# HG changeset patch # User Matt Johnston # Date 1092325296 0 # Node ID 59d16db56e9f931804e27d30d1d81b818188a078 # Parent eee77ac31ccc4786ac7ec172156ed89c5044bcde Simple text changes diff -r eee77ac31ccc -r 59d16db56e9f CHANGES --- a/CHANGES Thu Aug 12 14:56:22 2004 +0000 +++ b/CHANGES Thu Aug 12 15:41:36 2004 +0000 
@@ -1,3 +1,63 @@ +0.43 - Fri Jul 16 2004 17:44:54 +0800 + +- SECURITY: Don't try to free() uninitialised variables in DSS verification + code. Thanks to Arne Bernin for pointing out this bug. This is possibly + exploitable, all users with DSS and pubkey-auth compiled in are advised to + upgrade. + +- Clean up agent forwarding socket files correctly, patch from Gerrit Pape. + +- Don't go into an infinite loop when portforwarding to servers which don't + send any initial data/banner. Patch from Nikola Vladov + +- Fix for network vs. host byte order in logging remote TCP ports, also + from Gerrit Pape. + +- Initialise many pointers to NULL, for general safety. Also checked cleanup + code for mp_ints (related to security issues above). + +0.42 - Wed Jun 16 2004 12:44:54 +0800 + +- Updated to Gerrit Pape's official Debian subdirectory + +- Fixed bad check when opening /dev/urandom - thanks to Danny Sung. + +- Added -i inetd mode flag, and associated options in options.h . Dropbear + can be compiled with either normal mode, inetd, or both modes. Thanks + to Gerrit Pape for basic patch and motivation. + +- Use rather than for POSIX compliance. Thanks to Bill + Sommerfield. + +- Fixed a TCP forwarding (client-local, -L style) bug which caused the whole + session to close if the TCP connection failed. Thanks to Andrew Braund for + reporting it and helping track it down. + +- Re-enable sigpipe for child processes. Thanks to Gerrit Pape for some + suggestions, and BSD manpages for a clearer explanation of the behaviour. + +- Added manpages, thanks to Gerrit Pape. + +- Changed license text for LibTomCrypt and LibTomMath. + +- Added strip-static target + +- Fixed a bug in agent-forwarding cleanup handler - would segfault + (dereferencing a null pointer) if agent forwarding had failed. + +- Fix behaviour of authorized_keys parsing, so larger (>1024 bit) DSA keys will + work. Thanks to Dr. Markus Waldeck for the report. 
+ +- Fixed local port forwarding code so that the "-j" option will make forwarding + attempts fail more gracefully. + +- Allow repeated requests in a single session if previous ones fail - this fixes PuTTY and some other SCP clients, which try SFTP, then fall-back to SCP if it + isn't available. Thanks to Stirling Westrup for the report. + +- Updated to LibTomCrypt 0.96 and LibTomMath 0.30. The AES code now uses + smaller non-precomputed tables if DROPBEAR_SMALL_CODE is defined in + options.h, leading to a significant reduction in the binary size. + 0.41 - Mon Jan 19 2004 22:40:19 +0800 - Fix in configure so that cross-compiling works, thanks to numerous people for diff -r eee77ac31ccc -r 59d16db56e9f INSTALL --- a/INSTALL Thu Aug 12 14:56:22 2004 +0000 +++ b/INSTALL Thu Aug 12 15:41:36 2004 +0000 @@ -78,7 +78,11 @@ You may want to manually disable lastlog recording when using uClibc, configure with --disable-lastlog. -One common problem is pty allocation. There are a number of types of pty allocation which can be used -- if they work properly, the end result is the same for each type. Running configure should detect the best type to use automatically, however for some embedded systems, this may be incorrect. Some things to note: +One common problem is pty allocation. There are a number of types of pty +allocation which can be used -- if they work properly, the end result is the +same for each type. Running configure should detect the best type to use +automatically, however for some systems, this may be incorrect. Some +things to note: If your system expects /dev/pts to be mounted (this is a uClibc option), make sure that it is. diff -r eee77ac31ccc -r 59d16db56e9f LICENSE --- a/LICENSE Thu Aug 12 14:56:22 2004 +0000 +++ b/LICENSE Thu Aug 12 15:41:36 2004 +0000 
@@ -23,9 +23,8 @@ ===== -LibTomCrypt and LibTomMath are (c) Tom St Denis, under TDCAL (Tom Doesn't Care -About Licenses) some files are from public domain sources, see -libtomcrypt/legal.txt +LibTomCrypt and LibTomMath are written by Tom St Denis, and are Public Domain. +Some files are from other public domain sources, see libtomcrypt/legal.txt ===== diff -r eee77ac31ccc -r 59d16db56e9f TODO --- a/TODO Thu Aug 12 14:56:22 2004 +0000 +++ b/TODO Thu Aug 12 15:41:36 2004 +0000 @@ -1,28 +1,24 @@ Current: -Things which need doing: +Things which might need doing: - Make options.h generated from configure perhaps? -- investigate self-pipe? +- Improved queueing of unauthed connections + - fix agent fwd problems + - improve channel window adjustment algorithm (circular buffering) -- Don't use pregenerated AES tables - -- check PRNG - check that there aren't timing issues with valid/invalid user authentication feedback. -- IP6 (binding to :: takes over ipv4 as well, sigh. If anyone wants to suggest - a clean way (ie no V4MAPPED or setsockopt things) please let me know :) -- Binding to different interfaces (see ipv6 probably) +- Binding to different interfaces -- PAM ?? -- inetd - possible RSA blinding? need to check whether this is vuln to timing attacks +- check PRNG - CTR mode, SSH_MSG_IGNORE sending to improve CBC security -- DH Group Exchange possibly +- DH Group Exchange possibly, or just add group14 (whatever it's called today) - Use m_burn for clearing sensitive items in LTM/LTC
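Review bot: In the CHANGES hunk, the 0.42 entry "Use rather than for POSIX compliance" names neither header, so it does not say what was changed; write both header names out in plain text. In the 0.43 SECURITY entry, "all users with DSS and pubkey-auth compiled in" gives the build condition but not which releases contain the free() of uninitialised variables in the DSS verification code; adding the affected version range would help anyone deciding whether to upgrade. The "Patch from Nikola Vladov" line is also missing its full stop.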
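Review bot: In the INSTALL hunk (@@ -78,7 +78,11 @@), the re-wrap of the pty allocation paragraph also drops the word "embedded" ("for some embedded systems" becomes "for some systems"), a wording change that is easy to miss inside a reflow. Mention it in the commit message, or split it from the re-wrap so the content change is visible on its own.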
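Review bot: In the LICENSE hunk (@@ -23,9 +23,8 @@), replacing "(c) Tom St Denis, under TDCAL" with "are Public Domain" changes the stated licence terms of the bundled libraries, which the commit message "Simple text changes" does not convey. The CHANGES hunk lists "Changed license text for LibTomCrypt and LibTomMath" under 0.42, so the summary line should say that LICENSE is being brought in line with that entry. The new wording should also be checked against libtomcrypt/legal.txt, which the text still points to.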
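Review bot: In the TODO hunk (@@ -1,28 +1,24 @@), the IP6 and "PAM ??" items are deleted, but nothing in the CHANGES entries added by this patch records either as done, unlike "inetd" (the -i flag under 0.42) and "Don't use pregenerated AES tables" (DROPBEAR_SMALL_CODE under 0.42). If they were dropped rather than implemented, say so in the commit message; if they are still open, keep them. The new "or just add group14 (whatever it's called today)" would also read better with the actual key exchange method name in place of the parenthetical.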