# HG changeset patch # User Matt Johnston # Date 1592235374 -28800 # Node ID 25b0ce1936c444e888a67b974e1fde9dcf65be01 # Parent 72bb7fb1fced1acf385acc31c5a33c82109b5167 changelog for 2020.79 diff -r 72bb7fb1fced -r 25b0ce1936c4 CHANGES --- a/CHANGES Mon Jun 15 23:17:27 2020 +0800 +++ b/CHANGES Mon Jun 15 23:36:14 2020 +0800 
@@ -1,3 +1,57 @@ +2020.79 - 15 June 2020 + +- Support ed25519 hostkeys and authorized_keys, many thanks to Vladislav Grishenko. + This also replaces curve25519 with a TweetNaCl implementation that reduces code size. + +- Add chacha20-poly1305 authenticated cipher. This will perform faster than AES + on many platforms. Thanks to Vladislav Grishenko + +- Support using rsa-sha2 signatures. No changes are needed to hostkeys/authorized_keys + entries, existing RSA keys can be used with the new signature format (signatures + are ephemeral within a session). Old ssh-rsa signatures will no longer + be supported by OpenSSH in future so upgrading is recommended. + +- Use getrandom() call on Linux to ensure sufficient entropy has been gathered at startup. + Dropbear now avoids reading from the random source at startup, instead waiting until + the first connection. It is possible that some platforms were running without enough + entropy previously, those could potentially block at first boot generating host keys. + The dropbear "-R" option is one way to avoid that. + +- Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for + updating Dropbear to use the current API. Dropbear's configure script will check + for sufficient system library versions, otherwise using the bundled versions. + +- CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by default. + They can be set in localoptions.h if required. + Blowfish has been removed. + +- Support AES GCM, patch from Vladislav Grishenko. This is disabled by default, + Dropbear doesn't currently use hardware accelerated AES. + +- Added an API for specifying user public keys as an authorized_keys replacement. + See pubkeyapi.h for details, thanks to Fabrizio Bertocci + +- Fix idle detection clashing with keepalives, thanks to jcmathews + +- Include IP addresses in more early exit messages making it easier for fail2ban + processing. 
Patch from Kevin Darbyshire-Bryant + +- scp fix for CVE-2018-20685 where a server could modify name of output files + +- SSH_ORIGINAL_COMMAND is set for "dropbear -c" forced command too + +- Fix writing key files on systems without hard links, from Matt Robinson + +- Compatibility fixes for IRIX from Kazuo Kuroi + +- Re-enable printing MOTD by default, was lost moving from options.h. Thanks to zciendor + +- Call fsync() is called on parent directory when writing key files to ensure they are flushed + +- Fix "make install" for manpages in out-of-tree builds, from Gabor Z. Papp + +- Some notes are added in DEVELOPER.md + 2019.78 - 27 March 2019 - Fix dbclient regression in 2019.77. After exiting the terminal would be left diff -r 72bb7fb1fced -r 25b0ce1936c4 debian/changelog --- a/debian/changelog Mon Jun 15 23:17:27 2020 +0800 +++ b/debian/changelog Mon Jun 15 23:36:14 2020 +0800 @@ -1,3 +1,9 @@ +dropbear (2020.79-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston Mon, 15 Jun 2020 22:51:57 +0800 + dropbear (2019.78-0.1) unstable; urgency=low * New upstream release. diff -r 72bb7fb1fced -r 25b0ce1936c4 sysoptions.h --- a/sysoptions.h Mon Jun 15 23:17:27 2020 +0800 +++ b/sysoptions.h Mon Jun 15 23:36:14 2020 +0800 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2019.78" +#define DROPBEAR_VERSION "2020.79" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
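Review bot: In the CHANGES hunk, the entry `Call fsync() is called on parent directory when writing key files to ensure they are flushed` has a doubled verb; suggest `fsync() is called on the parent directory when writing key files to ensure they are flushed`. The entry `CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by default` changes what a default build will negotiate, so it would help to name the localoptions.h settings that restore them and to move the entry near the top, where operators with older peers will see it before upgrading. The chacha20-poly1305 entry is also missing its closing full stop after "Thanks to Vladislav Grishenko".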
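Review bot: In the debian/changelog hunk, the new entry says only `* New upstream release.` with `urgency=low`, while the CHANGES hunk in the same changeset lists an scp fix for CVE-2018-20685; suggest naming the CVE in the Debian entry so the fix is visible to anyone tracking the package, and reconsidering the urgency value. The trailer line `-- Matt Johnston Mon, 15 Jun 2020 22:51:57 +0800` shows no `<email>` between the name and the date as rendered here; if the file itself lacks it, the trailer does not match the Debian changelog format.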
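Review bot: In the sysoptions.h hunk, `#define DROPBEAR_VERSION "2020.79"` is the third hand-edited copy of the release number in this changeset (CHANGES, debian/changelog, sysoptions.h), and nothing visible ties them together; a short comment above the define, or a line in DEVELOPER.md, listing the files to update per release would guard against a mismatch. Since `LOCAL_IDENT` is built from this macro, a missed bump here would leave the SSH identification string reporting the old version, which misleads banner-based inventory and patch tracking.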