Mercurial > dropbear
comparison CHANGES @ 1552:e46f7f1da56a
CHANGES for 2018.76
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 27 Feb 2018 22:14:04 +0800 |
parents | d35cf9a5e0b5 |
children | 2fd52c383163 |
comparison
equal
deleted
inserted
replaced
1551:1acbdf64088e | 1552:e46f7f1da56a |
---|---|
1 Upcoming... | 1 2018.76 - 27 February 2018 |
2 | 2 |
3 - IMPORTANT: | 3 > > > Configuration/compatibility changes |
4 IMPORTANT | |
4 Custom configuration is now specified in local_options.h rather than options.h | 5 Custom configuration is now specified in local_options.h rather than options.h |
5 Available options and defaults can be seen in default_options.h | 6 Available options and defaults can be seen in default_options.h |
6 | 7 |
7 To migrate your configuration, compare your customised options.h against the | 8 To migrate your configuration, compare your customised options.h against the |
8 upstream options.h from your relevant version. Any customised options should | 9 upstream options.h from your relevant version. Any customised options should |
9 be put in localoptions.h | 10 be put in localoptions.h |
10 | 11 |
11 - "configure --enable-static" should now be used instead of "make STATIC=1" | 12 - "configure --enable-static" should now be used instead of "make STATIC=1" |
12 | 13 This will avoid 'hardened build' flags that conflict with static binaries |
13 - Add group14-256 and group16 key exchange options | 14 |
14 | 15 - Set 'hardened build' flags by default if supported by the compiler. |
15 - Set hardened build flags by default if supported by the compiler. | 16 These can be disabled with configure --disable-harden if needed. |
16 -Wl,-pie | 17 -Wl,-pie |
17 -Wl,-z,now -Wl,-z,relro | 18 -Wl,-z,now -Wl,-z,relro |
18 -fstack-protector-strong | 19 -fstack-protector-strong |
19 -D_FORTIFY_SOURCE=2 | 20 -D_FORTIFY_SOURCE=2 |
20 # spectre v2 mitigation | 21 # spectre v2 mitigation |
21 -mfunction-return=thunk | 22 -mfunction-return=thunk |
22 -mindirect-branch=thunk | 23 -mindirect-branch=thunk |
23 | 24 |
24 These can be disabled with configure --disable-harden if needed | |
25 Spectre patch from Loganaden Velvindron | 25 Spectre patch from Loganaden Velvindron |
26 | |
27 - "dropbear -r" option for hostkeys no longer attempts to load the default | |
28 hostkey paths as well. If desired these can be specified manually. | |
29 Patch from CamVan Nguyen | |
30 | |
31 - group1-sha1 key exchange is disabled in the server by default since | |
32 the fixed 1024-bit group may be susceptible to attacks | |
33 | |
34 - twofish ciphers are now disabled in the default configuration | |
35 | |
36 - Default generated ECDSA key size is now 256 (rather than 521) | |
37 for better interoperability | |
38 | |
39 - Minimum RSA key length has been increased to 1024 bits | |
40 | |
41 > > > Other features and fixes | |
26 | 42 |
27 - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant | 43 - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant |
28 | 44 |
29 - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. | 45 - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. |
30 See dbclient manpage for a socat example. Patch from Harald Becker | 46 See dbclient manpage for a socat example. Patch from Harald Becker |
31 | 47 |
32 - Add "-c forced_command" option. Patch from Jeremy Kerr | 48 - Add "-c forced_command" option. Patch from Jeremy Kerr |
33 | 49 |
50 - Restricted group -G option added with patch from stellarpower | |
51 | |
34 - Support server-chosen TCP forwarding ports, patch from houseofkodai | 52 - Support server-chosen TCP forwarding ports, patch from houseofkodai |
35 | 53 |
36 - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port] | 54 - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port] |
37 Patch from houseofkodai | 55 Patch from houseofkodai |
38 | 56 |
57 - Makefile will now rebuild object files when header files are modified | |
58 | |
59 - Add group14-256 and group16 key exchange options | |
60 | |
61 - curve25519-sha256 also supported without @libssh.org suffix | |
62 | |
39 - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 | 63 - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 |
40 | 64 This fixes building with some recent versions of clang |
41 - Minimum RSA key length has been increased to 1024 bits | |
42 | 65 |
43 - Set PAM_RHOST which is needed by modules such as pam_abl | 66 - Set PAM_RHOST which is needed by modules such as pam_abl |
44 | 67 |
45 - Improvements to DSS public key validation, found by OSS-Fuzz. | 68 - Improvements to DSS and RSA public key validation, found by OSS-Fuzz. |
46 | 69 |
47 - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz | 70 - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz |
48 | 71 |
49 - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz | 72 - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz |
50 | 73 |