd356d3fc30139aeab4b09374acf8f91a0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 00:44:52 2024 +0000 + + upstream: reap the [net] child if it hangs up while writing privsep + + message payloads, not just the message header + + OpenBSD-Commit-ID: 24dbd400aa381ac96be7ed2dd49018487dfef6ce + +commit 6211aa085fa91155a24922e5329576ac9a8f3175 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 00:40:21 2024 +0000 + + upstream: log waitpid() status for abnormal exits + + OpenBSD-Commit-ID: b317930e06b51819c1a2bc6a4359764fecfb1c2d + +commit a59634c7adb9ae988748d99963dfafb3070d8d41 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jun 11 00:36:20 2024 +0000 + + upstream: correct error message + + OpenBSD-Commit-ID: 581f60f73099083392887206860229ab104620ed + +commit fa7d7a667f2ee031e72873e36de2d2a36bca973b +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Fri Jun 7 13:23:30 2024 +0000 + + upstream: avoid shadowing issues which some compilers won't accept + + ok djm + + OpenBSD-Commit-ID: 1e89572397dda83433d58c4fa6333a08f51170d4 + +commit 3ad4cd9eeca5c9bc6706db44b6de88e2e4513fd6 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Thu Jun 6 21:14:49 2024 +0000 + + upstream: escape the final dot at eol in "e.g." to avoid double + + spacing; + + OpenBSD-Commit-ID: 0a9fb10bc9f7d577afe2da3f498a08bc431115b9 + +commit 0e0c69761a4c33ccd4a256560f522784a753d1a8 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 20:25:48 2024 +0000 + + upstream: enable PerSourcePenalties by default. + + ok markus + + NB. if you run a sshd that accepts connections from behind large NAT + blocks, proxies or anything else that aggregates many possible users + behind few IP addresses, then this change may cause legitimate traffic + to be denied. + + Please read the PerSourcePenalties, PerSourcePenaltyExemptList and + PerSourceNetBlockSize options in sshd_config(5) for how to tune your + sshd(8) for your specific circumstances. + + OpenBSD-Commit-ID: 24a0e5c23d37e5a63e16d2c6da3920a51078f6ce + +commit bd1f74741daabeaf20939a85cd8cec08c76d0bec +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 20:20:42 2024 +0000 + + upstream: mention that PerSourcePenalties don't affect concurrent + + in-progress connections. + + OpenBSD-Commit-ID: 20389da6264f2c97ac3463edfaa1182c212d420c + +commit 9774b938578327d88a651f4c63c504809717590a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 19:49:25 2024 +0000 + + upstream: regress test for PerSourcePenalties + + OpenBSD-Regress-ID: a1af13d411b25a727742644459d26480b9a1b0f1 + +commit b8ebd86cefe9812204a10c028dc90de29918667d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 19:48:40 2024 +0000 + + upstream: make sure logs are saved from sshd run via start_sshd + + OpenBSD-Regress-ID: de4ef0e32e3ab85ff3a6c36eb08d1909c0dd1b4a + +commit d7b2070bdaa4ebbfafb9975c1d5a62b73289d31f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 19:47:48 2024 +0000 + + upstream: simplify + + OpenBSD-Regress-ID: 50316e0d1ae0c0a057a45af042253e54ce23d11c + +commit e6ea3d224513b6bfb93818809d4c7397f5995ba2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 18:48:13 2024 +0000 + + upstream: prepare for PerSourcePenalties being enabled by default + + in future + + OpenBSD-Regress-ID: 5236c6d1c823997aac5a35e2915da30f1903bec7 + +commit c0cb3b8c837761816a60a3cdb54062668df09652 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 19:50:01 2024 +0000 + + upstream: disable stderr redirection before closing fds + + OpenBSD-Commit-ID: d42cb895ee4542098050367fc35321c9303f003a + +commit 81c1099d22b81ebfd20a334ce986c4f753b0db29 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 6 17:15:25 2024 +0000 + + upstream: Add a facility to sshd(8) to penalise particular + + problematic client behaviours, controlled by two new sshd_config(5) options: + PerSourcePenalties and PerSourcePenaltyExemptList. + + When PerSourcePenalties are enabled, sshd(8) will monitor the exit + status of its child pre-auth session processes. Through the exit + status, it can observe situations where the session did not + authenticate as expected. These conditions include when the client + repeatedly attempted authentication unsucessfully (possibly indicating + an attack against one or more accounts, e.g. password guessing), or + when client behaviour caused sshd to crash (possibly indicating + attempts to exploit sshd). + + When such a condition is observed, sshd will record a penalty of some + duration (e.g. 30 seconds) against the client's address. If this time + is above a minimum threshold specified by the PerSourcePenalties, then + connections from the client address will be refused (along with any + others in the same PerSourceNetBlockSize CIDR range). + + Repeated offenses by the same client address will accrue greater + penalties, up to a configurable maximum. A PerSourcePenaltyExemptList + option allows certain address ranges to be exempt from all penalties. + + We hope these options will make it significantly more difficult for + attackers to find accounts with weak/guessable passwords or exploit + bugs in sshd(8) itself. + + PerSourcePenalties is off by default, but we expect to enable it + automatically in the near future. + + much feedback markus@ and others, ok markus@ + + OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca + +commit 916b0b6174e203cf2c5ec9bcf409472eb7ffbf43 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jun 7 03:31:02 2024 +1000 + + whitespace + +commit 49b55e44182b8294419aa580cbf043d5b9e3d953 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Jun 4 15:14:45 2024 +0000 + + upstream: enable -fret-clean on amd64, for libc libcrypto ld.so + + kernel, and all the ssh tools. The dynamic objects are entirely ret-clean, + static binaries will contain a blend of cleaning and non-cleaning callers. + + OpenBSD-Commit-ID: 112aacedd3b61cc5c34b1fa6d9fb759214179172 + +commit cc80d51d034bcb24fd0f2564a4bdf1612000a2a2 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jun 5 02:21:30 2024 +1000 + + remove PRIVSEP macros for osx + +commit 8785491123d4d722b310c20f383570be758f8263 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jun 1 07:03:37 2024 +0000 + + upstream: be really strict with fds reserved for communication with the + + separate sshd-session process - reserve them early and fatal if we can't + dup2(2) them later. The pre-split fallback to re-reading the configuration + files is not possible, so sshd-session absolutely requires the fd the + configuration is passed over to be in order. + + ok deraadt@ + + OpenBSD-Commit-ID: 308a98ef3c8a6665ebf92c7c9a0fc9600ccd7065 + +commit f1c8918cb98459910fb159373baea053ba4108c0 +Author: Damien Miller <djm@mindrot.org> +Date: Fri May 31 19:12:26 2024 +1000 + + depend + +commit 94b4866cb1f4b0ed29a9f367047b30f81002316f +Author: Damien Miller <djm@mindrot.org> +Date: Fri May 31 19:11:14 2024 +1000 + + rename need_privsep to need_chroot + + privsep is mandatory, chroot is optional (disabled when running + sshd as non-root) + +commit e68a95142e5024b144f8eeccd5ffdee42c34f44c +Author: Damien Miller <djm@mindrot.org> +Date: Fri May 31 19:05:34 2024 +1000 + + remove remaining use_privsep mention + +commit b21d271f651d2536dca819cc6d74032fe98634db +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 31 09:01:08 2024 +0000 + + upstream: warn when -r (deprecated option to disable re-exec) is + + passed + + OpenBSD-Commit-ID: 73145ef5150edbe3ce7889f0844ed8fa6155f551 + +commit a4b5bc246cbca476deeeb4462aa31746a56e3021 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 31 08:49:35 2024 +0000 + + upstream: typos + + OpenBSD-Commit-ID: edfa72eb06bfa65da30fabf7d2fe76d2d33f77bf + +commit 8054b906983ceaed01fabd8188d3dac24c05ba39 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon May 27 01:52:26 2024 +0000 + + upstream: don't need sys/queue.h here + + OpenBSD-Commit-ID: dd137396828171eb19e4911581812ca58de6c578 + +commit 210d4239733da6180ce853538aeb9413d5c62ad5 +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Sun May 26 20:35:12 2024 +0000 + + upstream: remove references to SSH1 and DSA server keys + + OpenBSD-Commit-ID: 57cc1c98d4f998981473734f144b904af7d178a2 + +commit f0b9261d7fdd0ef86806b49fe76344bd16770cd0 +Author: jsg@openbsd.org <jsg@openbsd.org> +Date: Thu May 23 23:47:16 2024 +0000 + + upstream: remove unused struct fwd_perm_list, no decl with complete + + type ok djm@ + + OpenBSD-Commit-ID: 416fb3970b7e73c76d2963c4f00cf96f2b2ee2fb + +commit 2477a98c3ef78e63b11a1393656e00288f52ae97 +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Wed May 22 15:24:55 2024 +0000 + + upstream: Do not pass -Werror twice when building with clang. + + OpenBSD-Commit-ID: 5f378c38ad8976d507786dc4db9283a879ec8cd0 + +commit 435844f5675245b4271f8581f15e6d1f34fde3bc +Author: miod@openbsd.org <miod@openbsd.org> +Date: Wed May 22 11:49:36 2024 +0000 + + upstream: Do not pass -Werror if building with gcc 3, for asn1.h + + and bio.h cause (admittedly bogus) warnings with gcc 3. + + OpenBSD-Commit-ID: fb39324748824cb0387e9d67c41d1bef945c54ea + +commit fc5dc092830de23767c6ef67baa18310a64ee533 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 22 04:20:00 2024 +0000 + + upstream: this test has been broken since 2014, and has been + + testing the same key exchange algorithm repeatedly instead of testing all of + them. Spotted by nreilly AT blackberry.com in bz3692 + + Who broke the test? me. + + OpenBSD-Regress-ID: 48f4f5946276f975667141957d25441b3c9a50e2 + +commit fd4816791beaed2fdae7eea3e1494d1972b2a39d +Author: anton@openbsd.org <anton@openbsd.org> +Date: Sun May 19 19:10:01 2024 +0000 + + upstream: Add missing kex-names.c source file required since the + + ssh split. + + OpenBSD-Regress-ID: ca666223f828fc4b069cb9016bff1eb50faf9fbb + +commit beccb7319c5449f6454889013403c336446d622e +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Fri May 17 14:42:00 2024 +0000 + + upstream: remove duplicate copy of relink kit for sshd-session + + OpenBSD-Commit-ID: 6d2ded4cd91d4d727c2b26e099b91ea935bed504 + +commit dcd79fa141311c287e0595ede684b7116122fae0 +Author: jsg@openbsd.org <jsg@openbsd.org> +Date: Fri May 17 06:42:04 2024 +0000 + + upstream: remove prototypes with no matching function; ok djm@ + + OpenBSD-Commit-ID: 6d9065dadea5f14a01bece0dbfe2fba1be31c693 + +commit 6454a05e7c6574d70adf17efe505a8581a86ca4f +Author: jsg@openbsd.org <jsg@openbsd.org> +Date: Fri May 17 06:38:00 2024 +0000 + + upstream: remove externs for removed vars; ok djm@ + + OpenBSD-Commit-ID: f51ea791d45c15d4927eb4ae7d877ccc1e5a2aab + +commit f3e4db4601ef7d2feb1d6f7447e432aaf353a616 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Fri May 17 06:11:17 2024 +0000 + + upstream: -Werror was turned on (probably just for development), + + and this is a simple way to satisfy older gcc. + + OpenBSD-Commit-ID: 7f698df54384b437ce33ab7405f0b86c87019e86 + +commit 24a1f3e5ad6f4a49377d4c74c36637e9a239efd0 +Author: Damien Miller <djm@mindrot.org> +Date: Fri May 17 14:50:43 2024 +1000 + + attempt at updating RPM specs for sshd-session + +commit 17b566eeb7a0c6acc9c48b35c08885901186f861 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 17 04:42:13 2024 +0000 + + upstream: g/c unused variable + + OpenBSD-Commit-ID: aa6ef0778a1f1bde0d73efba72a777c48d2bd010 + +commit 01fb82eb2aa0a4eaf5c394ea8bb37ea4c26f8a3f +Author: jsg@openbsd.org <jsg@openbsd.org> +Date: Fri May 17 02:39:11 2024 +0000 + + upstream: spelling; ok djm@ + + OpenBSD-Commit-ID: bdea29bb3ed2a5a7782999c4c663b219d2270483 + +commit b88b690e99145a021fc1a1a116a11e0bce0594e7 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 17 01:45:22 2024 +0000 + + upstream: allow overriding the sshd-session binary path + + OpenBSD-Regress-ID: 5058cd1c4b6ca1a15474e33546142931d9f964da + +commit a68f80f2511f0e0c5cef737a8284cc2dfabad818 +Author: anton@openbsd.org <anton@openbsd.org> +Date: Wed Apr 3 06:01:11 2024 +0000 + + upstream: Since ssh-agent(1) is only readable by root by now, use + + ssh(1) while generating data in tests. + + OpenBSD-Regress-ID: 24eb40de2e6b0ace185caaba35e2d470331ffe68 + +commit 92e55890314ce2b0be21a43ebcbc043b4abc232f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 17 01:17:40 2024 +0000 + + upstream: fix incorrect debug option name introduce in previous + + commit + + OpenBSD-Commit-ID: 66d69e22b1c072c694a7267c847f212284614ed3 + +commit 4ad72878af7b6ec28da6e230e36a91650ebe84c1 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Fri May 17 00:33:25 2024 +0000 + + upstream: construct and install a relink-kit for sshd-session ok + + djm + + OpenBSD-Commit-ID: 8b3820adb4da4e139c4b3cffbcc0bde9f08bf0c6 + +commit 02e679a2cb3f6df8e9dbb1519ed578226485157f +Author: Damien Miller <djm@mindrot.org> +Date: Fri May 17 12:21:27 2024 +1000 + + Makefile support for sshd-session + +commit c0416035c5eaf70a8450d11c8833c5f7068ee7ad +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 17 00:32:32 2024 +0000 + + upstream: missing files from previous + + OpenBSD-Commit-ID: 4b7be4434d8799f02365552b641a7a70a7ebeb2f + +commit 03e3de416ed7c34faeb692967737be4a7bbe2eb5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 17 00:30:23 2024 +0000 + + upstream: Start the process of splitting sshd into separate + + binaries. This step splits sshd into a listener and a session binary. More + splits are planned. + + After this changes, the listener binary will validate the configuration, + load the hostkeys, listen on port 22 and manage MaxStartups only. All + session handling will be performed by a new sshd-session binary that the + listener fork+execs. + + This reduces the listener process to the minimum necessary and sets us + up for future work on the sshd-session binary. + + feedback/ok markus@ deraadt@ + + NB. if you're updating via source, please restart sshd after installing, + otherwise you run the risk of locking yourself out. + + OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934 + +commit 1c0d81357921f8d3bab06841df649edac515ae5b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu May 9 09:46:47 2024 +0000 + + upstream: simplify exit message handling, which was more complicated + + than it needed to be because of unexpunged ssh1 remnants. ok markus@ + + OpenBSD-Commit-ID: 8b0cd2c0dee75fb053718f442aa89510b684610b + +commit cbbbf76aa6cd54fce32eacce1300e7abcf9461d4 +Author: tobias@openbsd.org <tobias@openbsd.org> +Date: Mon May 6 19:26:17 2024 +0000 + + upstream: remove SSH1 leftovers + + Authored with Space Meyer <git at the-space dot agency> + + ok djm + + OpenBSD-Commit-ID: 81db602e4cb407baae472689db1c222ed7b2afa3 + +commit bc5dcb8ab9a4e8af54a724883732af378f42ea78 +Author: tobias@openbsd.org <tobias@openbsd.org> +Date: Tue Apr 30 15:40:43 2024 +0000 + + upstream: never close stdin + + The sanitise_stdfd call makes sure that standard file descriptors are + open (if they were closed, they are connected with /dev/null). + + Do not close stdin in any case to prevent error messages when stdin is + read multiple times and to prevent later usage of fd 0 for connections, + e.g. + + echo localhost | ssh-keyscan -f - -f - + + While at it, make stdin-related error messages nicer. + + Authored with Max Kunzelmann <maxdev at posteo dot de> + + ok djm + + OpenBSD-Commit-ID: 48e9b7938e2fa2f9bd47e6de6df66a31e0b375d3 + +commit 6a42b70e56bef1aacdcdf06352396e837883e84f +Author: Damien Miller <djm@mindrot.org> +Date: Wed May 8 09:43:59 2024 +1000 + + sync getrrsetbyname.c with recent upstream changes + +commit 385ecb31e147dfea59c1c488a1d2011d3867e60e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Apr 30 06:23:51 2024 +0000 + + upstream: fix home-directory extension implementation, it always + + returned the current user's home directory contrary to the spec. + + Patch from Jakub Jelen via GHPR477 + + OpenBSD-Commit-ID: 5afd775eab7f9cbe222d7fbae4c793de6c3b3d28 + +commit 14e2b16bc67ffcc188906f65008667e22f73d103 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Apr 30 06:16:55 2024 +0000 + + upstream: flush stdout after writing "sftp>" prompt when not using + + editline. + + From Alpine Linux via GHPR480 + + OpenBSD-Commit-ID: 80bdc7ffe0358dc090eb9b93e6dedb2b087b24cd + +commit 2e69a724051488e3fb3cd11531c4b5bc1764945b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Apr 30 05:53:03 2024 +0000 + + upstream: stricter validation of messaging socket fd number; disallow + + usage of stderr. Based on GHPR492 by RealHurrison + + OpenBSD-Commit-ID: 73dbbe82ea16f73ce1d044d3232bc869ae2f2ce8 + +commit da757b022bf18c6f7d04e685a10cd96ed00f83da +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Apr 30 05:45:56 2024 +0000 + + upstream: add missing reserved fields to key constraint protocol + + documentation. + + from Wiktor Kwapisiewicz via GHPR487 + + OpenBSD-Commit-ID: 0dfb69998cfdb3fa00cbb0e7809e7d2f6126e3df + +commit 16d0b82fa08038f35f1b3630c70116979f49784f +Author: Damien Miller <djm@mindrot.org> +Date: Tue Apr 30 12:39:34 2024 +1000 + + depend + +commit 66aaa678dbe59aa21d0d9d89a3596ecedde0254b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Apr 30 02:14:10 2024 +0000 + + upstream: correctly restore sigprocmask around ppoll() reported + + by Tõivo Leedjärv; ok deraadt@ + + OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686 + +commit 80fb0eb21551aed3aebb009ab20aeffeb01e44e0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Apr 30 02:10:49 2024 +0000 + + upstream: add explict check for server hostkey type against + + HostkeyAlgorithms. Allows HostkeyAlgorithms to disable implicit fallback from + certificate keys to plain keys. ok markus@ + + OpenBSD-Commit-ID: 364087e4a395ff9b2f42bf3aefdb2090bb23643a + +commit 5b28096d31ff7d80748fc845553a4aef5bb05d86 +Author: jsg@openbsd.org <jsg@openbsd.org> +Date: Tue Apr 23 13:34:50 2024 +0000 + + upstream: correct indentation; no functional change ok tb@ + + OpenBSD-Commit-ID: dd9702fd43de546bc6a3f4f025c74d6f3692a0d4 + +commit fd3cb8a82784e05f621dea5b56ac6f89bc53c067 +Author: semarie@openbsd.org <semarie@openbsd.org> +Date: Thu Apr 4 16:00:51 2024 +0000 + + upstream: set right mode on ssh-agent at boot-time + + which sthen@ + ok deraadt@ + + OpenBSD-Commit-ID: 662b5056a2c6171563e1626f9c69f27862b5e7af + +commit 54343a260e3aa4bceca1852dde31cd08e2abd82b +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Apr 2 12:22:38 2024 +0000 + + upstream: Oops, incorrect hex conversion spotted by claudio. + + While here try to improve how it reads a bit better. Surprising the + regression tests didn't spot this error, maybe it fails to roundtrip the + values. + + OpenBSD-Commit-ID: 866cfcc1955aef8f3fc32da0b70c353a1b859f2e + +commit ec78c31409590ad74efc194f886273ed080a545a +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Apr 2 10:02:08 2024 +0000 + + upstream: for parse_ipqos(), use strtonum() instead of mostly + + idiomatic strtoul(), but wow it's so gross. ok djm + + OpenBSD-Commit-ID: cec14a76af2eb7b225300c80fc0e21052be67b05 + +commit 8176e1a6c2e6da9361a7abb6fbf6c23c299f495b +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Apr 2 09:56:58 2024 +0000 + + upstream: can shortcut by returning strtonum() value directly; ok + + djm + + OpenBSD-Commit-ID: 7bb2dd3d6d1f288dac14247d1de446e3d7ba8b8e + +commit 9f543d7022a781f80bb696f9d73f1d1c6f9e31d6 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Apr 2 09:52:14 2024 +0000 + + upstream: rewrite convtime() to use a isdigit-scanner and + + strtonum() instead of strange strtoul can might be fooled by garage + characters. passes regress/usr.bin/ssh/unittests/misc ok djm + + OpenBSD-Commit-ID: 4b1ef826bb16047aea3f3bdcb385b72ffd450abc + +commit 8673137f780d8d9e4cda3c4605cb5d88d5cea271 +Author: claudio@openbsd.org <claudio@openbsd.org> +Date: Tue Apr 2 09:48:24 2024 +0000 + + upstream: Remove unused ptr[3] char array in pkcs11_decode_hex. + + OK deraadt@ + + OpenBSD-Commit-ID: 3d14433e39fd558f662d3b0431c4c555ef920481 + +commit c7fec708f331f108343d69e4d74c9a5d86d6cfe7 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Apr 2 09:32:28 2024 +0000 + + upstream: Replace non-idiomatic strtoul(, 16) to parse a region + + of 2-character hex sequences with a low-level replacement designed just for + the task. ok djm + + OpenBSD-Commit-ID: 67bab8b8a4329a19a0add5085eacd6f4cc215e85 + +commit 019a5f483b0f588da6270ec401d0b4bb35032f3f +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Apr 2 09:29:31 2024 +0000 + + upstream: Use strtonum() instead of severely non-idomatic + + strtoul() In particular this will now reject trailing garbage, ie. + '12garbage'. ok djm + + OpenBSD-Commit-ID: c82d95e3ccbfedfc91a8041c2f8bf0cf987d1501 + +commit 8231ca046fa39ea4eb99b79e0a6e09dec50ac952 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Mon Apr 1 15:50:17 2024 +0000 + + upstream: also create a relink kit for ssh-agent, since it is a + + long-running setgid program carrying keys with some (not very powerful) + communication channels. solution for testing the binary from dtucker. + agreement from djm. Will add it into /etc/rc in a few days. + + OpenBSD-Commit-ID: 2fe8d707ae35ba23c7916adcb818bb5b66837ba0 + +commit bf7bf50bd6a14e49c9c243cb8f4de31e555a5a2e +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Mon Apr 1 15:48:16 2024 +0000 + + upstream: new-style relink kit for sshd. The old scheme created + + a Makefile by concatenating two Makefiles and was incredibly fragile. In the + new way a narrow-purposed install.sh script is created and shipped with the + objects. A recently commited /etc/rc script understands these files. + + OpenBSD-Commit-ID: ef9341d5a50f0d33e3a6fbe995e92964bc7ef2d3 + +commit 00e63688920905e326d8667cb47f17a156b6dc8f +Author: renmingshuai <renmingshuai@huawei.com> +Date: Fri Apr 12 10:20:49 2024 +0800 + + Shell syntax fix (leftover from a sync). + + Signed-off-by: renmingshuai <renmingshuai@huawei.com> + +commit 2eded551ba96e66bc3afbbcc883812c2eac02bd7 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Apr 25 13:20:19 2024 +1000 + + Merge flags for OpenSSL 3.x versions. + + OpenSSL has moved to 3.4 which we don't currently accept. Based on + the OpenSSL versioning policy[0] it looks like all of the 3.x versions + should work with OpenSSH, so remove the distinction in configure and + accept all of them. + + [0] https://openssl.org/policies/general/versioning-policy.html + +commit 8673245918081c6d1dc7fb3733c8eb2c5a902c5e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Apr 25 13:19:03 2024 +1000 + + Remove 9.6 branch from status page. + +commit 70d43049747fa3c66cf876d52271859407cec2fa +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Apr 25 13:16:58 2024 +1000 + + Update LibreSSL and OpenSSL versions tested. + + Update LibreSSL versions to current releases (3.8.4 & 3.9.1). + Add newly-released OpenSSL 3.3.0, and add tests against the 3.1 and + 3.3 branches. + +commit 88351eca17dcc55189991ba60e50819b6d4193c1 +Author: 90 <hi@90.gripe> +Date: Fri Apr 5 19:36:06 2024 +0100 + + Fix missing header for systemd notification + +commit 08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c +Author: Damien Miller <djm@mindrot.org> +Date: Wed Apr 3 14:40:32 2024 +1100 + + notify systemd on listen and reload + + Standalone implementation that does not depend on libsystemd. + With assistance from Luca Boccassi, and feedback/testing from Colin + Watson. bz2641 + +commit 43e7c1c07cf6aae7f4394ca8ae91a3efc46514e2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Mar 31 21:51:57 2024 +1100 + + Port changes from selfhosted to upstream tests. + + Should get them working again. + +commit 281ea25a44bff53eefb4af7bab7aa670b1f8b6b2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Mar 30 18:20:16 2024 +1100 + + Check if OpenSSL implementation supports DSA. + + If --enable/disable-dsa-keys is not specified, set based on what OpenSSL + supports. If specified as enabled, but not supported by OpenSSL error + out. ok djm@ + +commit 2d2c068de8d696fe3246f390b146197f51ea1e83 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Mar 30 05:56:22 2024 +0000 + + upstream: in OpenSSH private key format, correct type for subsequent + + private keys in blob. From Jakub Jelen via GHPR430 + + OpenBSD-Commit-ID: d17dbf47554de2d752061592f95b5d772baab50b + +commit c2c0bdd3e96b3ef66d77fccb85ff4962dc76caf0 +Author: Eero Häkkinen <Eero+git@xn--Hkkinen-5wa.fi> +Date: Sat Sep 16 00:55:08 2023 +0300 + + Expose SSH_AUTH_INFO_0 always to PAM auth modules. + + This changes SSH_AUTH_INFO_0 to be exposed to PAM auth modules also + when a password authentication method is in use and not only + when a keyboard-interactive authentication method is in use. + +commit 02c5ad23124ae801cf248d99ea5068fc4331ca01 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Mar 27 17:42:58 2024 +1100 + + Rearrange selfhosted VM scheduling. + + Instead of trying to infer the type of the self hosted tests in each of + the driver scripts (inconsistently...), set one of the following + variables to "true" in the workflow: + + VM: tests run in a virtual machine. + EPHEMERAL: tests run on an ephemeral virtual machine. + PERSISTENT: tests run on a persistent virtual machine + REMOTE: tests run on a physical remote host. + + EPHEMERAL VMs can have multiple instances of any given VM can exist + simultaneously and are run by a runner pool. The other types have a + dedicated runner instance and can only run a single test at a time. + + Other settings: + SSHFS: We need to sshfs mount over the repo so the workflow can collect + build artifacts. This also implies the tests must be run over ssh. + DEBUG_ACTIONS: enable "set -x" in scripts for debugging. + +commit cd8a72707c02615365d0851ac51063ab6bfe258f +Author: Damien Miller <djm@mindrot.org> +Date: Sat Mar 30 16:05:59 2024 +1100 + + add new token-based signing key for dtucker@ + + Verified in person and via signature with old key. + Will remove old key in a bit. + +commit 8d0e46c1ddb5b7f0992591b0dc5d8aaa77cc9dba +Author: Alkaid <zgf574564920@gmail.com> +Date: Tue Mar 12 03:59:12 2024 -0700 + + Fix OpenSSL ED25519 support detection + + Wrong function signature in configure.ac prevents openssh from enabling + the recently new support for ED25519 priv keys in PEM PKCS8 format. + +commit 697359be9c23ee43618243cdbcc9c7981e766752 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Mar 30 04:27:44 2024 +0000 + + upstream: allow WAYLAND_DISPLAY to enable SSH_ASKPASS + + From dkg via GHPR479; ok dtucker@ + + OpenBSD-Commit-ID: 1ac1f9c45da44eabbae89375393c662349239257 + +commit 7844705b0364574cc70b941be72036c2c2966363 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Mar 29 10:40:07 2024 +0000 + + upstream: Use egrep instead of grep -E. + + Some plaforms don't have the latter so this makes things easier + in -portable. + + OpenBSD-Regress-ID: ff82260eb0db1f11130200b25d820cf73753bbe3 + +commit 22b2b6c555334bffdf357a2e4aa74308b03b83c3 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Mar 26 08:09:16 2024 +0000 + + upstream: test -h is the POSIXly way of testing for a symlink. Reduces + + diff vs Portable. + + OpenBSD-Regress-ID: 6f31cd6e231e3b8c5c2ca0307573ccb7484bff7d + +commit edcff77f82c2bb2b5653b36f1e47274c5ef3e8be +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 18:58:58 2024 +1100 + + Fix name of OpenBSD upstream CI jobs. + +commit 861b084429940e024f1b6e9c2779eac95d7a45db +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 18:55:33 2024 +1100 + + Resync with upstream: ${} around DATAFILE. + +commit 63f248c7693e7f0a3b9a13d2980ac9a7e37f2aea +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Mar 25 19:28:09 2024 +0000 + + upstream: optional debugging + + OpenBSD-Regress-ID: b4852bf97ac8fb2e3530f2d5f999edd66058d7bc + +commit 16e2ebe06a62f09d4877b769876d92d6008a896f +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Mar 25 06:05:42 2024 +0000 + + upstream: Verify string returned from local shell command. + + OpenBSD-Regress-ID: 5039bde24d33d809aebfa8d3ad7fe9053224e6f8 + +commit b326f7a1f39ff31324cc3fe2735178fb474c04a4 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Mar 25 03:30:31 2024 +0000 + + upstream: Improve shell portability: grep -q is not portable so + + redirect stdout, and use printf instead of relying on echo to do \n + substitution. Reduces diff vs Portable. + + Also resync somewhat with upstream. + + OpenBSD-Regress-ID: 9ae876a8ec4c4725f1e9820a0667360ee2398337 + +commit dbf2e319f0c582613fa45a735ea3c242ce56946b +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Mar 25 02:07:08 2024 +0000 + + upstream: Save error code from SSH for use inside case statement, + + from portable. In some shells, "case" will reset the value of $?, so save it + first. + + OpenBSD-Regress-ID: da32e5be19299cb4f0f7de7f29c11257a62d6949 + +commit d2c8c4fa7def4fb057ed05b3db57b62c810a26f6 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Mar 25 01:40:47 2024 +0000 + + upstream: Increase timeout. Resyncs with portable where some of + + the test VMs are slow enough for this to matter. + + OpenBSD-Regress-ID: 6a83a693602eb0312f06a4ad2cd6f40d99d24b26 + +commit 83621b63514a84791623db3efb59d38bc4bf9563 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Mar 25 01:28:29 2024 +0000 + + upstream: In PuTTY interop test, don't assume the PuTTY major + + version is 0. Patch from cjwatson at debian.org via bz#3671. + + OpenBSD-Regress-ID: 835ed03c1b04ad46be82e674495521f11b840191 + +commit 8a421b927700f3834b4d985778e252b8e3299f83 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 18:38:14 2024 +1100 + + Really mkdir /usr/local/etc in CI tests. + +commit 2946ed522c47ce045314533d426b4e379f745e59 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 17:19:09 2024 +1100 + + Better short name for OpenBSD upstream CI jobs too. + +commit 18dbe8eff647aacb82d7e86b4ce63d5beee11f25 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 17:13:52 2024 +1100 + + Ensure /usr/local/etc exists before using in tests. + +commit 5fc1085128e3348bb1b5ee4d955cc767b019b3ad +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 16:50:46 2024 +1100 + + Be more specific about when to rerun workflows. + +commit 5516923e8ae3da0823fea0d7d28aa813627142c0 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 16:35:27 2024 +1100 + + Add short names for test jobs on github CI. + +commit dc37d2d2470b4a9cedcee9ac926b7362214e3305 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 26 16:26:14 2024 +1100 + + If we're using xpg4's id, remember to pass args. + +commit fe169487937780392b23d3ff3c00e5898c10f784 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Mar 26 01:23:11 2024 +0000 + + upstream: Import regenerated moduli. + + OpenBSD-Commit-ID: ad3d1486d105b008c93e952d158e5af4d9d4c531 + +commit 151146f03b490d19145cd421763aa7d42f5c50e2 +Author: job@openbsd.org <job@openbsd.org> +Date: Thu Mar 14 06:23:14 2024 +0000 + + upstream: Clarify how literal IPv6 addresses can be used in -J mode + + OK djm@ + + OpenBSD-Commit-ID: 524ddae97746b3563ad4a887dfd0a6e6ba114c50 + +commit 0d5bdc87a675271862b67eb6a9fb13a202fb4894 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 25 16:14:21 2024 +1100 + + Add Mac OS X 14 test targets. + +commit 2d7964a03e1f50a48040ec6912c0a956df909d21 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 25 14:05:40 2024 +1100 + + Move xpg4 'id' handling into test-exec.sh. + + Handle replacement of 'id' the same way as we do other Portable specific + replacements in test-exec.sh. This brings percent.sh back into sync + with upstream. + +commit 75d1d49ed10d978171cdafad28bdbffdbd48f41e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 25 10:38:03 2024 +1100 + + Update branches shown on ci-status to 9.7 and 9.6. + +commit f9193f03db0029fc9c31fbdb5c66a2737446bd8f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Mar 25 09:28:02 2024 +1100 + + Improve detection of -fzero-call-used-regs=used. + + Should better detect problems with gcc 13 on m68k. bz#3673 from Colin + Watson via bz#3673 and https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110934 + + Signed-off-by: Darren Tucker <dtucker@dtucker.net> + commit 86bdd3853f4d32c85e295e6216a2fe0953ad93f0 Author: Damien Miller <djm@mindrot.org> Date: Mon Mar 11 16:20:49 2024 +1100 @@ -7063,1238 +8664,3 @@ Date: Fri Jul 1 04:45:50 2022 +0000 in format description OpenBSD-Commit-ID: 3de33572733ee7fcfd7db33d37db23d2280254f0 - -commit 32e82a392d9f263485effdd606ff5862d289a4a0 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jul 1 13:55:19 2022 +1000 - - Skip select+rlimit check if sandboxing is disabled - - It's not needed in that case, and the test can fail when being built - with some compiler memory sanitizer flags. bz#3441 - -commit 4be7184ebe2a2ccef175983517a35ee06766e1b4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jul 1 03:52:57 2022 +0000 - - upstream: bump up loglevel from debug to info when unable to open - - authorized keys/principals file for errno != ENOENT; bz2042 ok dtucker - - OpenBSD-Commit-ID: e79aa550d91ade6a80f081bda689da24c086d66b - -commit 6c31ba10e97b6953c4f325f526f3e846dfea647a -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jul 1 03:39:44 2022 +0000 - - upstream: Don't leak the strings allocated by order_hostkeyalgs() - - and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of - github PR#324 from ZoltanFridrich, ok djm@ - - This is a roll-forward of the previous rollback now that the required - changes in compat.c have been done. - - OpenBSD-Commit-ID: c7cd93730b3b9f53cdad3ae32462922834ef73eb - -commit 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jul 1 03:35:45 2022 +0000 - - upstream: Always return allocated strings from the kex filtering so - - that we can free them later. Fix one leak in compat_kex_proposal. Based on - github PR#324 from ZoltanFridrich with some simplications by me. ok djm@ - - OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4 - -commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jul 1 00:36:30 2022 +0000 - - upstream: ignore SIGPIPE earlier in main(), specifically before - - muxclient() which performs operations that could cause one; Reported by Noam - Lewis via bz3454, ok dtucker@ - - OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47 - -commit 33efac790f6b09d54894ba6c3e17dfb08b6fc7e1 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Tue Jun 28 06:09:14 2022 +0000 - - upstream: reflect the update to -D arg name in usage(); - - OpenBSD-Commit-ID: abdcde4f92b1ef094ae44210ee99d3b0155aad9c - -commit c71a1442d02f0a3586109dfe2cb366de36dee08e -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jun 29 18:28:47 2022 +1000 - - Update OpenSSL tests to the most recent releases. - -commit 2a822f29300b2de7335fbff65f0b187a0c582304 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jun 27 21:41:55 2022 +0000 - - upstream: allow arguments to sftp -D option, e.g. sftp -D - - "/usr/libexec/sftp-server -el debug3" - - ok markus@ - - OpenBSD-Commit-ID: 5a002b9f3a7aef2731fc0ffa9c921cf15f38ecce - -commit 2369a2810187e08f2af5d58b343956062fb96ee8 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jun 24 10:45:06 2022 +0000 - - upstream: Roll back previous KEX changes as they aren't safe until - - compat_pkalg_proposal and friends always allocate their returned strings. - Reported by Qualys. - - OpenBSD-Commit-ID: 1c7a88a0d5033f42f88ab9bec58ef1cf72c81ad0 - -commit 646686136c34c2dbf6a01296dfaa9ebee029386d -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jun 24 04:37:00 2022 +0000 - - upstream: Don't leak the strings allocated by order_hostkeyalgs() - - and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of - github PR#324 from ZoltanFridrich, ok djm@ - - OpenBSD-Commit-ID: b2f6e5f60f2bba293b831654328a8a0035ef4a1b - -commit 193c6d8d905dde836b628fc07a7b9cf2d347e2a3 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Jun 25 12:16:15 2022 +1000 - - Zero out LIBFIDO2 when SK support not usable. - - Prevents us from trying to link them into ssh-sk-helper and failing to - build. - -commit 40f5d849d25c60b4ae21261e78484d435f5cfd51 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Jun 25 11:47:28 2022 +1000 - - Disable SK support if FIDO libs not found. - -commit 5fd922ade1b25880fe8a8249f5c0385e413108f9 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jun 24 14:43:54 2022 +1000 - - fix broken case statement in previous - -commit f51423bdaf0008d46b6af082bcfd7a22a87375f0 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jun 24 14:40:42 2022 +1000 - - request 1.1x API compatibility for OpenSSL >=3.x - - idea/patch from Pedro Martelletto via GHPR#322; ok dtucker@ - -commit 455cee8d6c2e4c48c5af9faead3599c49948411e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 24 04:27:14 2022 +0000 - - upstream: make it clear that RekeyLimit applies to both transmitted - - and received data. GHPR#328 from Jan Pazdziora - - OpenBSD-Commit-ID: d180a905fec9ff418a75c07bb96ea41c9308c3f9 - -commit 17904f05802988d0bb9ed3c8d1d37411e8f459c3 -Author: tobhe@openbsd.org <tobhe@openbsd.org> -Date: Tue Jun 21 14:52:13 2022 +0000 - - upstream: Make sure not to fclose() the same fd twice in case of an - - error. - - ok dtucker@ - - OpenBSD-Commit-ID: e384c4e05d5521e7866b3d53ca59acd2a86eef99 - -commit f29d6cf98c25bf044079032d22c1a57c63ab9d8e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sat Jun 18 02:17:16 2022 +0000 - - upstream: Don't attempt to fprintf a null identity comment. From - - Martin Vahlensieck via tech@. - - OpenBSD-Commit-ID: 4c54d20a8e8e4e9912c38a7b4ef5bfc5ca2e05c2 - -commit ad1762173bb38716a106e8979806149fd0f2753e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jun 17 01:00:03 2022 +0000 - - upstream: Log an error if pipe() fails while accepting a - - connection. bz#3447, from vincent-openssh at vinc17 net, ok djm@ - - OpenBSD-Commit-ID: 9d59f19872b94900a5c79da2d57850241ac5df94 - -commit 9c59e7486cc8691401228b43b96a3edbb06e0412 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jun 24 14:20:43 2022 +1000 - - automatically enable built-in FIDO support - - If libfido2 is found and usable, then enable the built-in - security key support unless --without-security-key-builtin - was requested. - - ok dtucker@ - -commit 7d25b37fb2a5ff4dadabcbdac6087a97479434f5 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jun 24 13:46:39 2022 +1000 - - fix possible NULL deref when built without FIDO - - Analysis/fix from kircher in bz3443; ok dtucker@ - -commit f5ba85daddfc2da6a8dab6038269e02c0695be44 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jun 15 16:08:25 2022 +0000 - - upstream: make sure that UseDNS hostname lookup happens in the monitor - - and not in the pledge(2)'d unprivileged process; fixes regression caused by - recent refactoring spotted by henning@ - - OpenBSD-Commit-ID: a089870b95101cd8881a2dff65b2f1627d13e88d - -commit acb2059febaddd71ee06c2ebf63dcf211d9ab9f2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 3 04:47:21 2022 +0000 - - upstream: move auth_openprincipals() and auth_openkeyfile() over to - - auth2-pubkeyfile.c too; they make more sense there. - - OpenBSD-Commit-ID: 9970d99f900e1117fdaab13e9e910a621b7c60ee - -commit 3d9b0845f34510111cc693bb99a667662ca50cd8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 3 04:31:54 2022 +0000 - - upstream: test setenv in both client and server, test first-match-wins - - too - - OpenBSD-Regress-ID: 4c8804f9db38a02db480b9923317457b377fe34b - -commit 22e1a3a71ad6d108ff0c5f07f93c3fcbd30f8b40 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 3 04:30:46 2022 +0000 - - upstream: Make SetEnv directives first-match-wins in both - - sshd_config and sshd_config; previously if the same name was reused then the - last would win (which is the opposite to how the config is supposed to work). - - While there, make the ssh_config parsing more like sshd_config. - - bz3438, ok dtucker - - OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b - -commit 38ed6c57e9e592c08e020fa6e82b45b4e1040970 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jun 3 04:00:15 2022 +0000 - - upstream: Add missing *-sk types to ssh-keyscan manpage. From - - skazi0 via github PR#294. - - OpenBSD-Commit-ID: fda2c869cdb871f3c90a89fb3f985370bb5d25c0 - -commit ea97ec98c41ec2b755dfab459347db674ff9a5de -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jun 3 03:21:09 2022 +0000 - - upstream: Add period at end of "not known by any other names" - - message. github PR#320 from jschauma, ok djm@ - - OpenBSD-Commit-ID: bd60809803c4bfd3ebb7c5c4d918b10e275266f2 - -commit 88e376fcd67478ad1660d94bc73ab348ac9f4527 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jun 3 03:17:42 2022 +0000 - - upstream: ssh-keygen -A: do not generate DSA keys by default. - - Based on github PR#303 from jsegitz with man page text from jmc@, ok markus@ - djm@ - - OpenBSD-Commit-ID: 5c4c57bdd7063ff03381cfb6696659dd3f9f5b9f - -commit 6b3fb624675082a1e5aa615d1b8479873d8b5731 -Author: naddy@openbsd.org <naddy@openbsd.org> -Date: Tue May 31 14:05:12 2022 +0000 - - upstream: ssh-keygen: implement "verify-required" certificate option. - - This was already documented when support for user-verified FIDO - keys was added, but the ssh-keygen(1) code was missing. - - ok djm@ - - OpenBSD-Commit-ID: f660f973391b593fea4b7b25913c9a15c3eb8a06 - -commit b7f86ffc301be105bba9a3e0618b6fab3ae379bd -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Sat May 28 05:57:56 2022 +0000 - - upstream: keywords ref ssh_config.5; - - from caspar schutijser - - OpenBSD-Commit-ID: f146a19d7d5c9374c3b9c520da43b2732d7d1a4e - -commit dc7bc52372f2744fa39191577be5306ee57aacd4 -Author: Damien Miller <djm@mindrot.org> -Date: Mon May 30 09:29:09 2022 +1000 - - fix some bugs in the fuzzer - -commit 1781f507c113667613351c19898efaf1e311a865 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 27 18:19:48 2022 +1000 - - Test against OpenSSL 1.1.1o and 3.0.3. - -commit c53906e0c59e569691b4095d3e8db79cf78fa058 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 27 18:18:31 2022 +1000 - - Test against LibreSSL 3.5.3. - -commit 9b3ad432ad2f19319bcc089370e356c6315d682f -Author: Damien Miller <djm@mindrot.org> -Date: Fri May 27 17:00:43 2022 +1000 - - fuzzer for authorized_keys parsing - - mostly redundant to authopt_fuzz, but it's sensitive code so IMO it - makes sense to test this layer too - -commit c83d8c4d6f3ccceef84d46de107f6b71cda06359 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 27 05:02:46 2022 +0000 - - upstream: split the low-level file handling functions out from - - auth2-pubkey.c - - Put them in a new auth2-pubkeyfile.c to make it easier to refer to them - (e.g. in unit/fuzz tests) without having to refer to everything else - pubkey auth brings in. - - ok dtucker@ - - OpenBSD-Commit-ID: 3fdca2c61ad97dc1b8d4a7346816f83dc4ce2217 - -commit 3b0b142d2a0767d8cd838e2f3aefde8a0aaa41e1 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 27 05:01:25 2022 +0000 - - upstream: refactor authorized_keys/principals handling - - remove "struct ssh *" from arguments - this was only used to pass the - remote host/address. These can be passed in instead and the resulting - code is less tightly coupled to ssh_api.[ch] - - ok dtucker@ - - OpenBSD-Commit-ID: 9d4373d013edc4cc4b5c21a599e1837ac31dda0d - -commit 2c334fd36f80cb91cc42e4b978b10aa35e0df236 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri May 27 04:29:40 2022 +0000 - - upstream: f sshpkt functions fail, then password is not cleared - - with freezero. Unconditionally call freezero to guarantee that password is - removed from RAM. - - From tobias@ and c3h2_ctf via github PR#286, ok djm@ - - OpenBSD-Commit-ID: 6b093619c9515328e25b0f8093779c52402c89cd - -commit 5d3a77f4c5ae774c6796387266503f52c7cdc7c2 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri May 27 04:27:49 2022 +0000 - - upstream: Avoid kill with -1 argument. The out_ctx label can be - - reached before fork has been called. If this happens, then kill -1 would be - called, sending SIGTERM to all processes reachable by the current process. - - From tobias@ and c3h2_ctf via github PR#286, ok djm@ - - OpenBSD-Commit-ID: 6277af1207d81202f5daffdccfeeaed4c763b1a8 - -commit 533b31cd08e4b97f455466f91c36915e2924c15a -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri May 27 04:13:24 2022 +0000 - - upstream: Note that ProxyJump also accepts the same tokens as - - ProxyCommand. From pallxk via github PR#305. - - OpenBSD-Commit-ID: 7115ac351b129205f1f1ffa6bbfd62abd76be7c5 - -commit 9d8c80f8a304babe61ca28f2e3fb5eb6dc9c39bf -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed May 25 06:03:44 2022 +0000 - - upstream: revert previous; it was broken (spotted by Theo) - - OpenBSD-Commit-ID: 457c79afaca2f89ec2606405c1059b98b30d8b0d - -commit 9e0d02ef7ce88b67643bfb1c2272c9f5f04cc680 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed May 25 00:31:13 2022 +0000 - - upstream: make SSHBUF_DBG/SSHBUF_TELL (off by default and only enabled - - via #define) dump to stderr rather than stdout - - OpenBSD-Commit-ID: 10298513ee32db8390aecb0397d782d68cb14318 - -commit 2487163630f28be28b7e2396b4bd6511b98f1d3e -Author: Tim Rice <tim@multitalents.net> -Date: Tue May 24 10:21:25 2022 -0700 - - configure.ac: Add missing AC_DEFINE for caph_cache_tzdata test causing - HAVE_CAPH_CACHE_TZDATA to be missing from config.h.in. - Spotted by Bryan Drewery - -commit bedb93415b60db3dfd704a3d525e82adb14a2481 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun May 15 23:48:07 2022 +0000 - - upstream: regress test for in-place transfers and clobbering larger - - files with smaller ones; would have caught last regression in scp(1) - - OpenBSD-Regress-ID: 19de4e88dd3a4f7e5c1618c9be3c32415bd93bc2 - -commit b4f0d719c2548cb74da509fb65f384dada4ebd37 -Author: anton@openbsd.org <anton@openbsd.org> -Date: Fri Apr 22 05:08:43 2022 +0000 - - upstream: Only run agent-ptrace.sh if gdb is available as all - - architectures do not ship with gdb. - - OpenBSD-Regress-ID: ec53e928803e6b87f9ac142d38888ca79a45348d - -commit 9b73345f80255a7f3048026462f2c0c6a241eeac -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun May 15 23:47:21 2022 +0000 - - upstream: fix in-place copies; r1.163 incorrectly skipped truncation in - - all cases, not just at the start of a transfer. This could cause overwrites - of larger files to leave junk at the end. Spotted by tb@ - - OpenBSD-Commit-ID: b189f19cd68119548c8e24e39c79f61e115bf92c - -commit 56a0697fe079ff3e1ba30a2d5c26b5e45f7b71f8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 13 06:31:50 2022 +0000 - - upstream: arrange for scp, when in sftp mode, to not ftruncate(3) files - - early - - previous behavious of unconditionally truncating the destination file - would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to - delete all the contents of their destination. - - spotted by solene@ sthen@, also bz3431; ok dtucker@ - - OpenBSD-Commit-ID: ca39fdd39e0ec1466b9666f15cbcfddea6aaa179 - -commit fbcef70c2832712f027bccea1aa9bc4b4103da93 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon May 9 08:25:27 2022 +0000 - - upstream: Remove errant apostrophe. From haruyama at queen-ml org. - - OpenBSD-Commit-ID: dc6b294567cb84b384ad6ced9ca469f2bbf0bd10 - -commit 0086a286ea6bbd11ca9b664ac3bb12b27443d6eb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon May 9 03:09:53 2022 +0000 - - upstream: Allow existing -U (use agent) flag to work with "-Y sign" - - operations, where it will be interpreted to require that the private keys is - hosted in an agent; bz3429, suggested by Adam Szkoda; ok dtucker@ - - OpenBSD-Commit-ID: a7bc69873b99c32c42c7628ed9ea91565ba08c2f - -commit cb010744cc98f651b1029bb09efa986eb54e4ccf -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun May 8 22:58:35 2022 +0000 - - upstream: improve error message when 'ssh-keygen -Y sign' is unable to - - load a private key; bz3429, reported by Adam Szkoda ok dtucker@ - - OpenBSD-Commit-ID: bb57b285e67bea536ef81b1055467be2fc380e74 - -commit aa61fc82c63d309a90c22ca74fb1da6c6f4372fd -Author: Tobias Heider <me@tobhe.de> -Date: Mon May 9 02:00:01 2022 +0200 - - Remove duplicate bcrypt_pbkdf.o from Makefile - - bcrypt_pbkdf.o is duplicated in the openbsd-compat Makefile's object - file list. - -commit deb506d00da8d11fb04c1e7b9b1e1cc379c1705c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun May 8 22:32:36 2022 +0000 - - upstream: When performing operations that glob(3) a remote path, ensure - - that the implicit working directory used to construct that path escapes - glob(3) characters. - - This prevents glob characters from being processed in places they - shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation - treat the path "/tmp/a*" literally and not attempt to expand it. - - Reported by Lusia Kundel; ok markus@ - - OpenBSD-Commit-ID: 4f647f58482cbad3d58b1eab7f6a1691433deeef - -commit f38cf74f20b5da113cfa823afd5bfb5c6ba65f3d -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 6 14:50:18 2022 +1000 - - Also retest OpenBSD upstream on .yml changes. - -commit f87a132800ba3710ab130d703448a31ef1128d77 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 6 14:46:09 2022 +1000 - - Note that, for now, we need variadic macros. - -commit 217b518e0f7c52c4b909e935141a55344c61e644 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 6 14:39:34 2022 +1000 - - Add ubsan minimal testcase on OpenBSD. - - As suggested by djm@. - -commit 457dce2cfef6a48f5442591cd8b21c7e8cba13f8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu May 5 01:04:14 2022 +0000 - - upstream: sshkey_unshield_private() contains a exact duplicate of - - the code in private2_check_padding(). Pull private2_check_padding() up so the - code can be reused. From Martin Vahlensieck, ok deraadt@ - - OpenBSD-Commit-ID: 876884c3f0e62e8fd8d1594bab06900f971c9c85 - -commit 0e44db4d9cb313e68a59a44d27884af66c02356e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu May 5 00:56:58 2022 +0000 - - upstream: channel_new no longer frees remote_name. So update the - - comment accordingly. As remote_name is not modified, it can be const as - well. From Martin Vahlensieck - - OpenBSD-Commit-ID: e4e10dc8dc9f40c166ea5a8e991942bedc75a76a - -commit 37b62fd5caf19c85a48241535277cefff65adace -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu May 5 00:55:11 2022 +0000 - - upstream: mux.c: mark argument as const; from Martin Vahlensieck - - OpenBSD-Commit-ID: 69a1a93a55986c7c2ad9f733c093b46a47184341 - -commit f4e67c0ad259b4cf10177277a5827fa5545bac53 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Wed May 4 07:31:22 2022 +0000 - - upstream: make sure stdout is non-blocking; ok djm@ - - OpenBSD-Commit-ID: 64940fffbd1b882eda2d7c8c7a43c79368309c0d - -commit e5c036d2092c00bef395e9161dc5ce42d4be9565 -Author: florian@openbsd.org <florian@openbsd.org> -Date: Tue May 3 07:42:27 2022 +0000 - - upstream: Add FIDO AUTHENTICATOR section and explain a bit how FIDO - - works. The wording came mostly from the 8.2 OpenSSH release notes, addapted - to fit the man page. Then move the -O bits into the new section as is already - done for CERTIFICATES and MODULI GENERATION. Finally we can explain the - trade-offs of resident keys. While here, consistently refer to the FIDO - thingies as "FIDO authenticators", not "FIDO tokens". - - input & OK jmc, naddy - - OpenBSD-Commit-ID: dd98748d7644df048f78dcf793b3b63db9ab1d25 - -commit 575771bf79bef7127be6aaccddc46031ea15529e -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Mon May 2 05:40:37 2022 +0000 - - upstream: remove an obsolete rsa1 format example from an example; - - from megan batty - ok djm - - OpenBSD-Commit-ID: db2c89879c29bf083df996bd830abfb1e70d62bf - -commit 0bc6b4c8f04e292577bdb44d5dc6b630d3448087 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun May 1 23:20:30 2022 +0000 - - upstream: fix some integer overflows in sieve_large() that show up when - - trying to generate modp groups > 16k bits. Reported via GHPR#306 by Bertram - Felgenhauer, but fixed in a different way. feedback/ok tb@ - - OpenBSD-Commit-ID: 81cbc6dd3a21c57bd6fadea10e44afe37bca558e - -commit a45615cb172bc827e21ec76750de39dfb30ecc05 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Apr 29 04:55:07 2022 +0000 - - upstream: be stricter in which characters will be accepted in - - specifying a mask length; allow only 0-9. From khaleesicodes via GHPR#278; ok - dtucker@ - - OpenBSD-Commit-ID: e267746c047ea86665cdeccef795a8a56082eeb2 - -commit 4835544d2dd31de6ffc7dba59f92093aea98155b -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Apr 30 10:56:41 2022 +1000 - - Add Mac OS X 12 test target. - -commit 97a6a8b8c1f2da09712d0e72d0ef800e4edd34cd -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 29 18:27:34 2022 +1000 - - Only run tests when source files change. - - Also run tests on changes to V_9_0 branch. - -commit 6d0392b9ff4b50a56ac5685d1b9392e2cd432ca3 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 29 18:22:34 2022 +1000 - - Remove now-empty int32_minmax.inc. - -commit af59463553b5ad52d3b42c4455ee3c5600158bb7 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Apr 29 03:24:30 2022 +0000 - - upstream: mention that the helpers are used by ssh(1), ssh-agent(1) - - and ssh-keygen(1). Previously only ssh(1) was mentioned. From Pedro - Martelletto - - OpenBSD-Commit-ID: 30f880f989d4b329589c1c404315685960a5f153 - -commit 3e26b3a6eebcee27be177207cc0846fb844b7a56 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Apr 29 03:16:48 2022 +0000 - - upstream: Don't leak SK device. Patch from Pedro Martelletto via - - github PR#316. ok djm@ - - OpenBSD-Commit-ID: 17d11327545022e727d95fd08b213171c5a4585d - -commit 247082b5013f0d4fcae8f97453f2a2f01bcda811 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Apr 29 03:13:32 2022 +0000 - - upstream: fix memleak on session-bind path; from Pedro Martelletto, ok - - dtucker@ - - OpenBSD-Commit-ID: e85899a26ba402b4c0717b531317e8fc258f0a7e - -commit e05522008092ceb86a87bdd4ad7878424315db89 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Apr 28 02:53:31 2022 +0000 - - upstream: avoid printing hash algorithm twice; from lucas AT sexy.is - - OpenBSD-Commit-ID: 9d24671e10a84141b7c504396cabad600e47a941 - -commit 0979e29356915261d69a9517a1e0aaade7c9fc75 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Apr 27 11:08:55 2022 +0000 - - upstream: Add authfd path to debug output. ok markus@ - - OpenBSD-Commit-ID: f735a17d1a6f2bee63bfc609d76ef8db8c090890 - -commit 67b7c784769c74fd4d6b147d91e17e1ac1a8a96d -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Apr 26 07:41:44 2022 +0000 - - upstream: Check sshauthopt_new() for NULL. bz#3425, from - - tessgauthier at microsoft.com. ok djm@ - - OpenBSD-Commit-ID: af0315bc3e44aa406daa7e0ae7c2d719a974483f - -commit d571314d14b919fbd7c84a61f9bf2065fc0a6841 -Author: millert@openbsd.org <millert@openbsd.org> -Date: Wed Apr 20 16:00:25 2022 +0000 - - upstream: Remove unnecessary includes: openssl/hmac.h and - - openssl/evp.h. From Martin Vahlensieck. - - OpenBSD-Commit-ID: a6debb5fb0c8a44e43e8d5ca7cc70ad2f3ea31c3 - -commit da8dddf8cc1f2516ff894b8183e83a7c5ba3ef80 -Author: millert@openbsd.org <millert@openbsd.org> -Date: Wed Apr 20 15:59:18 2022 +0000 - - upstream: Add missing includes of stdlib.h and stdint.h. We need - - stdlib.h for malloc(3) and stdint.h for SIZE_MAX. Unlike the other xmss - files, ssh-xmss.c does not include xmss_commons.h so ssh-xmss.c must include - those headers itself. From Martin Vahlensieck - - OpenBSD-Commit-ID: 70e28a9818cee3da1be2ef6503d4b396dd421e6b - -commit fe9d87a6800a7a33be08f4d5ab662a758055ced2 -Author: millert@openbsd.org <millert@openbsd.org> -Date: Wed Apr 20 15:56:49 2022 +0000 - - upstream: Avoid an unnecessary xstrdup in rm_env() when matching - - patterns. Since match_pattern() doesn't modify its arguments (they are - const), there is no need to make an extra copy of the strings in - options->send_env. From Martin Vahlensieck - - OpenBSD-Commit-ID: 2c9db31e3f4d3403b49642c64ee048b2a0a39351 - -commit 7bf2eb958fbb551e7d61e75c176bb3200383285d -Author: Darren Tucker <dtucker@dtucker.net> -Date: Tue Apr 26 23:30:59 2022 +1000 - - Add debian-riscv64 test target. - -commit 3913c935523902482974c4c503bcff20bd850a6a -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Apr 25 17:20:06 2022 +1000 - - Update OpenSSL and LibreSSL versions in tests. - -commit dcd8dca29bcdb193ff6be35b96fc55e6e30d37d9 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Apr 23 20:40:28 2022 +1000 - - Include stdlib.h for free() prototype. - - ... which is used inside the CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG block. - -commit 4cc05de568e1c3edd7834ff3bd9d8214eb34861b -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Apr 23 20:17:26 2022 +1000 - - Cache timezone data in capsicum sandbox. - - From emaste at freebsd.org, originally part of FreeBSD commit r339216 - / fc3c19a9 with autoconf bits added by me. - -commit c31404426d212e2964ff9e5e58e1d0fce3d83f27 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Apr 21 01:36:46 2022 +0000 - - upstream: It looks like we can't completely avoid - - waiting for processes to exit so retrieve the pid via controlmaster and - use that. - - OpenBSD-Regress-ID: 8246f00f22b14e49d2ff1744c94897ead33d457b - -commit d19b21afab5c8e2f3df6bd8aee9766bdad3d8c58 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Apr 20 13:25:55 2022 +0000 - - upstream: Use ssh -f and ControlPersist .. - - to start up test forwards and ssh -O stop to shut them down intead of - sleep loops. This speeds up the test by an order of magnitude. - - OpenBSD-Regress-ID: eb3db5f805100919b092a3b2579c611fba3e83e7 - -commit 5f76286a126721fa005de6edf3d1c7a265555f19 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Apr 20 05:24:13 2022 +0000 - - upstream: Simplify forward-control test. - - Since we no longer need to support SSH1 we don't need to run shell - commands on the other end of the connection and can use ssh -N instead. - This also makes the test less racy. - - OpenBSD-Regress-ID: 32e94ce272820cc398f30b848b2b0f080d10302c - -commit 687bbf23572d8bdf25cbbcdf8ac583514e1ba710 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Mar 31 03:07:33 2022 +0000 - - upstream: regression test for sftp cp command - - OpenBSD-Regress-ID: c96bea9edde3a384b254785e7f9b2b24a81cdf82 - -commit f1233f19a6a9fe58f52946f50df4772f5b136761 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Apr 20 01:13:47 2022 +0000 - - upstream: Import regenerated moduli - - OpenBSD-Commit-ID: f9a0726d957cf10692a231996a1f34e7f9cdfeb0 - -commit fec014785de198b9a325d1b94e324bb958c5fe7b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Apr 20 04:19:11 2022 +0000 - - upstream: Try to continue running local I/O for channels in state - - OPEN during SSH transport rekeying. The most visible benefit is that it - should make ~-escapes work in the client (e.g. to exit) if the connection - happened to have stalled during a rekey event. Based work by and ok dtucker@ - - OpenBSD-Commit-ID: a66e8f254e92edd4ce09c9f750883ec8f1ea5f45 - -commit e68154b0d4f0f5085a050ea896955da1b1be6e30 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Apr 20 01:13:47 2022 +0000 - - upstream: Import regenerated moduli - - OpenBSD-Commit-ID: f9a0726d957cf10692a231996a1f34e7f9cdfeb0 - -commit 69928b106d8f0fa15b88cf3850d992ed81c44ae0 -Author: tj@openbsd.org <tj@openbsd.org> -Date: Sat Apr 16 00:22:31 2022 +0000 - - upstream: list the correct version number - - for when usage of the sftp protocol became default and fix a typo - from ed maste - - OpenBSD-Commit-ID: 24e1795ed2283fdeacf16413c2f07503bcdebb31 - -commit 21042a05c0b304c16f655efeec97438249d2e2cc -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Apr 12 05:09:49 2022 +0000 - - upstream: Correct path for system known hosts file in description - - of IgnoreUserKnownHosts. Patch from Martin Vahlensieck via tech@ - - OpenBSD-Commit-ID: 9b7784f054fa5aa4d63cb36bd563889477127215 - -commit 53f4aff60a7c1a08a23917bd47496f8901c471f5 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Apr 16 14:33:20 2022 +1000 - - Resync moduli.5 with upstream. - - 1.18: remove duplicate publication year; carsten dot kunze at arcor dot de - 1.19: ssh-keygen's -G/-T have been replaced with -M generate/screen. - -commit d2b888762b9844eb0d8eb59909cdf5af5159f810 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Apr 16 14:31:13 2022 +1000 - - Retire fbsd6 test VM. - - It's long since out of support, relatively slow (it's i686) and the - compiler has trouble with PIE. - -commit cd1f70009860a154b51230d367c55ea5f9a4504e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Apr 11 22:52:08 2022 +0000 - - upstream: clear io_want/io_ready flags at start of poll() cycle; - - avoids plausible spin during rekeying if channel io_want flags are reused - across cycles. ok markus@ deraadt@ - - OpenBSD-Commit-ID: 91034f855b7c73cd2591657c49ac30f10322b967 - -commit aa1920302778273f7f94c2091319aba199068ca0 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Apr 8 05:43:39 2022 +0000 - - upstream: Note that curve25519-sha256 was later published in - - RFC8731. ok djm@ - - OpenBSD-Commit-ID: 2ac2b5d642d4cf5918eaec8653cad9a4460b2743 - -commit 4673fa8f2be983f2f88d5afd754adb1a2a39ec9e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Apr 8 04:40:40 2022 +0000 - - upstream: two defensive changes from Tobias Stoeckmann via GHPR287 - - enforce stricter invarient for sshbuf_set_parent() - never allow - a buffer to have a previously-set parent changed. - - In sshbuf_reset(), if the reallocation fails, then zero the entire - buffer and not the (potentially smaller) default initial alloc size. - - OpenBSD-Commit-ID: 14583203aa5d50ad38d2e209ae10abaf8955e6a9 - -commit 26eef015e2d2254375e13afaaf753b78932b1bf5 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Apr 11 16:07:09 2022 +1000 - - Revert "update build-aux files to match autoconf-2.71" - - This reverts commit 0a8ca39fac6ad19096b6c263436f8b2dd51606f2. - - It turns out that the checked-in copies of these files are actually newer - than autoconf-2.71's copies, so this was effectively a downgrade. - Spotted by Bo Anderson via github - -commit 0a8ca39fac6ad19096b6c263436f8b2dd51606f2 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Apr 8 14:48:58 2022 +1000 - - update build-aux files to match autoconf-2.71 - - i.e. config.guess, config.sub and install-sh - -commit 94eb6858efecc1b4f02d8a6bd35e149f55c814c8 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Apr 6 10:47:48 2022 +1000 - - update version numbers for release - -commit 8e4a8eadf4fe74e65e6492f34250f8cf7d67e8da -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Apr 4 22:45:25 2022 +0000 - - upstream: openssh-9.0 - - OpenBSD-Commit-ID: 0dfb461188f4513ec024c1534da8c1ce14c20b64 - -commit a9f23ea2e3227f406880c2634d066f6f50fa5eaa -Author: naddy@openbsd.org <naddy@openbsd.org> -Date: Thu Mar 31 17:58:44 2022 +0000 - - upstream: ssh: document sntrup761x25519-sha512@openssh.com as - - default KEX - - OpenBSD-Commit-ID: 12545bfa10bcbf552d04d9d9520d0f4e98b0e171 - -commit 9ec2713d122af79d66ebb9c1d6d9ae8621a8945f -Author: naddy@openbsd.org <naddy@openbsd.org> -Date: Thu Mar 31 17:27:27 2022 +0000 - - upstream: man pages: add missing commas between subordinate and - - main clauses - - jmc@ dislikes a comma before "then" in a conditional, so leave those - untouched. - - ok jmc@ - - OpenBSD-Commit-ID: 9520801729bebcb3c9fe43ad7f9776ab4dd05ea3 - -commit 3741df98ffaaff92b474ee70d8ef276b5882f85a -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Apr 4 23:52:11 2022 +1000 - - Disable security key on fbsd6 test host. - -commit 32c12236f27ae83bfe6d2983b67c9bc67a83a417 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Apr 4 15:16:51 2022 +1000 - - Specify TEST_SHELL=bash on AIX. - - The system shells cause the agent-restrict test to fail due to some - quoting so explicitly specify bash until we can get configure to - autmatically work around that. - -commit 90452c8b69d065b7c7c285ff78b81418a75bcd76 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 23:38:44 2022 +1100 - - Only return events from ppoll that were requested. - - If the underlying system's select() returns bits that were not in the - request set, our ppoll() implementation can return revents for events - not requested, which can apparently cause a hang. Only return revents - for activity in the requested event set. bz#3416, analysis and fix by - yaroslav.kuzmin at vmssoftware com, ok djm@ - -commit 6c49eb5fabc56f4865164ed818aa5112d09c31a8 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 23:21:40 2022 +1100 - - Only run regression tests on slow VMs. - -commit f67e47903977b42cb6abcd5565a61bd7293e4dc3 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 23:21:06 2022 +1100 - - Increase test timeout to allow slow VMs to finish - -commit 02488c1b54065ddc4f25835dbd2618b2a2fe21f5 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 16:27:38 2022 +1100 - - Use bash or ksh if available for SH in Makefile. - -commit 34c7018c316af4773e432066de28d0ef9d0888cd -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 14:56:54 2022 +1100 - - Set Makefile SHELL as determined by configure. - - This should improve compatibility for users with non-POSIX shells. If - using Makefile.in directly (eg make -f Makefile.in distprep) then SHELL - will need to be specified on the command line (along with MANFMT in that - particular case). ok djm@ - -commit 5b054d76402faab38c48377efd112426469553a0 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 13:16:47 2022 +1100 - - Skip slow tests on (very) slow test targets. - -commit b275818065b31a865142c48c2acf6a7c1655c542 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Mar 31 14:11:36 2022 +1100 - - depend - -commit 3fa539c3ffaabd6211995512d33e29150f88c5c5 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Mar 31 03:07:03 2022 +0000 - - upstream: add a sftp client "cp" command that supports server-side - - copying of files. Useful for this task and for testing the copy-data - extension. Patch from Mike Frysinger; ok dtucker@ - - OpenBSD-Commit-ID: 1bb1b950af0d49f0d5425b1f267e197aa1b57444 - -commit 7988bfc4b701c4b3fe9b36c8561a3d1c5d4c9a74 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Mar 31 03:05:49 2022 +0000 - - upstream: add support for the "corp-data" protocol extension to - - allow server-side copies to be performed without having to go via the client. - Patch by Mike Frysinger, ok dtucker@ - - OpenBSD-Commit-ID: 00aa510940fedd66dab1843b58682de4eb7156d5 - -commit 32dc1c29a4ac9c592ddfef0a4895eb36c1f567ba -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Mar 30 21:13:23 2022 +0000 - - upstream: select post-quantum KEX - - sntrup761x25519-sha512@openssh.com as the default; ok markus@ - - OpenBSD-Commit-ID: f02d99cbfce22dffec2e2ab1b60905fbddf48fb9 - -commit d6556de1db0822c76ba2745cf5c097d9472adf7c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Mar 30 21:10:25 2022 +0000 - - upstream: fix poll() spin when a channel's output fd closes without - - data in the channel buffer. Introduce more exact packing of channel fds into - the pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@ - - OpenBSD-Commit-ID: 06740737849c9047785622ad5d472cb6a3907d10 - -commit 8a74a96d25ca4d32fbf298f6c0ac5a148501777d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Mar 30 04:33:09 2022 +0000 - - upstream: ssh is almost out of getopt() characters; note the - - remaining remaining available ones in a comment - - OpenBSD-Commit-ID: 48d38cef59d6bc8e84c6c066f6d601875d3253fd - -commit 6d4fc51adb9d8a42f67b5474f02f877422379de6 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Mar 30 04:27:51 2022 +0000 - - upstream: avoid NULL deref via ssh-keygen -Y find-principals. - - bz3409, reported by Mateusz Adamowski - - OpenBSD-Commit-ID: a3b2c02438052ee858e0ee18e5a288586b5df2c5 - -commit e937514920335b92b543fd9be79cd6481d1eb0b6 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Mar 28 17:51:03 2022 +1100 - - Add AIX 5.1 test target. - -commit 4bbe815ba974b4fd89cc3fc3e3ef1be847a0befe -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Mar 26 22:01:31 2022 +1100 - - Drop leading "v" from release version identifier. - - It's present in the git tags but not in the release tarball names. - Also drop extra "/" from URL path. - -commit f5cdd3b3c275dffaebfca91df782dca29975e9ac -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Mar 26 16:28:04 2022 +1100 - - Use tarballs when testing LibreSSL releases. - - This means they'll still work when the combination of -portable and - openbsd github repos no longer match. - -commit 24dc37d198f35a7cf71bf4d5384363c7ef4209d4 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Mar 26 15:02:45 2022 +1100 - - Remove now-unused passwd variable. - -commit 5b467ceef2c356f0a77f5e8ab4eb0fac367e4d24 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Mar 26 13:15:44 2022 +1100 - - Missing semicolon. - -commit 2923d026e55998133c0f6e5186dca2a3c0fa5ff5 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Mar 26 12:49:50 2022 +1100 - - Factor out platform-specific locked account check. - - Also fixes an incorrect free on platforms with both libiaf and shadow - passwords (probably only Unixware). Prompted by github PR#284, - originally from @c3h2_ctf and stoeckmann@. - -commit d23efe4b12886ffe416be10bc0a7da6ca8aa72d1 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Mar 26 08:13:46 2022 +1100 - - Add OpenWRT mips and mipsel test targets. - -commit 16ea8b85838dd7a4dbeba4e51ac4f43fd68b1e5b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Mar 20 08:52:17 2022 +0000 - - upstream: don't leak argument list; bz3404, reported by Balu - - Gajjala ok dtucker@ - - OpenBSD-Commit-ID: fddc32d74e5dd5cff1a49ddd6297b0867eae56a6 - -commit a72bde294fe0518c9a44ba63864093a1ef2425e3 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Mar 20 08:51:21 2022 +0000 - - upstream: make addargs() and replacearg() a little more robust and - - improve error reporting - - make freeargs(NULL) a noop like the other free functions - - ok dtucker as part of bz3403 - - OpenBSD-Commit-ID: 15f86da83176978b4d1d288caa24c766dfa2983d - -commit 731087d2619fa7f01e675b23f57af10d745e8af2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 18 04:04:11 2022 +0000 - - upstream: don't try to resolve ListenAddress directives in the sshd - - re-exec path - we're never going to use the result and if the operation fails - then it can prevent connections from being accepted. Reported by Aaron - Poffenberger; with / ok dtucker@ - - OpenBSD-Commit-ID: 44c53a43909a328e2f5ab26070fdef3594eded60 - -commit 1c83c082128694ddd11ac05fdf31d70312ff1763 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 18 02:50:21 2022 +0000 - - upstream: remove blank line - - OpenBSD-Commit-ID: d5e0182965b2fbfb03ad5f256d1a1ce5706bcddf - -commit 807be68684da7a1fe969c399ddce2fafb7997dcb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 18 02:32:22 2022 +0000 - - upstream: helpful comment - - OpenBSD-Commit-ID: e3315a45cb04e7feeb614d76ec80a9fe4ca0e8c7 - -commit a0b5816f8f1f645acdf74f7bc11b34455ec30bac -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 18 02:31:25 2022 +0000 - - upstream: ssh-keygen -Y check-novalidate requires namespace or SEGV - - will ensue. Patch from Mateusz Adamowski via GHPR#307 - - OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd - -commit 5a252d54a63be30d5ba4be76210942d754a531c0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Mar 15 05:27:37 2022 +0000 - - upstream: improve DEBUG_CHANNEL_POLL debugging message - - OpenBSD-Commit-ID: 2275eb7bc4707d019b1a0194b9c92c0b78da848f - -commit ce324cf58ba2840e31afeb996935800780c8fa4b -Author: cheloha@openbsd.org <cheloha@openbsd.org> -Date: Sun Mar 13 23:27:54 2022 +0000 - - upstream: ssh: xstrdup(): use memcpy(3) - - Copying the given string into the buffer with strlcpy(3) confers no - benefit in this context because we have already determined the - string's length with strlen(3) in order to allocate that buffer. - - Thread: https://marc.info/?l=openbsd-tech&m=164687525802691&w=2 - - ok dtucker@ millert@ - - OpenBSD-Commit-ID: f8bfc082e36e2d2dc4e1feece02fe274155ca11a |