Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 4 Aug 2017 12:57:25 +0000 (UTC)
From:      =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r322052 - in head/crypto/openssh: . contrib/cygwin contrib/redhat contrib/suse openbsd-compat regress regress/unittests regress/unittests/conversion regress/unittests/match regress/unit...
Message-ID:  <201708041257.v74CvPSb030136@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: des
Date: Fri Aug  4 12:57:24 2017
New Revision: 322052
URL: https://svnweb.freebsd.org/changeset/base/322052

Log:
  Upgrade to OpenSSH 7.5p1.

Added:
  head/crypto/openssh/regress/unittests/conversion/
     - copied from r321987, vendor-crypto/openssh/dist/regress/unittests/conversion/
Deleted:
  head/crypto/openssh/auth1.c
Modified:
  head/crypto/openssh/ChangeLog
  head/crypto/openssh/INSTALL
  head/crypto/openssh/Makefile.in
  head/crypto/openssh/README
  head/crypto/openssh/auth-pam.c
  head/crypto/openssh/auth2-pubkey.c
  head/crypto/openssh/auth2.c
  head/crypto/openssh/channels.c
  head/crypto/openssh/channels.h
  head/crypto/openssh/clientloop.c
  head/crypto/openssh/compat.c
  head/crypto/openssh/config.h
  head/crypto/openssh/configure.ac
  head/crypto/openssh/contrib/cygwin/ssh-host-config
  head/crypto/openssh/contrib/redhat/openssh.spec
  head/crypto/openssh/contrib/suse/openssh.spec
  head/crypto/openssh/digest-openssl.c
  head/crypto/openssh/freebsd-configure.sh
  head/crypto/openssh/hostfile.c
  head/crypto/openssh/kex.c
  head/crypto/openssh/krl.c
  head/crypto/openssh/log.c
  head/crypto/openssh/match.c
  head/crypto/openssh/match.h
  head/crypto/openssh/misc.c
  head/crypto/openssh/monitor.c
  head/crypto/openssh/mux.c
  head/crypto/openssh/openbsd-compat/bsd-misc.c
  head/crypto/openssh/openbsd-compat/bsd-misc.h
  head/crypto/openssh/openbsd-compat/fmt_scaled.c
  head/crypto/openssh/packet.c
  head/crypto/openssh/packet.h
  head/crypto/openssh/pathnames.h
  head/crypto/openssh/readconf.c
  head/crypto/openssh/regress/Makefile
  head/crypto/openssh/regress/agent-getpeereid.sh
  head/crypto/openssh/regress/allow-deny-users.sh
  head/crypto/openssh/regress/cert-file.sh
  head/crypto/openssh/regress/forwarding.sh
  head/crypto/openssh/regress/integrity.sh
  head/crypto/openssh/regress/test-exec.sh
  head/crypto/openssh/regress/unittests/Makefile
  head/crypto/openssh/regress/unittests/match/tests.c
  head/crypto/openssh/regress/unittests/test_helper/test_helper.c
  head/crypto/openssh/regress/unittests/test_helper/test_helper.h
  head/crypto/openssh/regress/unittests/utf8/tests.c
  head/crypto/openssh/sandbox-seccomp-filter.c
  head/crypto/openssh/servconf.c
  head/crypto/openssh/serverloop.c
  head/crypto/openssh/session.c
  head/crypto/openssh/sftp-client.c
  head/crypto/openssh/sftp.c
  head/crypto/openssh/ssh-agent.c
  head/crypto/openssh/ssh-keygen.c
  head/crypto/openssh/ssh-keyscan.c
  head/crypto/openssh/ssh.c
  head/crypto/openssh/ssh_config
  head/crypto/openssh/ssh_config.5
  head/crypto/openssh/ssh_namespace.h
  head/crypto/openssh/sshconnect.c
  head/crypto/openssh/sshconnect1.c
  head/crypto/openssh/sshconnect2.c
  head/crypto/openssh/sshd.8
  head/crypto/openssh/sshd.c
  head/crypto/openssh/sshd_config
  head/crypto/openssh/sshd_config.5
  head/crypto/openssh/sshkey.c
  head/crypto/openssh/sshkey.h
  head/crypto/openssh/utf8.c
  head/crypto/openssh/version.h
Directory Properties:
  head/crypto/openssh/   (props changed)

Modified: head/crypto/openssh/ChangeLog
==============================================================================
--- head/crypto/openssh/ChangeLog	Fri Aug  4 10:33:22 2017	(r322051)
+++ head/crypto/openssh/ChangeLog	Fri Aug  4 12:57:24 2017	(r322052)
@@ -1,3 +1,1174 @@
+commit d38f05dbdd291212bc95ea80648b72b7177e9f4e
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Mon Mar 20 13:38:27 2017 +1100
+
+    Add llabs() implementation.
+
+commit 72536316a219b7394996a74691a5d4ec197480f7
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Mar 20 12:23:04 2017 +1100
+
+    crank version numbers
+
+commit 3be52bc36bdfd24ded7e0f46999e7db520fb4e3f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Mar 20 01:18:59 2017 +0000
+
+    upstream commit
+    
+    openssh-7.5
+    
+    Upstream-ID: b8b9a4a949427c393cd868215e1724ceb3467ee5
+
+commit db84e52fe9cfad57f22e7e23c5fbf00092385129
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Mar 20 12:07:20 2017 +1100
+
+    I'm a doofus.
+    
+    Unbreak obvious syntax error.
+
+commit 89f04852db27643717c9c3a2b0dde97ae50099ee
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Mar 20 11:53:34 2017 +1100
+
+    on Cygwin, check paths from server for backslashes
+    
+    Pointed out by Jann Horn of Google Project Zero
+
+commit 7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Mar 20 11:48:34 2017 +1100
+
+    Yet another synonym for ASCII: "646"
+    
+    Used by NetBSD; this unbreaks mprintf() and friends there for the C
+    locale (caught by dtucker@ and his menagerie of test systems).
+
+commit 9165abfea3f68a0c684a6ed2e575e59bc31a3a6b
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Mar 20 09:58:34 2017 +1100
+
+    create test mux socket in /tmp
+    
+    Creating the socket in $OBJ could blow past the (quite limited)
+    path limit for Unix domain sockets. As a bandaid for bz#2660,
+    reported by Colin Watson; ok dtucker@
+
+commit 2adbe1e63bc313d03e8e84e652cc623af8ebb163
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Mar 15 07:07:39 2017 +0000
+
+    upstream commit
+    
+    disallow KEXINIT before NEWKEYS; ok djm; report by
+    vegard.nossum at oracle.com
+    
+    Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234
+
+commit 2fbf91684d76d38b9cf06550b69c9e41bca5a71c
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Thu Mar 16 14:05:46 2017 +1100
+
+    Include includes.h for compat bits.
+
+commit b55f634e96b9c5b0cd991e23a9ca181bec4bdbad
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Thu Mar 16 13:45:17 2017 +1100
+
+    Wrap stdint.h in #ifdef HAVE_STDINT_H
+
+commit 55a1117d7342a0bf8b793250cf314bab6b482b99
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Mar 16 11:22:42 2017 +1100
+
+    Adapt Cygwin config script to privsep knob removal
+    
+    Patch from Corinna Vinschen.
+
+commit 1a321bfdb91defe3c4d9cca5651724ae167e5436
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Wed Mar 15 03:52:30 2017 +0000
+
+    upstream commit
+    
+    accidents happen to the best of us; ok djm
+    
+    Upstream-ID: b7a9dbd71011ffde95e06f6945fe7197dedd1604
+
+commit 25f837646be8c2017c914d34be71ca435dfc0e07
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Mar 15 02:25:09 2017 +0000
+
+    upstream commit
+    
+    fix regression in 7.4: deletion of PKCS#11-hosted keys
+    would fail unless they were specified by full physical pathname. Report and
+    fix from Jakub Jelen via bz#2682; ok dtucker@
+    
+    Upstream-ID: 5b5bc20ca11cacb5d5eb29c3f93fd18425552268
+
+commit a8c5eeacf032a7d3408957e45dd7603cc1baf55f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Mar 15 02:19:09 2017 +0000
+
+    upstream commit
+    
+    Fix segfault when sshd attempts to load RSA1 keys (can
+    only happen when protocol v.1 support is enabled for the client). Reported by
+    Jakub Jelen in bz#2686; ok dtucker
+    
+    Upstream-ID: 8fdaec2ba4b5f65db1d094f6714ce64b25d871d7
+
+commit 66705948c0639a7061a0d0753266da7685badfec
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Mar 14 07:19:07 2017 +0000
+
+    upstream commit
+    
+    Mark the sshd_config UsePrivilegeSeparation option as
+    deprecated, effectively making privsep mandatory in sandboxing mode. ok
+    markus@ deraadt@
+    
+    (note: this doesn't remove the !privsep code paths, though that will
+    happen eventually).
+    
+    Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
+
+commit f86586b03fe6cd8f595289bde200a94bc2c191af
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Mar 14 18:26:29 2017 +1100
+
+    Make seccomp-bpf sandbox work on Linux/X32
+    
+    Allow clock_gettime syscall with X32 bit masked off. Apparently
+    this is required for at least some kernel versions. bz#2142
+    Patch mostly by Colin Watson. ok dtucker@
+
+commit 2429cf78dd2a9741ce27ba25ac41c535274a0af6
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Mar 14 18:01:52 2017 +1100
+
+    require OpenSSL >=1.0.1
+
+commit e3ea335abeab731c68f2b2141bee85a4b0bf680f
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Mar 14 17:48:43 2017 +1100
+
+    Remove macro trickery; no binary change
+    
+    This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
+    prepending __NR_ to the syscall number parameter and just makes
+    them explicit in the macro invocations.
+    
+    No binary change in stripped object file before/after.
+
+commit 5f1596e11d55539678c41f68aed358628d33d86f
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Mar 14 13:15:18 2017 +1100
+
+    support ioctls for ICA crypto card on Linux/s390
+    
+    Based on patch from Eduardo Barretto; ok dtucker@
+
+commit b1b22dd0df2668b322dda174e501dccba2cf5c44
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Tue Mar 14 14:19:36 2017 +1100
+
+    Plumb conversion test into makefile.
+
+commit f57783f1ddfb4cdfbd612c6beb5ec01cb5b9a6b9
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Mar 14 01:20:29 2017 +0000
+
+    upstream commit
+    
+    Add unit test for convtime().
+    
+    Upstream-Regress-ID: 8717bc0ca4c21120f6dd3a1d3b7a363f707c31e1
+
+commit 8884b7247d094cd11ff9e39c325ba928c5bdbc6c
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Mar 14 01:10:07 2017 +0000
+
+    upstream commit
+    
+    Add ASSERT_LONG_* helpers.
+    
+    Upstream-Regress-ID: fe15beaea8f5063c7f21b0660c722648e3d76431
+
+commit c6774d21185220c0ba11e8fd204bf0ad1a432071
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Mar 14 00:55:37 2017 +0000
+
+    upstream commit
+    
+    Fix convtime() overflow test on boundary condition,
+    spotted by & ok djm.
+    
+    Upstream-ID: 51f14c507ea87a3022e63f574100613ab2ba5708
+
+commit f5746b40cfe6d767c8e128fe50c43274b31cd594
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Mar 14 00:25:03 2017 +0000
+
+    upstream commit
+    
+    Check for integer overflow when parsing times in
+    convtime().  Reported by nicolas.iooss at m4x.org, ok djm@
+    
+    Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13
+
+commit f5907982f42a8d88a430b8a46752cbb7859ba979
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Tue Mar 14 13:38:15 2017 +1100
+
+    Add a "unit" target to run only unit tests.
+
+commit 9e96b41682aed793fadbea5ccd472f862179fb02
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Mar 14 12:24:47 2017 +1100
+
+    Fix weakness in seccomp-bpf sandbox arg inspection
+    
+    Syscall arguments are passed via an array of 64-bit values in struct
+    seccomp_data, but we were only inspecting the bottom 32 bits and not
+    even those correctly for BE systems.
+    
+    Fortunately, the only case argument inspection was used was in the
+    socketcall filtering so using this for sandbox escape seems
+    impossible.
+    
+    ok dtucker
+
+commit 8ff3fc3f2f7c13e8968717bc2b895ee32c441275
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Mar 11 23:44:16 2017 +0000
+
+    upstream commit
+    
+    regress tests for loading certificates without public keys;
+    bz#2617 based on patch from Adam Eijdenberg; ok markus@ dtucker@
+    
+    Upstream-Regress-ID: 0145d19328ed995b73fe2d9da33596b17429d0d0
+
+commit 1e24552716194db8f2f620587b876158a9ef56ad
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Mar 11 23:40:26 2017 +0000
+
+    upstream commit
+    
+    allow ssh to use certificates accompanied by a private
+    key file but no corresponding plain *.pub public key. bz#2617 based on patch
+    from Adam Eijdenberg; ok dtucker@ markus@
+    
+    Upstream-ID: 295668dca2c39505281577217583ddd2bd4b00b9
+
+commit 0fb1a617a07b8df5de188dd5a0c8bf293d4bfc0e
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Sat Mar 11 13:07:35 2017 +0000
+
+    upstream commit
+    
+    Don't count the initial block twice when computing how
+    many bytes to discard for the work around for the attacks against CBC-mode.
+    ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
+    
+    Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
+
+commit ef653dd5bd5777132d9f9ee356225f9ee3379504
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 07:18:32 2017 +0000
+
+    upstream commit
+    
+    krl.c
+    
+    Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1
+
+commit d94c1dfef2ea30ca67b1204ada7c3b537c54f4d0
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Mar 12 10:48:14 2017 +1100
+
+    sync fmt_scaled.c with OpenBSD
+    
+    revision 1.13
+    date: 2017/03/11 23:37:23;  author: djm;  state: Exp;  lines: +14 -1;  commitid: jnFKyHkB3CEiEZ2R;
+    fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
+    using AFL against ssh_config. ok deraadt@ millert@
+    ----------------------------
+    revision 1.12
+    date: 2013/11/29 19:00:51;  author: deraadt;  state: Exp;  lines: +6 -5;
+    fairly simple unsigned char casts for ctype
+    ok krw
+    ----------------------------
+    revision 1.11
+    date: 2012/11/12 14:07:20;  author: halex;  state: Exp;  lines: +4 -2;
+    make scan_scaled set errno to EINVAL rather than ERANGE if it encounters
+    an invalid multiplier, like the man page says it should
+    
+    "looks sensible" deraadt@, ok ian@
+    ----------------------------
+    revision 1.10
+    date: 2009/06/20 15:00:04;  author: martynas;  state: Exp;  lines: +4 -4;
+    use llabs instead of the home-grown version;  and some comment changes
+    ok ian@, millert@
+    ----------------------------
+
+commit 894221a63fa061e52e414ca58d47edc5fe645968
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 05:01:13 2017 +0000
+
+    upstream commit
+    
+    When updating hostkeys, accept RSA keys if
+    HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA
+    keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
+    nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
+    dtucker@
+    
+    Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
+
+commit dd3e2298663f4cc1a06bc69582d00dcfee27d73c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 04:24:55 2017 +0000
+
+    upstream commit
+    
+    make hostname matching really insensitive to case;
+    bz#2685, reported by Petr Cerny; ok dtucker@
+    
+    Upstream-ID: e467622ff154269e36ba8b6c9e3d105e1c4a9253
+
+commit 77a9be9446697fe8b5499fe651f4a82a71a4b51f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 03:52:48 2017 +0000
+
+    upstream commit
+    
+    reword a comment to make it fit 80 columns
+    
+    Upstream-ID: 4ef509a66b96c7314bbcc87027c2af71fa9d0ba4
+
+commit 61b8ef6a66efaec07e023342cb94a10bdc2254dc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 04:27:32 2017 +0000
+
+    upstream commit
+    
+    better match sshd config parser behaviour: fatal() if
+    line is overlong, increase line buffer to match sshd's; bz#2651 reported by
+    Don Fong; ok dtucker@
+    
+    Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18
+
+commit db2597207e69912f2592cd86a1de8e948a9d7ffb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 04:26:06 2017 +0000
+
+    upstream commit
+    
+    ensure hostname is lower-case before hashing it;
+    bz#2591 reported by Griff Miller II; ok dtucker@
+    
+    Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
+
+commit df9936936c695f85c1038bd706d62edf752aca4b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 04:24:55 2017 +0000
+
+    upstream commit
+    
+    make hostname matching really insensitive to case;
+    bz#2685, reported by Petr Cerny; ok dtucker@
+    
+    Upstream-ID: e632b7a9bf0d0558d5ff56dab98b7cca6c3db549
+
+commit 67eed24bfa7645d88fa0b883745fccb22a0e527e
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 04:11:00 2017 +0000
+
+    upstream commit
+    
+    Remove old null check from config dumper.  Patch from
+    jjelen at redhat.com vi bz#2687, ok djm@
+    
+    Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
+
+commit 183ba55aaaecca0206184b854ad6155df237adbe
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 04:07:20 2017 +0000
+
+    upstream commit
+    
+    fix regression in 7.4 server-sig-algs, where we were
+    accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
+    Goncalves; ok dtucker@
+    
+    Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
+
+commit 66be4fe8c4435af5bbc82998501a142a831f1181
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 03:53:11 2017 +0000
+
+    upstream commit
+    
+    Check for NULL return value from key_new.  Patch from
+    jjelen at redhat.com via bz#2687, ok djm@
+    
+    Upstream-ID: 059e33cd43cba88dc8caf0b1936fd4dd88fd5b8e
+
+commit ec2892b5c7fea199914cb3a6afb3af38f84990bf
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 03:52:48 2017 +0000
+
+    upstream commit
+    
+    reword a comment to make it fit 80 columns
+    
+    Upstream-ID: b4b48b4487c0821d16e812c40c9b09f03b28e349
+
+commit 7fadbb6da3f4122de689165651eb39985e1cba85
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 03:48:57 2017 +0000
+
+    upstream commit
+    
+    Check for NULL argument to sshkey_read.  Patch from
+    jjelen at redhat.com via bz#2687, ok djm@
+    
+    Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e
+
+commit 5a06b9e019e2b0b0f65a223422935b66f3749de3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 03:45:40 2017 +0000
+
+    upstream commit
+    
+    Plug some mem leaks mostly on error paths.  From jjelen
+    at redhat.com via bz#2687, ok djm@
+    
+    Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
+
+commit f6edbe9febff8121f26835996b1229b5064d31b7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 03:24:48 2017 +0000
+
+    upstream commit
+    
+    Plug mem leak on GLOB_NOMATCH case.  From jjelen at
+    redhat.com via bz#2687, ok djm@
+    
+    Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d
+
+commit 566b3a46e89a2fda2db46f04f2639e92da64a120
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 03:22:40 2017 +0000
+
+    upstream commit
+    
+    Plug descriptor leaks of auth_sock.  From jjelen at
+    redhat.com via bz#2687, ok djm@
+    
+    Upstream-ID: 248acb99a5ed2fdca37d1aa33c0fcee7be286d88
+
+commit 8a2834454c73dfc1eb96453c0e97690595f3f4c2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 03:18:24 2017 +0000
+
+    upstream commit
+    
+    correctly hash hosts with a port number. Reported by Josh
+    Powers in bz#2692; ok dtucker@
+    
+    Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
+
+commit 9747b9c742de409633d4753bf1a752cbd211e2d3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 10 03:15:58 2017 +0000
+
+    upstream commit
+    
+    don't truncate off \r\n from long stderr lines; bz#2688,
+    reported by Brian Dyson; ok dtucker@
+    
+    Upstream-ID: cdfdc4ba90639af807397ce996153c88af046ca4
+
+commit 4a4b75adac862029a1064577eb5af299b1580cdd
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 10 02:59:51 2017 +0000
+
+    upstream commit
+    
+    Validate digest arg in ssh_digest_final; from jjelen at
+    redhat.com via bz#2687, ok djm@
+    
+    Upstream-ID: dbe5494dfddfe523fab341a3dab5a79e7338f878
+
+commit bee0167be2340d8de4bdc1ab1064ec957c85a447
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Mar 10 13:40:18 2017 +1100
+
+    Check for NULL from malloc.
+    
+    Part of bz#2687, from jjelen at redhat.com.
+
+commit da39b09d43b137a5a3d071b51589e3efb3701238
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Mar 10 13:22:32 2017 +1100
+
+    If OSX is using launchd, remove screen no.
+    
+    Check for socket with and without screen number.  From Apple and Jakob
+    Schlyter via bz#2341, with contributions from Ron Frederick, ok djm@
+
+commit 8fb15311a011517eb2394bb95a467c209b8b336c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Mar 8 12:07:47 2017 +0000
+
+    upstream commit
+    
+    quote [host]:port in generated ProxyJump commandline; the
+    [ / ] characters can confuse some shells (e.g. zsh). Reported by Lauri
+    Tirkkonen via bugs@
+    
+    Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182
+
+commit 18501151cf272a15b5f2c5e777f2e0933633c513
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Mar 6 02:03:20 2017 +0000
+
+    upstream commit
+    
+    Check l->hosts before dereferencing; fixes potential null
+    pointer deref. ok djm@
+    
+    Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
+
+commit d072370793f1a20f01ad827ba8fcd3b8f2c46165
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Mar 6 00:44:51 2017 +0000
+
+    upstream commit
+    
+    linenum is unsigned long so use %lu in log formats.  ok
+    deraadt@
+    
+    Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
+
+commit 12d3767ba4c84c32150cbe6ff6494498780f12c9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Mar 3 06:13:11 2017 +0000
+
+    upstream commit
+    
+    fix ssh-keygen -H accidentally corrupting known_hosts that
+    contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
+    hostkeys_foreach() when hostname matching is in use, so we need to look for
+    the hash marker explicitly.
+    
+    Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
+
+commit d7abb771bd5a941b26144ba400a34563a1afa589
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Feb 28 06:10:08 2017 +0000
+
+    upstream commit
+    
+    small memleak: free fd_set on connection timeout (though
+    we are heading to exit anyway). From Tom Rix in bz#2683
+    
+    Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
+
+commit 78142e3ab3887e53a968d6e199bcb18daaf2436e
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Mon Feb 27 14:30:33 2017 +0000
+
+    upstream commit
+    
+    errant dot; from klemens nanni
+    
+    Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
+
+commit 8071a6924c12bb51406a9a64a4b2892675112c87
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 24 03:16:34 2017 +0000
+
+    upstream commit
+    
+    might as well set the listener socket CLOEXEC
+    
+    Upstream-ID: 9c538433d6a0ca79f5f21decc5620e46fb68ab57
+
+commit d5499190559ebe374bcdfa8805408646ceffad64
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Feb 19 00:11:29 2017 +0000
+
+    upstream commit
+    
+    add test cases for C locale; ok schwarze@
+    
+    Upstream-Regress-ID: 783d75de35fbc923d46e2a5e6cee30f8f381ba87
+
+commit 011c8ffbb0275281a0cf330054cf21be10c43e37
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Feb 19 00:10:57 2017 +0000
+
+    upstream commit
+    
+    Add a common nl_langinfo(CODESET) alias for US-ASCII
+    "ANSI_X3.4-1968" that is used by Linux. Fixes mprintf output truncation for
+    non-UTF-8 locales on Linux spotted by dtucker@; ok deraadt@ schwarze@
+    
+    Upstream-ID: c6808956ebffd64066f9075d839f74ff0dd60719
+
+commit 0c4430a19b73058a569573492f55e4c9eeaae67b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Feb 7 23:03:11 2017 +0000
+
+    upstream commit
+    
+    Remove deprecated SSH1 options RSAAuthentication and
+    RhostsRSAAuthentication from regression test sshd_config.
+    
+    Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491
+
+commit 3baa4cdd197c95d972ec3d07f1c0d08f2d7d9199
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Feb 17 02:32:05 2017 +0000
+
+    upstream commit
+    
+    Do not show rsa1 key type in usage when compiled without
+    SSH1 support.
+    
+    Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
+
+commit ecc35893715f969e98fee118481f404772de4132
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Feb 17 02:31:14 2017 +0000
+
+    upstream commit
+    
+    ifdef out "rsa1" from the list of supported keytypes when
+    compiled without SSH1 support.  Found by kdunlop at guralp.com, ok djm@
+    
+    Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
+
+commit 10577c6d96a55b877a960b2d0b75edef1b9945af
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 17 02:04:15 2017 +0000
+
+    upstream commit
+    
+    For ProxyJump/-J, surround host name with brackets to
+    allow literal IPv6 addresses. From Dick Visser; ok dtucker@
+    
+    Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
+
+commit b2afdaf1b52231aa23d2153f4a8c5a60a694dda4
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date:   Wed Feb 15 23:38:31 2017 +0000
+
+    upstream commit
+    
+    Fix memory leaks in match_filter_list() error paths.
+    
+    ok dtucker@ markus@
+    
+    Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e
+
+commit 6d5a41b38b55258213ecfaae9df7a758caa752a1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Feb 15 01:46:47 2017 +0000
+
+    upstream commit
+    
+    fix division by zero crash in "df" output when server
+    returns zero total filesystem blocks/inodes. Spotted by Guido Vranken; ok
+    dtucker@
+    
+    Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f
+
+commit bd5d7d239525d595ecea92765334af33a45d9d63
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Sun Feb 12 15:45:15 2017 +1100
+
+    ifdef out EVP_R_PRIVATE_KEY_DECODE_ERROR
+    
+    EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out
+    for the benefit of OpenSSL versions prior to that.
+
+commit 155d540d00ff55f063421ec182ec8ff2b7ab6cbe
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 10 04:34:50 2017 +0000
+
+    upstream commit
+    
+    bring back r1.34 that was backed out for problems loading
+    public keys:
+    
+    translate OpenSSL error codes to something more
+    meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
+    
+    with additional fix from Jakub Jelen to solve the backout.
+    bz#2525 bz#2523 re-ok dtucker@
+    
+    Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
+
+commit a287c5ad1e0bf9811c7b9221979b969255076019
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 10 03:36:40 2017 +0000
+
+    upstream commit
+    
+    Sanitise escape sequences in key comments sent to printf
+    but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
+    
+    Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
+
+commit e40269be388972848aafcca7060111c70aab5b87
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Wed Feb 8 20:32:43 2017 +0000
+
+    upstream commit
+    
+    Avoid printf %s NULL.  From semarie@, OK djm@
+    
+    Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
+
+commit 5b90709ab8704dafdb31e5651073b259d98352bc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Feb 6 09:22:51 2017 +0000
+
+    upstream commit
+    
+    Restore \r\n newline sequence for server ident string. The CR
+    got lost in the flensing of SSHv1. Pointed out by Stef Bon
+    
+    Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac
+
+commit 97c31c46ee2e6b46dfffdfc4f90bbbf188064cbc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 3 23:01:42 2017 +0000
+
+    upstream commit
+    
+    unit test for match_filter_list() function; still want a
+    better name for this...
+    
+    Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a
+
+commit f1a193464a7b77646f0d0cedc929068e4a413ab4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 3 23:05:57 2017 +0000
+
+    upstream commit
+    
+    use ssh_packet_set_log_preamble() to include connection
+    username in packet log messages, e.g.
+    
+    Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
+    
+    ok markus@ bz#113
+    
+    Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
+
+commit 07edd7e9537ab32aa52abb5fb2a915c350fcf441
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 3 23:03:33 2017 +0000
+
+    upstream commit
+    
+    add ssh_packet_set_log_preamble() to allow inclusion of a
+    preamble string in disconnect messages; ok markus@
+    
+    Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
+
+commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 3 23:01:19 2017 +0000
+
+    upstream commit
+    
+    support =- for removing methods from algorithms lists,
+    e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
+    it" markus@
+    
+    Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
+
+commit c924b2ef941028a1f31e6e94f54dfeeeef462a4e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 3 05:05:56 2017 +0000
+
+    upstream commit
+    
+    allow form-feed characters at EOL; bz#2431 ok dtucker@
+    
+    Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
+
+commit 523db8540b720c4d21ab0ff6f928476c70c38aab
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Feb 3 16:01:22 2017 +1100
+
+    prefer to use ldns-config to find libldns
+    
+    Should fix bz#2603 - "Build with ldns and without kerberos support
+    fails if ldns compiled with kerberos support" by including correct
+    cflags/libs
+    
+    ok dtucker@
+
+commit c998bf0afa1a01257a53793eba57941182e9e0b7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Feb 3 02:56:00 2017 +0000
+
+    upstream commit
+    
+    Make ssh_packet_set_rekey_limits take u32 for the number of
+    seconds until rekeying (negative values are rejected at config parse time).
+    This allows the removal of some casts and a signed vs unsigned comparison
+    warning.
+    
+    rekey_time is cast to int64 for the comparison which is a no-op
+    on OpenBSD, but should also do the right thing in -portable on
+    anything still using 32bit time_t (until the system time actually
+    wraps, anyway).
+    
+    some early guidance deraadt@, ok djm@
+    
+    Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
+
+commit 3ec5fa4ba97d4c4853620daea26a33b9f1fe3422
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date:   Thu Feb 2 10:54:25 2017 +0000
+
+    upstream commit
+    
+    In vasnmprintf() return an error if malloc fails and
+    don't set a function argument to the address of free'd memory.
+    
+    ok djm@
+    
+    Upstream-ID: 1efffffff2f51d53c9141f245b90ac23d33b9779
+
+commit 858252fb1d451ebb0969cf9749116c8f0ee42753
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Feb 1 02:59:09 2017 +0000
+
+    upstream commit
+    
+    Return true reason for port forwarding failures where
+    feasible rather than always "administratively prohibited".  bz#2674, ok djm@
+    
+    Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
+
+commit 6ba9f893838489add6ec4213c7a997b425e4a9e0
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Jan 30 23:27:39 2017 +0000
+
+    upstream commit
+    
+    Small correction to the known_hosts section on when it is
+    updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
+    sdf.org
+    
+    Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
+
+commit c61d5ec3c11e7ff9779b6127421d9f166cf10915
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Feb 3 14:10:34 2017 +1100
+
+    Remove _XOPEN_SOURCE from wide char detection.
+    
+    Having _XOPEN_SOURCE unconditionally causes problems on some platforms
+    and configurations, notably Solaris 64-bit binaries.  It was there for
+    the benefit of Linux put the required bits in the *-*linux* section.
+    
+    Patch from yvoinov at gmail.com.
+
+commit f25ee13b3e81fd80efeb871dc150fe49d7fc8afd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jan 30 05:22:14 2017 +0000
+
+    upstream commit
+    
+    fully unbreak: some $SSH invocations did not have -F
+    specified and could pick up the ~/.ssh/config of the user running the tests
+    
+    Upstream-Regress-ID: f362d1892c0d3e66212d5d3fc02d915c58ef6b89
+
+commit 6956e21fb26652887475fe77ea40d2efcf25908b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jan 30 04:54:07 2017 +0000
+
+    upstream commit
+    
+    partially unbreak: was not specifying hostname on some
+    $SSH invocations
+    
+    Upstream-Regress-ID: bc8a5e98e57bad0a92ef4f34ed91c1d18294e2cc
+
+commit 52763dd3fe0a4678dafdf7aeb32286e514130afc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jan 30 01:03:00 2017 +0000
+
+    upstream commit
+    
+    revise keys/principals command hang fix (bz#2655) to
+    consume entire output, avoiding sending SIGPIPE to subprocesses early; ok
+    dtucker@
+    
+    Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
+
+commit 381a2615a154a82c4c53b787f4a564ef894fe9ac
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jan 30 00:38:50 2017 +0000
+
+    upstream commit
+    
+    small cleanup post SSHv1 removal:
+    
+    remove SSHv1-isms in commented examples
+    
+    reorder token table to group deprecated and compile-time conditional tokens
+    better
+    
+    fix config dumping code for some compile-time conditional options that
+    weren't being correctly skipped (SSHv1 and PKCS#11)
+    
+    Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105
+
+commit 4833d01591b7eb049489d9558b65f5553387ed43
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jan 30 00:34:01 2017 +0000
+
+    upstream commit
+    
+    some explicit NULL tests when dumping configured
+    forwardings; from Karsten Weiss
+    
+    Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d
+
+commit 326e2fae9f2e3e067b5651365eba86b35ee5a6b2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jan 30 00:32:28 2017 +0000
+
+    upstream commit
+    
+    misplaced braces in test; from Karsten Weiss
+    
+    Upstream-ID: f7b794074d3aae8e35b69a91d211c599c94afaae
+
+commit 3e032a95e46bfaea9f9e857678ac8fa5f63997fb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jan 30 00:32:03 2017 +0000
+
+    upstream commit
+    
+    don't dereference authctxt before testing != NULL, it
+    causes compilers to make assumptions; from Karsten Weiss
+    
+    Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2
+
+commit 01cfaa2b1cfb84f3cdd32d1bf82b120a8d30e057
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jan 6 02:51:16 2017 +0000
+
+    upstream commit
+    
+    use correct ssh-add program; bz#2654, from Colin Watson
+    
+    Upstream-Regress-ID: 7042a36e1bdaec6562f6e57e9d047efe9c7a6030
+
+commit e5c7ec67cdc42ae2584085e0fc5cc5ee91133cf5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jan 6 02:26:10 2017 +0000
+
+    upstream commit
+    
+    Account for timeouts in the integrity tests as failures.
+    
+    If the first test in a series for a given MAC happens to modify the low
+    bytes of a packet length, then ssh will time out and this will be
+    interpreted as a test failure.  Patch from cjwatson at debian.org via
+    bz#2658.
+    
+    Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201708041257.v74CvPSb030136>