From owner-svn-src-vendor@freebsd.org Thu Mar 10 20:10:27 2016 Return-Path: Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 010B2ACB1EB; Thu, 10 Mar 2016 20:10:27 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ADC51854; Thu, 10 Mar 2016 20:10:26 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u2AKAP75088526; Thu, 10 Mar 2016 20:10:25 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u2AKAPEb088524; Thu, 10 Mar 2016 20:10:25 GMT (envelope-from des@FreeBSD.org) Message-Id: <201603102010.u2AKAPEb088524@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: des set sender to des@FreeBSD.org using -f From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Date: Thu, 10 Mar 2016 20:10:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r296619 - in vendor-crypto/openssh/dist: . contrib contrib/redhat contrib/suse openbsd-compat regress regress/unittests/sshkey X-SVN-Group: vendor-crypto MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 20:10:27 -0000 Author: des Date: Thu Mar 10 20:10:25 2016 New Revision: 296619 URL: https://svnweb.freebsd.org/changeset/base/296619 Log: Vendor import of OpenSSH 7.2p1. Added: vendor-crypto/openssh/dist/platform-pledge.c (contents, props changed) vendor-crypto/openssh/dist/regress/cert-file.sh (contents, props changed) vendor-crypto/openssh/dist/regress/check-perm.c (contents, props changed) vendor-crypto/openssh/dist/sandbox-pledge.c (contents, props changed) vendor-crypto/openssh/dist/sandbox-solaris.c (contents, props changed) Deleted: vendor-crypto/openssh/dist/roaming_client.c vendor-crypto/openssh/dist/roaming_common.c vendor-crypto/openssh/dist/roaming_dummy.c vendor-crypto/openssh/dist/roaming_serv.c Modified: vendor-crypto/openssh/dist/ChangeLog vendor-crypto/openssh/dist/Makefile.in vendor-crypto/openssh/dist/README vendor-crypto/openssh/dist/README.platform vendor-crypto/openssh/dist/auth-bsdauth.c vendor-crypto/openssh/dist/auth-krb5.c vendor-crypto/openssh/dist/auth-options.c vendor-crypto/openssh/dist/auth-pam.c vendor-crypto/openssh/dist/auth.h vendor-crypto/openssh/dist/auth2-pubkey.c vendor-crypto/openssh/dist/authfd.c vendor-crypto/openssh/dist/authfd.h vendor-crypto/openssh/dist/authfile.c vendor-crypto/openssh/dist/channels.c vendor-crypto/openssh/dist/cipher.c vendor-crypto/openssh/dist/clientloop.c vendor-crypto/openssh/dist/clientloop.h vendor-crypto/openssh/dist/config.h.in vendor-crypto/openssh/dist/configure vendor-crypto/openssh/dist/configure.ac vendor-crypto/openssh/dist/contrib/redhat/openssh.spec vendor-crypto/openssh/dist/contrib/ssh-copy-id vendor-crypto/openssh/dist/contrib/ssh-copy-id.1 vendor-crypto/openssh/dist/contrib/suse/openssh.spec vendor-crypto/openssh/dist/defines.h vendor-crypto/openssh/dist/dh.h vendor-crypto/openssh/dist/includes.h vendor-crypto/openssh/dist/kex.c vendor-crypto/openssh/dist/kex.h vendor-crypto/openssh/dist/kexc25519s.c vendor-crypto/openssh/dist/kexdhs.c vendor-crypto/openssh/dist/kexecdhs.c vendor-crypto/openssh/dist/kexgexs.c vendor-crypto/openssh/dist/key.c vendor-crypto/openssh/dist/key.h vendor-crypto/openssh/dist/krl.c vendor-crypto/openssh/dist/krl.h vendor-crypto/openssh/dist/loginrec.c vendor-crypto/openssh/dist/misc.c vendor-crypto/openssh/dist/moduli.0 vendor-crypto/openssh/dist/monitor.c vendor-crypto/openssh/dist/monitor_wrap.c vendor-crypto/openssh/dist/monitor_wrap.h vendor-crypto/openssh/dist/mux.c vendor-crypto/openssh/dist/myproposal.h vendor-crypto/openssh/dist/opacket.c vendor-crypto/openssh/dist/opacket.h vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.c vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.h vendor-crypto/openssh/dist/openbsd-compat/bsd-poll.h vendor-crypto/openssh/dist/openbsd-compat/glob.c vendor-crypto/openssh/dist/openbsd-compat/glob.h vendor-crypto/openssh/dist/openbsd-compat/openbsd-compat.h vendor-crypto/openssh/dist/openbsd-compat/port-solaris.c vendor-crypto/openssh/dist/openbsd-compat/port-solaris.h vendor-crypto/openssh/dist/openbsd-compat/realpath.c vendor-crypto/openssh/dist/packet.c vendor-crypto/openssh/dist/packet.h vendor-crypto/openssh/dist/platform.h vendor-crypto/openssh/dist/readconf.c vendor-crypto/openssh/dist/readconf.h vendor-crypto/openssh/dist/readpass.c vendor-crypto/openssh/dist/regress/Makefile vendor-crypto/openssh/dist/regress/agent-ptrace.sh vendor-crypto/openssh/dist/regress/dhgex.sh vendor-crypto/openssh/dist/regress/hostkey-rotate.sh vendor-crypto/openssh/dist/regress/keys-command.sh vendor-crypto/openssh/dist/regress/keyscan.sh vendor-crypto/openssh/dist/regress/limit-keytype.sh vendor-crypto/openssh/dist/regress/principals-command.sh vendor-crypto/openssh/dist/regress/proxy-connect.sh vendor-crypto/openssh/dist/regress/rekey.sh vendor-crypto/openssh/dist/regress/setuid-allowed.c vendor-crypto/openssh/dist/regress/sftp-chroot.sh vendor-crypto/openssh/dist/regress/unittests/sshkey/test_file.c vendor-crypto/openssh/dist/regress/unittests/sshkey/test_fuzz.c vendor-crypto/openssh/dist/regress/unittests/sshkey/test_sshkey.c vendor-crypto/openssh/dist/roaming.h vendor-crypto/openssh/dist/sandbox-seccomp-filter.c vendor-crypto/openssh/dist/sandbox-systrace.c vendor-crypto/openssh/dist/scp.0 vendor-crypto/openssh/dist/scp.1 vendor-crypto/openssh/dist/scp.c vendor-crypto/openssh/dist/servconf.c vendor-crypto/openssh/dist/serverloop.c vendor-crypto/openssh/dist/session.c vendor-crypto/openssh/dist/sftp-client.c vendor-crypto/openssh/dist/sftp-client.h vendor-crypto/openssh/dist/sftp-server-main.c vendor-crypto/openssh/dist/sftp-server.0 vendor-crypto/openssh/dist/sftp-server.c vendor-crypto/openssh/dist/sftp.0 vendor-crypto/openssh/dist/sftp.1 vendor-crypto/openssh/dist/sftp.c vendor-crypto/openssh/dist/ssh-add.0 vendor-crypto/openssh/dist/ssh-add.c vendor-crypto/openssh/dist/ssh-agent.0 vendor-crypto/openssh/dist/ssh-agent.1 vendor-crypto/openssh/dist/ssh-agent.c vendor-crypto/openssh/dist/ssh-dss.c vendor-crypto/openssh/dist/ssh-ecdsa.c vendor-crypto/openssh/dist/ssh-keygen.0 vendor-crypto/openssh/dist/ssh-keygen.1 vendor-crypto/openssh/dist/ssh-keygen.c vendor-crypto/openssh/dist/ssh-keyscan.0 vendor-crypto/openssh/dist/ssh-keyscan.1 vendor-crypto/openssh/dist/ssh-keyscan.c vendor-crypto/openssh/dist/ssh-keysign.0 vendor-crypto/openssh/dist/ssh-keysign.8 vendor-crypto/openssh/dist/ssh-keysign.c vendor-crypto/openssh/dist/ssh-pkcs11-client.c vendor-crypto/openssh/dist/ssh-pkcs11-helper.0 vendor-crypto/openssh/dist/ssh-pkcs11-helper.c vendor-crypto/openssh/dist/ssh-pkcs11.c vendor-crypto/openssh/dist/ssh-rsa.c vendor-crypto/openssh/dist/ssh.0 vendor-crypto/openssh/dist/ssh.1 vendor-crypto/openssh/dist/ssh.c vendor-crypto/openssh/dist/ssh.h vendor-crypto/openssh/dist/ssh2.h vendor-crypto/openssh/dist/ssh_api.c vendor-crypto/openssh/dist/ssh_config vendor-crypto/openssh/dist/ssh_config.0 vendor-crypto/openssh/dist/ssh_config.5 vendor-crypto/openssh/dist/sshbuf-getput-basic.c vendor-crypto/openssh/dist/sshbuf.c vendor-crypto/openssh/dist/sshbuf.h vendor-crypto/openssh/dist/sshconnect.c vendor-crypto/openssh/dist/sshconnect.h vendor-crypto/openssh/dist/sshconnect1.c vendor-crypto/openssh/dist/sshconnect2.c vendor-crypto/openssh/dist/sshd.0 vendor-crypto/openssh/dist/sshd.8 vendor-crypto/openssh/dist/sshd.c vendor-crypto/openssh/dist/sshd_config vendor-crypto/openssh/dist/sshd_config.0 vendor-crypto/openssh/dist/sshd_config.5 vendor-crypto/openssh/dist/ssherr.c vendor-crypto/openssh/dist/sshkey.c vendor-crypto/openssh/dist/sshkey.h vendor-crypto/openssh/dist/sshlogin.c vendor-crypto/openssh/dist/uidswap.c vendor-crypto/openssh/dist/version.h vendor-crypto/openssh/dist/xmalloc.c vendor-crypto/openssh/dist/xmalloc.h Modified: vendor-crypto/openssh/dist/ChangeLog ============================================================================== --- vendor-crypto/openssh/dist/ChangeLog Thu Mar 10 18:21:03 2016 (r296618) +++ vendor-crypto/openssh/dist/ChangeLog Thu Mar 10 20:10:25 2016 (r296619) @@ -1,7615 +1,8907 @@ -commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443 -Author: Damien Miller -Date: Thu Jan 14 11:08:19 2016 +1100 +commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 +Author: Darren Tucker +Date: Fri Feb 26 14:40:04 2016 +1100 - bump version numbers + Add a note about using xlc on AIX. + +commit fd4e4f2416baa2e6565ea49d52aade296bad3e28 +Author: Darren Tucker +Date: Wed Feb 24 10:44:25 2016 +1100 + + Skip PrintLastLog in config dump mode. + + When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the + config dump since it'll be reported as UNKNOWN. -commit 302bc21e6fadacb04b665868cd69b625ef69df90 +commit 99135c764fa250801da5ec3b8d06cbd0111caae8 Author: Damien Miller -Date: Thu Jan 14 11:04:04 2016 +1100 +Date: Tue Feb 23 20:17:23 2016 +1100 - openssh-7.1p2 + update spec/README versions ahead of release -commit 6b33763242c063e4e0593877e835eeb1fd1b60aa +commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5 Author: Damien Miller -Date: Thu Jan 14 11:02:58 2016 +1100 +Date: Tue Feb 23 20:16:53 2016 +1100 - forcibly disable roaming support in the client + put back portable patchlevel to p1 -commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13 +commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f Author: djm@openbsd.org -Date: Mon Oct 5 17:11:21 2015 +0000 +Date: Tue Feb 23 09:14:34 2016 +0000 upstream commit - some more bzero->explicit_bzero, from Michael McConville + openssh-7.2 - Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0 + Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78 -commit 8f5b93026797b9f7fba90d0c717570421ccebbd3 -Author: guenther@openbsd.org -Date: Fri Sep 11 08:50:04 2015 +0000 +commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf +Author: Damien Miller +Date: Tue Feb 23 16:12:13 2016 +1100 - upstream commit - - Use explicit_bzero() when zeroing before free() + Disable tests where fs perms are incorrect - from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu) - ok millert@ djm@ + Some tests have strict requirements on the filesystem permissions + for certain files and directories. This adds a regress/check-perm + tool that copies the relevant logic from sshd to exactly test + the paths in question. This lets us skip tests when the local + filesystem doesn't conform to our expectations rather than + continuing and failing the test run. - Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50 + ok dtucker@ -commit d77148e3a3ef6c29b26ec74331455394581aa257 -Author: djm@openbsd.org -Date: Sun Nov 8 21:59:11 2015 +0000 +commit 39f303b1f36d934d8410b05625f25c7bcb75db4d +Author: Damien Miller +Date: Tue Feb 23 12:56:59 2016 +1100 - upstream commit + fix sandbox on OSX Lion - fix OOB read in packet code caused by missing return - statement found by Ben Hawkes; ok markus@ deraadt@ + sshd was failing with: - Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 - -commit 076d849e17ab12603627f87b301e2dca71bae518 -Author: Damien Miller -Date: Sat Nov 14 18:44:49 2015 +1100 - - read back from libcrypto RAND when privdropping + ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw + image not found [preauth] - makes certain libcrypto implementations cache a /dev/urandom fd - in preparation of sandboxing. Based on patch by Greg Hartman. + caused by chroot before sandboxing. Avoid by explicitly linking libsandbox + to sshd. Spotted by Darren. -commit f72adc0150011a28f177617a8456e1f83733099d +commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4 Author: djm@openbsd.org -Date: Sun Dec 13 22:42:23 2015 +0000 +Date: Tue Feb 23 01:34:14 2016 +0000 upstream commit - unbreak connections with peers that set - first_kex_follows; fix from Matt Johnston va bz#2515 + fix spurious error message when incorrect passphrase + entered for keys; reported by espie@ ok deraadt@ - Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b + Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899 -commit 04bd8d019ccd906cac1a2b362517b8505f3759e6 -Author: djm@openbsd.org -Date: Tue Jan 12 23:42:54 2016 +0000 +commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc +Author: sobrado@openbsd.org +Date: Sat Feb 20 23:06:23 2016 +0000 upstream commit - use explicit_bzero() more liberally in the buffer code; ok - deraadt + set ssh(1) protocol version to 2 only. - Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf + ok djm@ + + Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10 -commit e91346dc2bbf460246df2ab591b7613908c1b0ad -Author: Damien Miller -Date: Fri Aug 21 14:49:03 2015 +1000 +commit 9262e07826ba5eebf8423f7ac9e47ec488c47869 +Author: sobrado@openbsd.org +Date: Sat Feb 20 23:02:39 2016 +0000 - we don't use Github for issues/pull-requests + upstream commit + + add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to + IdentityFile. + + ok djm@ + + Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf -commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23 -Author: Damien Miller -Date: Fri Aug 21 14:43:55 2015 +1000 +commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5 +Author: sobrado@openbsd.org +Date: Sat Feb 20 23:01:46 2016 +0000 - fix URL for connect.c + upstream commit + + AddressFamily defaults to any. + + ok djm@ + + Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c -commit d026a8d3da0f8186598442997c7d0a28e7275414 -Author: Damien Miller -Date: Fri Aug 21 13:47:10 2015 +1000 +commit 907091acb188b1057d50c2158f74c3ecf1c2302b +Author: Darren Tucker +Date: Fri Feb 19 09:05:39 2016 +1100 - update version numbers for 7.1 + Make Solaris privs code build on older systems. + + Not all systems with Solaris privs have priv_basicset so factor that + out and provide backward compatibility code. Similarly, not all have + PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from + alex at cooperi.net and djm@ with help from carson at taltos.org and + wieland at purdue.edu. -commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed +commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59 Author: djm@openbsd.org -Date: Fri Aug 21 03:45:26 2015 +0000 +Date: Wed Feb 17 22:20:14 2016 +0000 upstream commit - openssh-7.1 + rekey refactor broke SSH1; spotted by Tom G. Christensen - Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f + Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243 -commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf +commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca Author: djm@openbsd.org -Date: Fri Aug 21 03:42:19 2015 +0000 +Date: Wed Feb 17 08:57:34 2016 +0000 upstream commit - fix inverted logic that broke PermitRootLogin; reported - by Mantas Mikulenas; ok markus@ + rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly + in *KeyTypes options yet. Remove them from the lists of algorithms for now. + committing on behalf of markus@ ok djm@ - Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5 + Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7 -commit ce445b0ed927e45bd5bdce8f836eb353998dd65c -Author: deraadt@openbsd.org -Date: Thu Aug 20 22:32:42 2015 +0000 +commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b +Author: jmc@openbsd.org +Date: Wed Feb 17 07:38:19 2016 +0000 upstream commit - Do not cast result of malloc/calloc/realloc* if stdlib.h - is in scope ok krw millert - - Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667 - -commit 05291e5288704d1a98bacda269eb5a0153599146 -Author: naddy@openbsd.org -Date: Thu Aug 20 19:20:06 2015 +0000 - - upstream commit + since these pages now clearly tell folks to avoid v1, + normalise the docs from a v2 perspective (i.e. stop pointing out which bits + are v2 only); - In the certificates section, be consistent about using - "host_key" and "user_key" for the respective key types. ok sthen@ deraadt@ + ok/tweaks djm ok markus - Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb + Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129 -commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4 +commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d Author: djm@openbsd.org -Date: Wed Aug 19 23:21:42 2015 +0000 +Date: Wed Feb 17 05:29:04 2016 +0000 upstream commit - Better compat matching for WinSCP, add compat matching - for FuTTY (fork of PuTTY); ok markus@ deraadt@ + make sandboxed privilege separation the default, not just + for new installs; "absolutely" deraadt@ - Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389 + Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b -commit ec6eda16ebab771aa3dfc90629b41953b999cb1e -Author: djm@openbsd.org -Date: Wed Aug 19 23:19:01 2015 +0000 +commit eb3f7337a651aa01d5dec019025e6cdc124ed081 +Author: jmc@openbsd.org +Date: Tue Feb 16 07:47:54 2016 +0000 upstream commit - fix double-free() in error path of DSA key generation - reported by Mateusz Kocielski; ok markus@ + no need to state that protocol 2 is the default twice; - Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c + Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb -commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b +commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005 Author: djm@openbsd.org -Date: Wed Aug 19 23:18:26 2015 +0000 +Date: Tue Feb 16 05:11:04 2016 +0000 upstream commit - fix free() of uninitialised pointer reported by Mateusz - Kocielski; ok markus@ + Replace list of ciphers and MACs adjacent to -1/-2 flag + descriptions in ssh(1) with a strong recommendation not to use protocol 1. + Add a similar warning to the Protocol option descriptions in ssh_config(5) + and sshd_config(5); - Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663 + prompted by and ok mmcc@ + + Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e -commit c837643b93509a3ef538cb6624b678c5fe32ff79 +commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2 Author: djm@openbsd.org -Date: Wed Aug 19 23:17:51 2015 +0000 +Date: Tue Feb 16 03:37:48 2016 +0000 upstream commit - fixed unlink([uninitialised memory]) reported by Mateusz - Kocielski; ok markus@ + add a "Close session" log entry (at loglevel=verbose) to + correspond to the existing "Starting session" one. Also include the session + id number to make multiplexed sessions more apparent. - Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109 + feedback and ok dtucker@ + + Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c -commit 1f8d3d629cd553031021068eb9c646a5f1e50994 -Author: jmc@openbsd.org -Date: Fri Aug 14 15:32:41 2015 +0000 +commit 624fd395b559820705171f460dd33d67743d13d6 +Author: djm@openbsd.org +Date: Wed Feb 17 02:24:17 2016 +0000 upstream commit - match myproposal.h order; from brian conway (i snuck in a - tweak while here) - - ok dtucker + include bad $SSH_CONNECTION in failure output - Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67 + Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529 -commit 1dc8d93ce69d6565747eb44446ed117187621b26 -Author: deraadt@openbsd.org -Date: Thu Aug 6 14:53:21 2015 +0000 +commit 60d860e54b4f199e5e89963b1c086981309753cb +Author: Darren Tucker +Date: Wed Feb 17 13:37:09 2016 +1100 - upstream commit - - add prohibit-password as a synonymn for without-password, - since the without-password is causing too many questions. Harden it to ban - all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from - djm, ok markus + Rollback addition of va_start. - Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a + va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however + it has the wrong number of args and it's not usable in non-variadic + functions anyway so it breaks things (for example Solaris 2.6 as + reported by Tom G. Christensen).i ok djm@ -commit 90a95a4745a531b62b81ce3b025e892bdc434de5 -Author: Damien Miller -Date: Tue Aug 11 13:53:41 2015 +1000 +commit 2fee909c3cee2472a98b26eb82696297b81e0d38 +Author: Darren Tucker +Date: Wed Feb 17 09:48:15 2016 +1100 - update version in README + Look for gethostbyname in libresolv and libnsl. + + Should fix build problem on Solaris 2.6 reported by Tom G. Christensen. -commit 318c37743534b58124f1bab37a8a0087a3a9bd2f +commit 5ac712d81a84396aab441a272ec429af5b738302 Author: Damien Miller -Date: Tue Aug 11 13:53:09 2015 +1000 +Date: Tue Feb 16 10:45:02 2016 +1100 - update versions in *.spec + make existing ssh_malloc_init only for __OpenBSD__ -commit 5e75f5198769056089fb06c4d738ab0e5abc66f7 -Author: Damien Miller -Date: Tue Aug 11 13:34:12 2015 +1000 +commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec +Author: djm@openbsd.org +Date: Mon Feb 15 23:32:37 2016 +0000 - set sshpam_ctxt to NULL after free + upstream commit - Avoids use-after-free in monitor when privsep child is compromised. - Reported by Moritz Jodeit; ok dtucker@ - -commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b -Author: Damien Miller -Date: Tue Aug 11 13:33:24 2015 +1000 - - Don't resend username to PAM; it already has it. + memleak of algorithm name in mm_answer_sign; reported by + Jakub Jelen - Pointed out by Moritz Jodeit; ok dtucker@ - -commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca -Author: Darren Tucker -Date: Mon Jul 27 12:14:25 2015 +1000 - - Import updated moduli file from OpenBSD. + Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08 -commit 55b263fb7cfeacb81aaf1c2036e0394c881637da -Author: Damien Miller -Date: Mon Aug 10 11:13:44 2015 +1000 +commit ffb1e7e896139a42ceb78676f637658f44612411 +Author: dtucker@openbsd.org +Date: Mon Feb 15 09:47:49 2016 +0000 - let principals-command.sh work for noexec /var/run + upstream commit + + Add a function to enable security-related malloc_options. + With and ok deraadt@, something similar has been in the snaps for a while. + + Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed -commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897 +commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c Author: Damien Miller -Date: Thu Aug 6 11:43:42 2015 +1000 +Date: Tue Feb 16 10:34:39 2016 +1100 - work around echo -n / sed behaviour in tests + sync ssh-copy-id with upstream 783ef08b0a75 -commit d85dad81778c1aa8106acd46930b25fdf0d15b2a +commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd Author: djm@openbsd.org -Date: Wed Aug 5 05:27:33 2015 +0000 +Date: Fri Feb 12 00:20:30 2016 +0000 upstream commit - adjust for RSA minimum modulus switch; ok deraadt@ + avoid fatal() for PKCS11 tokens that present empty key IDs + bz#1773, ok markus@ - Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae + Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54 -commit 57e8e229bad5fe6056b5f1199665f5f7008192c6 +commit e4c918a6c721410792b287c9fd21356a1bed5805 Author: djm@openbsd.org -Date: Tue Aug 4 05:23:06 2015 +0000 +Date: Thu Feb 11 02:56:32 2016 +0000 upstream commit - backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this - release; problems spotted by sthen@ ok deraadt@ markus@ + sync crypto algorithm lists in ssh_config(5) and + sshd_config(5) with current reality. bz#2527 - Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822 + Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6 -commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a +commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517 Author: djm@openbsd.org -Date: Sun Aug 2 09:56:42 2015 +0000 +Date: Thu Feb 11 02:21:34 2016 +0000 upstream commit - openssh 7.0; ok deraadt@ + fix regression in openssh-6.8 sftp client: existing + destination directories would incorrectly terminate recursive uploads; + bz#2528 - Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f + Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18 -commit 3d5728a0f6874ce4efb16913a12963595070f3a9 -Author: chris@openbsd.org -Date: Fri Jul 31 15:38:09 2015 +0000 +commit 714e367226ded4dc3897078be48b961637350b05 +Author: djm@openbsd.org +Date: Tue Feb 9 05:30:04 2016 +0000 upstream commit - Allow PermitRootLogin to be overridden by config - - ok markus@ deeradt@ + turn off more old crypto in the client: hmac-md5, ripemd, + truncated HMACs, RC4, blowfish. ok markus@ dtucker@ - Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4 + Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e -commit 6f941396b6835ad18018845f515b0c4fe20be21a +commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3 Author: djm@openbsd.org -Date: Thu Jul 30 23:09:15 2015 +0000 +Date: Mon Feb 8 23:40:12 2016 +0000 upstream commit - fix pty permissions; patch from Nikolay Edigaryev; ok - deraadt + don't attempt to percent_expand() already-canonicalised + addresses, avoiding unnecessary failures when attempting to connect to scoped + IPv6 addresses (that naturally contain '%' characters) - Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550 + Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a -commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0 -Author: deraadt@openbsd.org -Date: Thu Jul 30 19:23:02 2015 +0000 +commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a +Author: djm@openbsd.org +Date: Mon Feb 8 10:57:07 2016 +0000 upstream commit - change default: PermitRootLogin without-password matching - install script changes coming as well ok djm markus + refactor activation of rekeying - Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6 + This makes automatic rekeying internal to the packet code (previously + the server and client loops needed to assist). In doing to it makes + application of rekey limits more accurate by accounting for packets + about to be sent as well as packets queued during rekeying events + themselves. + + Based on a patch from dtucker@ which was in turn based on a patch + Aleksander Adamowski in bz#2521; ok markus@ + + Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8 -commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c -Author: Damien Miller -Date: Thu Jul 30 12:31:39 2015 +1000 +commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d +Author: naddy@openbsd.org +Date: Fri Feb 5 13:28:19 2016 +0000 - downgrade OOM adjustment logging: verbose -> debug + upstream commit + + Only check errno if read() has returned an error. EOF is + not an error. This fixes a problem where the mux master would sporadically + fail to notice that the client had exited. ok mikeb@ djm@ + + Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53 -commit f9eca249d4961f28ae4b09186d7dc91de74b5895 -Author: djm@openbsd.org -Date: Thu Jul 30 00:01:34 2015 +0000 +commit 56d7dac790693ce420d225119283bc355cff9185 +Author: jsg@openbsd.org +Date: Fri Feb 5 04:31:21 2016 +0000 upstream commit - Allow ssh_config and sshd_config kex parameters options be - prefixed by a '+' to indicate that the specified items be appended to the - default rather than replacing it. - - approach suggested by dtucker@, feedback dlg@, ok markus@ + avoid an uninitialised value when NumberOfPasswordPrompts + is 0 ok markus@ djm@ - Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a + Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b -commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163 +commit deae7d52d59c5019c528f977360d87fdda15d20b Author: djm@openbsd.org -Date: Wed Jul 29 08:34:54 2015 +0000 +Date: Fri Feb 5 03:07:06 2016 +0000 upstream commit - fix bug in previous; was printing incorrect string for - failed host key algorithms negotiation + mention internal DH-GEX fallback groups; bz#2302 - Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e + Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e -commit f319912b0d0e1675b8bb051ed8213792c788bcb2 +commit cac3b6665f884d46192c0dc98a64112e8b11a766 Author: djm@openbsd.org -Date: Wed Jul 29 04:43:06 2015 +0000 +Date: Fri Feb 5 02:37:56 2016 +0000 upstream commit - include the peer's offer when logging a failure to - negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@ + better description for MaxSessions; bz#2531 - Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796 + Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da -commit b6ea0e573042eb85d84defb19227c89eb74cf05a +commit 5ef4b0fdcc7a239577a754829b50022b91ab4712 +Author: Damien Miller +Date: Wed Jan 27 17:45:56 2016 +1100 + + avoid FreeBSD RCS Id in comment + + Change old $FreeBSD version string in comment so it doesn't + become an RCS ident downstream; requested by des AT des.no + +commit 696d12683c90d20a0a9c5f4275fc916b7011fb04 Author: djm@openbsd.org -Date: Tue Jul 28 23:20:42 2015 +0000 +Date: Thu Feb 4 23:43:48 2016 +0000 upstream commit - add Cisco to the list of clients that choke on the - hostkeys update extension. Pointed out by Howard Kash + printf argument casts to avoid warnings on strict + compilers - Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84 + Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c -commit 3f628c7b537291c1019ce86af90756fb4e66d0fd -Author: guenther@openbsd.org -Date: Mon Jul 27 16:29:23 2015 +0000 +commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a +Author: millert@openbsd.org +Date: Mon Feb 1 21:18:17 2016 +0000 upstream commit - Permit kbind(2) use in the sandbox now, to ease testing - of ld.so work using it - - reminded by miod@, ok deraadt@ + Avoid ugly "DISPLAY "(null)" invalid; disabling X11 + forwarding" message when DISPLAY is not set. This could also result in a + crash on systems with a printf that doesn't handle NULL. OK djm@ - Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413 + Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412 -commit ebe27ebe520098bbc0fe58945a87ce8490121edb -Author: millert@openbsd.org -Date: Mon Jul 20 18:44:12 2015 +0000 +commit 537f88ec7bcf40bd444ac5584c707c5588c55c43 +Author: dtucker@openbsd.org +Date: Fri Jan 29 05:18:15 2016 +0000 upstream commit - Move .Pp before .Bl, not after to quiet mandoc -Tlint. - Noticed by jmc@ + Add regression test for RekeyLimit parsing of >32bit values + (4G and 8G). - Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23 + Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328 -commit d5d91d0da819611167782c66ab629159169d94d4 -Author: millert@openbsd.org -Date: Mon Jul 20 18:42:35 2015 +0000 +commit 4c6cb8330460f94e6c7ae28a364236d4188156a3 +Author: dtucker@openbsd.org +Date: Fri Jan 29 23:04:46 2016 +0000 upstream commit - Sync usage with SYNOPSIS + Remove leftover roaming dead code. ok djm markus. - Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7 + Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be -commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743 -Author: millert@openbsd.org -Date: Mon Jul 20 15:39:52 2015 +0000 +commit 28136471809806d6246ef41e4341467a39fe2f91 +Author: djm@openbsd.org +Date: Fri Jan 29 05:46:01 2016 +0000 upstream commit - Better desciption of Unix domain socket forwarding. - bz#2423; ok jmc@ + include packet type of non-data packets in debug3 output; + ok markus dtucker - Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d + Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41 -commit d56fd1828074a4031b18b8faa0bf949669eb18a0 -Author: Damien Miller -Date: Mon Jul 20 11:19:51 2015 +1000 - - make realpath.c compile -Wsign-compare clean - -commit c63c9a691dca26bb7648827f5a13668832948929 -Author: djm@openbsd.org -Date: Mon Jul 20 00:30:01 2015 +0000 +commit 6fd6e28daccafaa35f02741036abe64534c361a1 +Author: dtucker@openbsd.org +Date: Fri Jan 29 03:31:03 2016 +0000 upstream commit - mention that the default of UseDNS=no implies that - hostnames cannot be used for host matching in sshd_config and - authorized_keys; bz#2045, ok dtucker@ + Revert "account for packets buffered but not yet + processed" change as it breaks for very small RekeyLimit values due to + continuous rekeying. ok djm@ - Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1 + Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19 -commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76 -Author: djm@openbsd.org -Date: Sat Jul 18 08:02:17 2015 +0000 +commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb +Author: dtucker@openbsd.org +Date: Fri Jan 29 02:54:45 2016 +0000 upstream commit - don't ignore PKCS#11 hosted keys that return empty - CKA_ID; patch by Jakub Jelen via bz#2429; ok markus + Allow RekeyLimits in excess of 4G up to 2**63 bits + (limited by the return type of scan_scaled). Part of bz#2521, ok djm. - Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485 + Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979 -commit b15fd989c8c62074397160147a8d5bc34b3f3c63 -Author: djm@openbsd.org -Date: Sat Jul 18 08:00:21 2015 +0000 +commit c0060a65296f01d4634f274eee184c0e93ba0f23 +Author: dtucker@openbsd.org +Date: Fri Jan 29 02:42:46 2016 +0000 upstream commit - skip uninitialised PKCS#11 slots; patch from Jakub Jelen - in bz#2427 ok markus@ + Account for packets buffered but not yet processed when + computing whether or not it is time to perform rekeying. bz#2521, based + loosely on a patch from olo at fb.com, ok djm@ - Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29 + Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c -commit 5b64f85bb811246c59ebab70aed331f26ba37b18 +commit 44cf930e670488c85c9efeb373fa5f4b455692ac Author: djm@openbsd.org -Date: Sat Jul 18 07:57:14 2015 +0000 +Date: Wed Jan 27 06:44:58 2016 +0000 upstream commit - only query each keyboard-interactive device once per - authentication request regardless of how many times it is listed; ok markus@ + change old $FreeBSD version string in comment so it doesn't + become an RCS ident downstream; requested by des AT des.no - Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1 + Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722 -commit cd7324d0667794eb5c236d8a4e0f236251babc2d +commit ebacd377769ac07d1bf3c75169644336056b7060 Author: djm@openbsd.org -Date: Fri Jul 17 03:34:27 2015 +0000 +Date: Wed Jan 27 00:53:12 2016 +0000 upstream commit - remove -u flag to diff (only used for error output) to make - things easier for -portable + make the debug messages a bit more useful here - Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548 + Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64 -commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a -Author: djm@openbsd.org -Date: Fri Jul 17 03:09:19 2015 +0000 +commit 458abc2934e82034c5c281336d8dc0f910aecad3 +Author: jsg@openbsd.org +Date: Sat Jan 23 05:31:35 2016 +0000 upstream commit - direct-streamlocal@openssh.com Unix domain foward - messages do not contain a "reserved for future use" field and in fact, - serverloop.c checks that there isn't one. Remove erroneous mention from - PROTOCOL description. bz#2421 from Daniel Black + Zero a stack buffer with explicit_bzero() instead of + memset() when returning from client_loop() for consistency with + buffer_free()/sshbuf_free(). - Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac + ok dtucker@ deraadt@ djm@ + + Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66 -commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52 -Author: djm@openbsd.org -Date: Fri Jul 17 03:04:27 2015 +0000 +commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0 +Author: dtucker@openbsd.org +Date: Wed Jan 20 09:22:39 2016 +0000 upstream commit - describe magic for setting up Unix domain socket fowards - via the mux channel; bz#2422 patch from Daniel Black + Include sys/time.h for gettimeofday. From sortie at + maxsi.org. - Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861 + Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b -commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc -Author: Darren Tucker -Date: Fri Jul 17 12:52:34 2015 +1000 +commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a +Author: markus@openbsd.org +Date: Thu Jan 14 22:56:56 2016 +0000 - Check if realpath works on nonexistent files. - - On some platforms the native realpath doesn't work with non-existent - files (this is actually specified in some versions of POSIX), however - the sftp spec says its realpath with "canonicalize any given path name". - On those platforms, use realpath from the compat library. + upstream commit - In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines - the realpath symbol to the checked version, so redefine ours to - something else so we pick up the compat version we want. + fd leaks; report Qualys Security Advisory team; ok + deraadt@ - bz#2428, ok djm@ + Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d -commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0 -Author: djm@openbsd.org -Date: Fri Jul 17 02:47:45 2015 +0000 +commit a306863831c57ec5fad918687cc5d289ee8e2635 +Author: markus@openbsd.org +Date: Thu Jan 14 16:17:39 2016 +0000 upstream commit - fix incorrect test for SSH1 keys when compiled without SSH1 - support + remove roaming support; ok djm@ - Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451 + Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56 -commit df56a8035d429b2184ee94aaa7e580c1ff67f73a -Author: djm@openbsd.org -Date: Wed Jul 15 08:00:11 2015 +0000 +commit 6ef49e83e30688504552ac10875feabd5521565f +Author: deraadt@openbsd.org +Date: Thu Jan 14 14:34:34 2016 +0000 upstream commit - fix NULL-deref when SSH1 reenabled + Disable experimental client-side roaming support. Server + side was disabled/gutted for years already, but this aspect was surprisingly + forgotten. Thanks for report from Qualys - Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295 + Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df -commit 41e38c4d49dd60908484e6703316651333f16b93 +commit 8d7b523b96d3be180572d9d338cedaafc0570f60 +Author: Damien Miller +Date: Thu Jan 14 11:08:19 2016 +1100 + + bump version numbers + +commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca +Author: Damien Miller +Date: Thu Jan 14 11:04:04 2016 +1100 + + openssh-7.1p2 + +commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5 +Author: Damien Miller +Date: Fri Jan 15 01:30:36 2016 +1100 + + forcibly disable roaming support in the client + +commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Author: djm@openbsd.org -Date: Wed Jul 15 07:19:50 2015 +0000 +Date: Wed Jan 13 23:04:47 2016 +0000 upstream commit - regen RSA1 test keys; the last batch was missing their - private parts + eliminate fallback from untrusted X11 forwarding to trusted + forwarding when the X server disables the SECURITY extension; Reported by + Thomas Hoger; ok deraadt@ - Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a + Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938 -commit 5bf0933184cb622ca3f96d224bf3299fd2285acc -Author: markus@openbsd.org -Date: Fri Jul 10 06:23:25 2015 +0000 +commit 9a728cc918fad67c8a9a71201088b1e150340ba4 +Author: djm@openbsd.org +Date: Tue Jan 12 23:42:54 2016 +0000 upstream commit - Adapt tests, now that DSA if off by default; use - PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA. + use explicit_bzero() more liberally in the buffer code; ok + deraadt - Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c + Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf -commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc -Author: markus@openbsd.org -Date: Tue Jul 7 14:54:16 2015 +0000 +commit 4626cbaf78767fc8e9c86dd04785386c59ae0839 +Author: Damien Miller +Date: Fri Jan 8 14:24:56 2016 +1100 - upstream commit + Support Illumos/Solaris fine-grained privileges - regen test data after mktestdata.sh changes + Includes a pre-auth privsep sandbox and several pledge() + emulations. bz#2511, patch by Alex Wilson. - Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4 + ok dtucker@ -commit 7c8c174c69f681d4910fa41c37646763692b28e2 -Author: markus@openbsd.org -Date: Tue Jul 7 14:53:30 2015 +0000 +commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d +Author: djm@openbsd.org +Date: Thu Dec 31 00:33:52 2015 +0000 upstream commit - adapt tests to new minimum RSA size and default FP format + fix three bugs in KRL code related to (unused) signature + support: verification length was being incorrectly calculated, multiple + signatures were being incorrectly processed and a NULL dereference that + occurred when signatures were verified. Reported by Carl Jackson - Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e + Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b -commit 6a977a4b68747ade189e43d302f33403fd4a47ac +commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a Author: djm@openbsd.org -Date: Fri Jul 3 04:39:23 2015 +0000 +Date: Wed Dec 30 23:46:14 2015 +0000 upstream commit - legacy v00 certificates are gone; adapt and don't try to - test them; "sure" markus@ dtucker@ + unused prototype - Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12 + Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97 -commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385 -Author: djm@openbsd.org -Date: Wed Jul 1 23:11:18 2015 +0000 +commit 6213f0e180e54122bb1ba928e11c784e2b4e5380 +Author: guenther@openbsd.org +Date: Sat Dec 26 20:51:35 2015 +0000 upstream commit *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***