comparison CHANGES @ 1520:84578193ef47

draft CHANGES
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Feb 2018 23:48:32 +0800
parents b19877938d6a
children d35cf9a5e0b5
1519:2f4d52b1334e 1520:84578193ef47
1 Upcoming...
2
3 - IMPORTANT:
4 Custom configuration is now specified in local_options.h rather than options.h
5 Available options and defaults can be seen in default_options.h.in
6
7 To migrate your configuration, compare your customised options.h against the
8 upstream options.h from your relevant version. Any customised options should
9 be put in localoptions.h
10
11 - "configure --enable-static" should now be used instead of "make STATIC=1"
12
13 - Add group14-256 and group16 key exchange options
14
15 - Set hardened build flags by default if supported by the compiler.
16 -Wl,-pie
17 -Wl,-z,now -Wl,-z,relro
18 -fstack-protector-strong
19 -D_FORTIFY_SOURCE=2
20 # spectre v2 mitigation
21 -mfunction-return=thunk
22 -mindirect-branch=thunk
23
24 These can be disabled with configure --disable-harden if needed
25 Spectre patch from Loganaden Velvindron
26
27 - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
28
29 - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
30 See dbclient manpage for a socat example. Patch from Harald Becker
31
32 - Add "-c forced_command" option. Patch from Jeremy Kerr
33
34 - Support server-chosen TCP forwarding ports, patch from houseofkodai
35
36 - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
37 Patch from houseofkodai
38
39 - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
40
41 - Minimum RSA key length has been increased to 1024 bits
42
43 - Set PAM_RHOST which is needed by modules such as pam_abl
44
45 - Improvements to DSS public key validation, found by OSS-Fuzz.
46
47 - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz
48
49 - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
50
51 - Numerous code cleanups and small issues fixed by Francois Perrad
52
53 - Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl
54 platforms. Reported by Oliver Schneider and Andrew Bainbridge
55
56 - Fix some platform portability problems, from Ben Gardner
57
58 - Add EXEEXT filename suffix for building dropbearmulti, from William Foster
59
60 - Support --enable-<option> properly for configure, from Stefan Hauser
61
62 - configure have_openpty result can be cached, from Eric BĂ©nard
63
64 - handle platforms that return close() < -1 on failure, from Marco Wenzel
65
66 - Build and configuration cleanups from Michael Witten
67
68 - Fix libtomcrypt/libtommath linking order, from Andre McCurdy
69
70 - Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC
71
72 - Update curve25519-donna implementation to current version
73
1 2017.75 - 18 May 2017 74 2017.75 - 18 May 2017
2 75
3 - Security: Fix double-free in server TCP listener cleanup 76 - Security: Fix double-free in server TCP listener cleanup
4 A double-free in the server could be triggered by an authenticated user if 77 A double-free in the server could be triggered by an authenticated user if
5 dropbear is running with -a (Allow connections to forwarded ports from any host) 78 dropbear is running with -a (Allow connections to forwarded ports from any host)
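Review bot: the migration instructions in this hunk name the new configuration file inconsistently: line 4 says custom configuration now goes in local_options.h, while line 9 tells users to put customised options in localoptions.h. Whichever name the build actually reads, the other will send people editing a file that has no effect, so make both lines use the same filename and, ideally, state what happens to a leftover customised options.h (ignored or rejected at configure time). A smaller point on the hardened-flags list (lines 16-22): it shows the link-side -Wl,-pie but no compile-side -fPIE; if configure adds it, list it too so readers comparing their build output against this entry see the full set, and if it does not, the PIE line is misleading on its own.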