Mercurial > dropbear
comparison CHANGES @ 1557:61a793b6e471 fuzz
merge from main
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 28 Feb 2018 21:28:59 +0800 |
| parents | e46f7f1da56a |
| children | 2fd52c383163 |
comparison
equal
deleted
inserted
replaced
| 1546:bb8eaa26bc93 | 1557:61a793b6e471 |
|---|---|
| 1 Upcoming... | 1 2018.76 - 27 February 2018 |
| 2 | 2 |
| 3 - IMPORTANT: | 3 > > > Configuration/compatibility changes |
| 4 IMPORTANT | |
| 4 Custom configuration is now specified in local_options.h rather than options.h | 5 Custom configuration is now specified in local_options.h rather than options.h |
| 5 Available options and defaults can be seen in default_options.h | 6 Available options and defaults can be seen in default_options.h |
| 6 | 7 |
| 7 To migrate your configuration, compare your customised options.h against the | 8 To migrate your configuration, compare your customised options.h against the |
| 8 upstream options.h from your relevant version. Any customised options should | 9 upstream options.h from your relevant version. Any customised options should |
| 9 be put in localoptions.h | 10 be put in localoptions.h |
| 10 | 11 |
| 11 - "configure --enable-static" should now be used instead of "make STATIC=1" | 12 - "configure --enable-static" should now be used instead of "make STATIC=1" |
| 12 | 13 This will avoid 'hardened build' flags that conflict with static binaries |
| 13 - Add group14-256 and group16 key exchange options | 14 |
| 14 | 15 - Set 'hardened build' flags by default if supported by the compiler. |
| 15 - Set hardened build flags by default if supported by the compiler. | 16 These can be disabled with configure --disable-harden if needed. |
| 16 -Wl,-pie | 17 -Wl,-pie |
| 17 -Wl,-z,now -Wl,-z,relro | 18 -Wl,-z,now -Wl,-z,relro |
| 18 -fstack-protector-strong | 19 -fstack-protector-strong |
| 19 -D_FORTIFY_SOURCE=2 | 20 -D_FORTIFY_SOURCE=2 |
| 20 # spectre v2 mitigation | 21 # spectre v2 mitigation |
| 21 -mfunction-return=thunk | 22 -mfunction-return=thunk |
| 22 -mindirect-branch=thunk | 23 -mindirect-branch=thunk |
| 23 | 24 |
| 24 These can be disabled with configure --disable-harden if needed | |
| 25 Spectre patch from Loganaden Velvindron | 25 Spectre patch from Loganaden Velvindron |
| 26 | |
| 27 - "dropbear -r" option for hostkeys no longer attempts to load the default | |
| 28 hostkey paths as well. If desired these can be specified manually. | |
| 29 Patch from CamVan Nguyen | |
| 30 | |
| 31 - group1-sha1 key exchange is disabled in the server by default since | |
| 32 the fixed 1024-bit group may be susceptible to attacks | |
| 33 | |
| 34 - twofish ciphers are now disabled in the default configuration | |
| 35 | |
| 36 - Default generated ECDSA key size is now 256 (rather than 521) | |
| 37 for better interoperability | |
| 38 | |
| 39 - Minimum RSA key length has been increased to 1024 bits | |
| 40 | |
| 41 > > > Other features and fixes | |
| 26 | 42 |
| 27 - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant | 43 - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant |
| 28 | 44 |
| 29 - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. | 45 - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. |
| 30 See dbclient manpage for a socat example. Patch from Harald Becker | 46 See dbclient manpage for a socat example. Patch from Harald Becker |
| 31 | 47 |
| 32 - Add "-c forced_command" option. Patch from Jeremy Kerr | 48 - Add "-c forced_command" option. Patch from Jeremy Kerr |
| 33 | 49 |
| 50 - Restricted group -G option added with patch from stellarpower | |
| 51 | |
| 34 - Support server-chosen TCP forwarding ports, patch from houseofkodai | 52 - Support server-chosen TCP forwarding ports, patch from houseofkodai |
| 35 | 53 |
| 36 - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port] | 54 - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port] |
| 37 Patch from houseofkodai | 55 Patch from houseofkodai |
| 38 | 56 |
| 57 - Makefile will now rebuild object files when header files are modified | |
| 58 | |
| 59 - Add group14-256 and group16 key exchange options | |
| 60 | |
| 61 - curve25519-sha256 also supported without @libssh.org suffix | |
| 62 | |
| 39 - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 | 63 - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 |
| 40 | 64 This fixes building with some recent versions of clang |
| 41 - Minimum RSA key length has been increased to 1024 bits | |
| 42 | 65 |
| 43 - Set PAM_RHOST which is needed by modules such as pam_abl | 66 - Set PAM_RHOST which is needed by modules such as pam_abl |
| 44 | 67 |
| 45 - Improvements to DSS public key validation, found by OSS-Fuzz. | 68 - Improvements to DSS and RSA public key validation, found by OSS-Fuzz. |
| 46 | 69 |
| 47 - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz | 70 - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz |
| 48 | 71 |
| 49 - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz | 72 - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz |
| 50 | 73 |