From: Corinna Vinschen
To: cygwin-announce@cygwin.com
Subject: Updated: OpenSSH-7.7p1-1
Date: Tue, 03 Apr 2018 15:29:00 -0000
Message-ID: <20180403152334.GE2833@calimero.vinschen.de>

I've just updated the Cygwin version of OpenSSH to 7.7p1-1.

This is primarily an upstream bugfix release.

The original upstream release message:

=========================================================================

OpenSSH 7.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh(1)/sshd(8): Drop compatibility support for some very old SSH
   implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
   versions were all released in or before 2001 and predate the final
   SSH RFCs. The support in question isn't necessary for RFC-compliant
   SSH implementations.

Changes since OpenSSH 7.6
=========================

This is primarily a bugfix release.

New Features
------------

 * All: Add experimental support for PQC XMSS keys (Extended
   Hash-Based Signatures) based on the algorithm described in
   https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
   The XMSS signature code is experimental and not compiled in by
   default.

 * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
   to allow conditional configuration that depends on which routing
   domain a connection was received on (currently supported on OpenBSD
   and Linux).

 * sshd_config(5): Add an optional rdomain qualifier to the
   ListenAddress directive to allow listening on different routing
   domains. This is supported only on OpenBSD and Linux at present.

 * sshd_config(5): Add RDomain directive to allow the authenticated
   session to be placed in an explicit routing domain. This is only
   supported on OpenBSD at present.

 * sshd(8): Add "expiry-time" option for authorized_keys files to
   allow for expiring keys.

 * ssh(1): Add a BindInterface option to allow binding the outgoing
   connection to an interface's address (basically a more usable
   BindAddress)

 * ssh(1): Expose device allocated for tun/tap forwarding via a new
   %T expansion for LocalCommand. This allows LocalCommand to be used
   to prepare the interface.

 * sshd(8): Expose the device allocated for tun/tap forwarding via a
   new SSH_TUNNEL environment variable. This allows automatic setup of
   the interface and surrounding network configuration automatically on
   the server.

 * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
   ssh://user@host or sftp://user@host/path. Additional connection
   parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
   implemented since the ssh fingerprint format in the draft uses the
   deprecated MD5 hash with no way to specify any other algorithm.

 * ssh-keygen(1): Allow certificate validity intervals that specify
   only a start or stop time (instead of both or neither).

 * sftp(1): Allow "cd" and "lcd" commands with no explicit path
   argument. lcd will change to the local user's home directory as
   usual. cd will change to the starting directory for session (because
   the protocol offers no way to obtain the remote user's home
   directory). bz#2760

 * sshd(8): When doing a config test with sshd -T, only require the
   attributes that are actually used in Match criteria rather than (an
   incomplete list of) all criteria.

Bugfixes
--------

 * ssh(1)/sshd(8): More strictly check signature types during key
   exchange against what was negotiated. Prevents downgrade of RSA
   signatures made with SHA-256/512 to SHA-1.

 * sshd(8): Fix support for clients that advertise a protocol version
   of "1.99" (indicating that they are prepared to accept both SSHv1
   and SSHv2). This was broken in OpenSSH 7.6 during the removal of
   SSHv1 support. bz#2810

 * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
   a rsa-sha2-256/512 signature was requested. This condition is
   possible when an old or non-OpenSSH agent is in use. bz#2799

 * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
   to fatally exit if presented an invalid signature request message.

 * sshd_config(5): Accept yes/no flag options case-insensitively, as
   has been the case in ssh_config(5) for a long time. bz#2664

 * ssh(1): Improve error reporting for failures during connection.
   Under some circumstances misleading errors were being shown. bz#2814

 * ssh-keyscan(1): Add -D option to allow printing of results directly
   in SSHFP format. bz#2821

 * regress tests: fix PuTTY interop test broken in last release's SSHv1
   removal. bz#2823

 * ssh(1): Compatibility fix for some servers that erroneously drop the
   connection when the IUTF8 (RFC8160) option is sent.

 * scp(1): Disable RemoteCommand and RequestTTY in the ssh session
   started by scp (sftp was already doing this.)

 * ssh-keygen(1): Refuse to create a certificate with an unusable
   number of principals.

 * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
   public key during key generation. Previously it would silently
   ignore errors writing the comment and terminating newline.

 * ssh(1): Do not modify hostname arguments that are addresses by
   automatically forcing them to lower-case. Instead canonicalise them
   to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
   against known_hosts. bz#2763

 * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
   prompts. bz#2803

 * sftp(1): Have sftp print a warning about shell cleanliness when
   decoding the first packet fails, which is usually caused by shells
   polluting stdout of non-interactive startups. bz#2800

 * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
   time to monotonic time, allowing the packet layer to better function
   over a clock step and avoiding possible integer overflows during
   steps.

 * Numerous manual page fixes and improvements.

Portability
-----------

 * sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
   sandbox violations on some environments.

 * sshd(8): Remove UNICOS support. The hardware and software are literal
   museum pieces and support in sshd is too intrusive to justify
   maintaining.

 * All: Build and link with "retpoline" flags when available to
   mitigate the "branch target injection" style (variant 2) of the
   Spectre branch-prediction vulnerability.

 * All: Add auto-generated dependency information to Makefile.

 * Numerous fixes to the RPM spec files.

=========================================================================

Have fun,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
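
Added example (not part of the announcement and not OpenSSH code): a Python audit of an authorized_keys file for the new "expiry-time" option, classifying each key as expired, valid, invalid or lacking an expiry. It assumes the YYYYMMDD and YYYYMMDDHHMM[SS] local-time formats documented in sshd(8); the function names and the sample file are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = r'''# authorized_keys (constructed)
expiry-time="20180101" ssh-ed25519 AAAAEXAMPLE1 contractor@old
command="/usr/bin/backup --label \"nightly run\"",expiry-time="203001011200" ssh-rsa AAAAEXAMPLE2 backup@host
ssh-ed25519 AAAAEXAMPLE3 expiry-time="20180101"
'''

# Simplification: a line that starts with one of these has no options field.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-")
EXPIRY = re.compile(r'(?:^|,)expiry-time="(\d{8}(?:\d{4}(?:\d{2})?)?)"', re.I)
FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}

def options_field(line):
    """Return the leading options field, honouring quoted values with spaces."""
    if line.startswith(KEY_PREFIXES):
        return ""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i]
    return line

def audit(text, now):
    """Return [(line_number, status)] for every key line in text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXPIRY.search(options_field(line))  # first expiry-time only
        if m is None:
            status = "no-expiry"   # text in the comment field does not count
        else:
            try:
                when = datetime.strptime(m.group(1), FORMATS[len(m.group(1))])
                status = "expired" if when < now else "valid"
            except ValueError:
                status = "invalid"
        findings.append((lineno, status))
    return findings

if __name__ == "__main__":
    for lineno, status in audit(SAMPLE, datetime.now()):
        print(lineno, status)
```

The fourth sample line shows why the options field has to be isolated first: the same text in the trailing comment does not limit the key's lifetime.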
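
Added example (a sketch, not OpenSSH's code): the kind of check described by the key-exchange signature-type bugfix and the ssh(1) agent warning above, comparing the algorithm name carried inside an SSH signature blob with the one that was negotiated or requested. The blob layout (string name, string signature) follows RFC 4253 section 6.6 and the rsa-sha2-* names follow RFC 8332; the function names and the zero-filled signatures are constructed.

```python
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one SSH string at off, with bounds checks; return (bytes, next_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off + 4:end], end

def signature_algorithm(sig_blob: bytes) -> str:
    """Return the algorithm name embedded in a signature blob."""
    name, off = read_string(sig_blob, 0)
    _sig, end = read_string(sig_blob, off)
    if end != len(sig_blob):
        raise ValueError("trailing data after signature")
    return name.decode("ascii")

def accept_signature(negotiated: str, sig_blob: bytes) -> bool:
    """Accept only a signature whose embedded name equals what was negotiated.

    All three RSA signature algorithms use the same "ssh-rsa" public key
    format, so the key alone cannot tell a SHA-1 signature from a SHA-2 one.
    """
    return signature_algorithm(sig_blob) == negotiated

# Constructed blobs: zero bytes stand in for the RSA signature itself.
SHA256_SIG = ssh_string(b"rsa-sha2-256") + ssh_string(b"\x00" * 256)
SHA1_SIG = ssh_string(b"ssh-rsa") + ssh_string(b"\x00" * 256)

if __name__ == "__main__":
    print(accept_signature("rsa-sha2-256", SHA256_SIG))  # matches negotiation
    print(accept_signature("rsa-sha2-256", SHA1_SIG))    # SHA-1 downgrade
```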