Mercurial > dropbear
comparison CHANGES @ 1733:d529a52b2f7c coverity coverity
merge coverity from main
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Fri, 26 Jun 2020 21:07:34 +0800 |
parents | cddc90de1b6f |
children | 8b27de2c92ee |
1643:b59623a64678 | 1733:d529a52b2f7c |
---|---|
1 2020.80 - 26 June 2020 | |
2 | |
3 - Don't block authorized_keys logins with no-X11-forwarding or no-agent-forwarding | |
4 restrictions when X11 or agent forwarding are disabled at compile time. | |
5 This is more of a problem now X11 is disabled by default, reported by Guilhem Moulin | |
6 | |
7 - Reduce binary size by 4kB (x64) when using bundled libtommath | |
8 | |
9 - Define GNU_SOURCE for getrandom() on uclibc, reported by Laurent Bercot and | |
10 Fabrice Fontaine | |
11 | |
12 - Improve checking libtomcrypt version compatibility | |
13 | |
14 - Add some style notes to DEVELOPING.md | |
15 | |
16 2020.79 - 15 June 2020 | |
17 | |
18 - Support ed25519 hostkeys and authorized_keys, many thanks to Vladislav Grishenko. | |
19 This also replaces curve25519 with a TweetNaCl implementation that reduces code size. | |
20 | |
21 - Add chacha20-poly1305 authenticated cipher. This will perform faster than AES | |
22 on many platforms. Thanks to Vladislav Grishenko | |
23 | |
24 - Support using rsa-sha2 signatures. No changes are needed to hostkeys/authorized_keys | |
25 entries, existing RSA keys can be used with the new signature format (signatures | |
26 are ephemeral within a session). Old ssh-rsa signatures will no longer | |
27 be supported by OpenSSH in future so upgrading is recommended. | |
28 | |
29 - Use getrandom() call on Linux to ensure sufficient entropy has been gathered at startup. | |
30 Dropbear now avoids reading from the random source at startup, instead waiting until | |
31 the first connection. It is possible that some platforms were running without enough | |
32 entropy previously, those could potentially block at first boot generating host keys. | |
33 The dropbear "-R" option is one way to avoid that. | |
34 | |
35 - Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for | |
36 updating Dropbear to use the current API. Dropbear's configure script will check | |
37 for sufficient system library versions, otherwise using the bundled versions. | |
38 | |
39 - CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by default. | |
40 They can be set in localoptions.h if required. | |
41 Blowfish has been removed. | |
42 | |
43 - Support AES GCM, patch from Vladislav Grishenko. This is disabled by default, | |
44 Dropbear doesn't currently use hardware accelerated AES. | |
45 | |
46 - Added an API for specifying user public keys as an authorized_keys replacement. | |
47 See pubkeyapi.h for details, thanks to Fabrizio Bertocci | |
48 | |
49 - Fix idle detection clashing with keepalives, thanks to jcmathews | |
50 | |
51 - Include IP addresses in more early exit messages making it easier for fail2ban | |
52 processing. Patch from Kevin Darbyshire-Bryant | |
53 | |
54 - scp fix for CVE-2018-20685 where a server could modify name of output files | |
55 | |
56 - SSH_ORIGINAL_COMMAND is set for "dropbear -c" forced command too | |
57 | |
58 - Fix writing key files on systems without hard links, from Matt Robinson | |
59 | |
60 - Compatibility fixes for IRIX from Kazuo Kuroi | |
61 | |
62 - Re-enable printing MOTD by default, was lost moving from options.h. Thanks to zciendor | |
63 | |
64 - Call fsync() is called on parent directory when writing key files to ensure they are flushed | |
65 | |
66 - Fix "make install" for manpages in out-of-tree builds, from Gabor Z. Papp | |
67 | |
68 - Some notes are added in DEVELOPING.md | |
69 | |
70 2019.78 - 27 March 2019 | |
71 | |
72 - Fix dbclient regression in 2019.77. After exiting the terminal would be left | |
73 in a bad state. Reported by Ryan Woodsmall | |
74 | |
75 2019.77 - 23 March 2019 | |
76 | |
77 - Fix server -R option with ECDSA - only advertise one key size which will be accepted. | |
78 Reported by Peter Krefting, 2018.76 regression. | |
79 | |
80 - Fix server regression in 2018.76 where multiple client -R forwards were all forwarded | |
81 to the first destination. Reported by Iddo Samet. | |
82 | |
83 - Make failure delay more consistent to avoid revealing valid usernames, set server password | |
84 limit of 100 characters. Problem reported by usd responsible disclosure team | |
85 | |
86 - Change handling of failed authentication to avoid disclosing valid usernames, | |
87 CVE-2018-15599. | |
88 | |
89 - Fix dbclient to reliably return the exit code from the remote server. | |
90 Reported by W. Mike Petullo | |
91 | |
92 - Fix export of 521-bit ECDSA keys, from Christian Hohnstädt | |
93 | |
94 - Add -o Port=xxx option to work with sshfs, from xcko | |
95 | |
96 - Merged fuzzing code, see FUZZER-NOTES.md | |
97 | |
98 - Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on | |
99 single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart | |
100 | |
101 - Increase allowed username to 100 characters, reported by W. Mike Petullo | |
102 | |
103 - Update config.sub and config.guess, should now work with RISC-V | |
104 | |
105 - Cygwin compile fix from karel-m | |
106 | |
107 - Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu | |
108 | |
109 - Fix for IRIX and writev(), reported by Kazuo Kuroi | |
110 | |
111 - Other fixes and cleanups from François Perrad, Andre McCurdy, Konstantin Demin, | |
112 Michael Jones, Pawel Rapkiewicz | |
113 | |
114 | |
1 2018.76 - 27 February 2018 | 115 2018.76 - 27 February 2018 |
2 | 116 |
3 > > > Configuration/compatibility changes | 117 > > > Configuration/compatibility changes |
4 IMPORTANT | 118 IMPORTANT |
5 Custom configuration is now specified in localoptions.h rather than options.h | 119 Custom configuration is now specified in localoptions.h rather than options.h |
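Review bot: new line 64 of CHANGES reads "Call fsync() is called on parent directory when writing key files", which carries two verbs; suggest "fsync() is called on the parent directory when writing key files to ensure they are flushed". On new line 9, "Define GNU_SOURCE for getrandom() on uclibc" drops the leading underscore of the feature-test macro; the changelog should name it as `_GNU_SOURCE` so that readers searching the source or their build flags find the right symbol. The remaining inserted entries (2020.80 through 2019.77) come in from main with this merge and need no change on this branch.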