comparison CHANGES @ 910:89555751c489 asm
merge up to 2013.63, improve ASM makefile rules a bit
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 27 Feb 2014 21:35:58 +0800 |
parents | f98618496f82 |
children | 8664fea5072f |
909:e4b75744acab | 910:89555751c489 |
---|---|
1 2014.63 - Wednesday 19 February 2014 | |
2 | |
3 - Fix ~. to terminate a client interactive session after waking a laptop | |
4 from sleep. | |
5 | |
6 - Changed port separator syntax again, now using host^port. This is because | |
7 IPv6 link-local addresses use %. Reported by Gui Iribarren | |
8 | |
9 - Avoid constantly relinking dropbearmulti target, fix "make install" | |
10 for multi target, thanks to Mike Frysinger | |
11 | |
12 - Avoid getting stuck in a loop writing huge key files, reported by Bruno | |
13 Thomsen | |
14 | |
15 - Don't link dropbearkey or dropbearconvert to libz or libutil, | |
16 thanks to Nicolas Boos | |
17 | |
18 - Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos | |
19 | |
20 - Avoid crash on exit due to cleaned up keys before last packets are sent, | |
21 debugged by Ronald Wahl | |
22 | |
23 - Fix a race condition in rekeying where Dropbear would exit if it received a | |
24 still-in-flight packet after initiating rekeying. Reported by Oliver Metz. | |
25 This is a longstanding bug but is triggered more easily since 2013.57 | |
26 | |
27 - Fix README for ecdsa keys, from Catalin Patulea | |
28 | |
29 - Ensure that generated RSA keys are always exactly the length | |
30 requested. Previously Dropbear always generated N+16 or N+15 bit keys. | |
31 Thanks to Unit 193 | |
32 | |
33 - Fix DROPBEAR_CLI_IMMEDIATE_AUTH mode which saves a network round trip if the | |
34 first public key succeeds. Still not enabled by default, needs more | |
35 compatibility testing with other implementations. | |
36 | |
37 - Fix for port 0 forwarding in the client and port forwarding with Apache MINA SSHD. Thanks to | |
38 | |
39 - Fix for bad system linux/pkt-sched.h header file with older Linux | |
40 kernels, from Steve Dover | |
41 | |
42 - Fix signal handlers so that errno is saved, thanks to Erik Ahlén for a patch | |
43 and Mark Wickham for independently spotting the same problem. | |
44 | |
45 2013.62 - Tuesday 3 December 2013 | |
46 | |
47 - Disable "interactive" QoS connection options when a connection doesn't | |
48 have a PTY (eg scp, rsync). Thanks to Catalin Patulea for the patch. | |
49 | |
50 - Log when a hostkey is generated with -R, fix some bugs in handling server | |
51 hostkey commandline options | |
52 | |
53 - Fix crash in Dropbearconvert and 521 bit key, reported by NiLuJe | |
54 | |
55 - Update config.guess and config.sub again | |
56 | |
57 2013.61test - Thursday 14 November 2013 | |
58 | |
59 - ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to | |
60 be generated) and ECDH for setting up encryption keys (no intervention | |
61 required). This is significantly faster. | |
62 | |
63 - [email protected] support for setting up encryption keys. This is | |
64 another elliptic curve mode with less potential of NSA interference in | |
65 algorithm parameters. curve25519-donna code thanks to Adam Langley | |
66 | |
67 - -R option to automatically generate hostkeys. This is recommended for | |
68 embedded platforms since it allows the system random number device | |
69 /dev/urandom a longer startup time to generate a secure seed before the | |
70 hostkey is required. | |
71 | |
72 - Compile fixes for old vendor compilers like Tru64 from Daniel Richard G. | |
73 | |
74 - Make authorized_keys handling more robust, don't exit encountering | |
75 malformed lines. Thanks to Lorin Hochstein and Mark Stillwell | |
76 | |
77 2013.60 - Wednesday 16 October 2013 | |
78 | |
79 - Fix "make install" so that it doesn't always install to /bin and /sbin | |
80 | |
81 - Fix "make install MULTI=1", installing manpages failed | |
82 | |
83 - Fix "make install" when scp is included since it has no manpage | |
84 | |
85 - Make --disable-bundled-libtom work | |
86 | |
1 2013.59 - Friday 4 October 2013 | 87 2013.59 - Friday 4 October 2013 |
2 | 88 |
3 - Fix crash from -J command | 89 - Fix crash from -J command |
4 Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches | 90 Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches |
5 | 91 |
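Review bot: The entry added at new line 37 ends in a dangling "Thanks to" with no name and runs past the wrap width used by the surrounding entries; complete the credit or drop the clause, and wrap the line. The release header added at new line 1 reads 2014.63 while the commit summary says "merge up to 2013.63", so one of the two should be corrected to match.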
12 - Send a banner message to report PAM error messages intended for the user | 98 - Send a banner message to report PAM error messages intended for the user |
13 Patch from Martin Donnelly | 99 Patch from Martin Donnelly |
14 | 100 |
15 - Limit the size of decompressed payloads, avoids memory exhaustion denial | 101 - Limit the size of decompressed payloads, avoids memory exhaustion denial |
16 of service | 102 of service |
17 Thanks to Logan Lamb for reporting and investigating it | 103 Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421 |
18 | 104 |
19 - Avoid disclosing existence of valid users through inconsistent delays | 105 - Avoid disclosing existence of valid users through inconsistent delays |
20 Thanks to Logan Lamb for reporting | 106 Thanks to Logan Lamb for reporting. CVE-2013-4434 |
21 | 107 |
22 - Update config.guess and config.sub for newer architectures | 108 - Update config.guess and config.sub for newer architectures |
23 | 109 |
24 - Avoid segfault in server for locked accounts | 110 - Avoid segfault in server for locked accounts |
25 | 111 |
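Review bot: The two entries that gain CVE-2013-4421 and CVE-2013-4434 (new lines 101-106) carry no "SECURITY:" marker, unlike the 0.47 and 0.43 entries further down this file, so a search for that marker skips the two most recent security fixes. Suggest prefixing both entries with "SECURITY:" and putting the CVE id on the description line rather than after the reporter credit.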
316 | 402 |
317 0.49 - Fri 23 February 2007 | 403 0.49 - Fri 23 February 2007 |
318 | 404 |
319 - Security: dbclient previously would prompt to confirm a | 405 - Security: dbclient previously would prompt to confirm a |
320 mismatching hostkey but wouldn't warn loudly. It will now | 406 mismatching hostkey but wouldn't warn loudly. It will now |
321 exit upon a mismatch. | 407 exit upon a mismatch. CVE-2007-1099 |
322 | 408 |
323 - Compile fixes, make sure that all variable definitions are at the start | 409 - Compile fixes, make sure that all variable definitions are at the start |
324 of a scope. | 410 of a scope. |
325 | 411 |
326 - Added -P pidfile argument to the server (from Swen Schillig) | 412 - Added -P pidfile argument to the server (from Swen Schillig) |
378 - Check that the circular buffer is properly empty before | 464 - Check that the circular buffer is properly empty before |
379 closing a channel, which could cause truncated transfers | 465 closing a channel, which could cause truncated transfers |
380 (thanks to Tomas Vanek for helping track it down) | 466 (thanks to Tomas Vanek for helping track it down) |
381 | 467 |
382 - Implement per-IP pre-authentication connection limits | 468 - Implement per-IP pre-authentication connection limits |
383 (after some poking from Pablo Fernandez) | 469 (after some poking from Pablo Fernandez) CVE-2006-1206 |
384 | 470 |
385 - Exit gracefully if trying to connect to as SSH v1 server | 471 - Exit gracefully if trying to connect to as SSH v1 server |
386 (reported by Rushi Lala) | 472 (reported by Rushi Lala) |
387 | 473 |
388 - Only read /dev/random once at startup when in non-inetd mode | 474 - Only read /dev/random once at startup when in non-inetd mode |
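Review bot: At new line 469 the CVE id follows the closing parenthesis of the credit with no separator, and the entry still reads as a plain feature addition, so nothing tells the reader what CVE-2006-1206 covers. Suggest a "SECURITY:" prefix as in the 0.47 and 0.43 entries, plus a short clause naming the problem the connection limit addresses.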
399 0.47 - Thurs Dec 8 2005 | 485 0.47 - Thurs Dec 8 2005 |
400 | 486 |
401 - SECURITY: fix for buffer allocation error in server code, could potentially | 487 - SECURITY: fix for buffer allocation error in server code, could potentially |
402 allow authenticated users to gain elevated privileges. All multi-user systems | 488 allow authenticated users to gain elevated privileges. All multi-user systems |
403 running the server should upgrade (or apply the patch available on the | 489 running the server should upgrade (or apply the patch available on the |
404 Dropbear webpage). | 490 Dropbear webpage). CVE-2005-4178 |
405 | 491 |
406 - Fix channel handling code so that redirecting to /dev/null doesn't use | 492 - Fix channel handling code so that redirecting to /dev/null doesn't use |
407 100% CPU. | 493 100% CPU. |
408 | 494 |
409 - Turn on zlib compression for dbclient. | 495 - Turn on zlib compression for dbclient. |
606 0.43 - Fri Jul 16 2004 17:44:54 +0800 | 692 0.43 - Fri Jul 16 2004 17:44:54 +0800 |
607 | 693 |
608 - SECURITY: Don't try to free() uninitialised variables in DSS verification | 694 - SECURITY: Don't try to free() uninitialised variables in DSS verification |
609 code. Thanks to Arne Bernin for pointing out this bug. This is possibly | 695 code. Thanks to Arne Bernin for pointing out this bug. This is possibly |
610 exploitable, all users with DSS and pubkey-auth compiled in are advised to | 696 exploitable, all users with DSS and pubkey-auth compiled in are advised to |
611 upgrade. | 697 upgrade. CVE-2004-2486 |
612 | 698 |
613 - Clean up agent forwarding socket files correctly, patch from Gerrit Pape. | 699 - Clean up agent forwarding socket files correctly, patch from Gerrit Pape. |
614 | 700 |
615 - Don't go into an infinite loop when portforwarding to servers which don't | 701 - Don't go into an infinite loop when portforwarding to servers which don't |
616 send any initial data/banner. Patch from Nikola Vladov | 702 send any initial data/banner. Patch from Nikola Vladov |