<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/crypto/openssh/openbsd-compat/bsd-snprintf.c, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>ssh: Update to OpenSSH 9.4p1</title>
<updated>2023-08-11T03:10:18+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2023-08-11T03:10:18+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=535af610a4fdace6d50960c0ad9be0597eea7a1b'/>
<id>535af610a4fdace6d50960c0ad9be0597eea7a1b</id>
<content type='text'>
Excerpts from the release notes:

 * ssh-agent(1): PKCS#11 modules must now be specified by their full
   paths. Previously dlopen(3) could search for them in system
   library directories.

 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
   by running separate ssh-pkcs11-helpers for each loaded provider.

 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
   modules being loaded by checking that the requested module
   contains the required symbol before loading it.

 * ssh(1): don't incorrectly disable hostname canonicalization when
   CanonicalizeHostname=yes and ProxyJump was expicitly set to
   "none". bz3567

Full release notes at https://www.openssh.com/txt/release-9.4

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Excerpts from the release notes:

 * ssh-agent(1): PKCS#11 modules must now be specified by their full
   paths. Previously dlopen(3) could search for them in system
   library directories.

 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
   by running separate ssh-pkcs11-helpers for each loaded provider.

 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
   modules being loaded by checking that the requested module
   contains the required symbol before loading it.

 * ssh(1): don't incorrectly disable hostname canonicalization when
   CanonicalizeHostname=yes and ProxyJump was expicitly set to
   "none". bz3567

Full release notes at https://www.openssh.com/txt/release-9.4

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: Update to OpenSSH 9.3p1</title>
<updated>2023-03-16T14:29:55+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2023-03-16T14:29:55+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4'/>
<id>4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4</id>
<content type='text'>
This release fixes a number of security bugs and has minor new
features and bug fixes.  Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This release fixes a number of security bugs and has minor new
features and bug fixes.  Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>openssh: update to OpenSSH v8.7p1</title>
<updated>2021-09-08T01:05:51+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2021-09-08T01:05:51+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72'/>
<id>19261079b74319502c6ffa1249920079f0f69a72</id>
<content type='text'>
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
</pre>
</div>
</content>
</entry>
<entry>
<title>Upgrade to OpenSSH 7.8p1.</title>
<updated>2018-09-10T16:20:12+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2018-09-10T16:20:12+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=190cef3d52236565eb22e18b33e9e865ec634aa3'/>
<id>190cef3d52236565eb22e18b33e9e865ec634aa3</id>
<content type='text'>
Approved by:	re (kib@)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Approved by:	re (kib@)
</pre>
</div>
</content>
</entry>
<entry>
<title>Upgrade to OpenSSH 7.3p1.</title>
<updated>2017-03-02T00:11:32+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2017-03-02T00:11:32+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=076ad2f836d5f49dc1375f1677335a48fe0d4b82'/>
<id>076ad2f836d5f49dc1375f1677335a48fe0d4b82</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed</title>
<updated>2016-01-19T16:18:26+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2016-01-19T16:18:26+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=a0ee8cc636cd5c2374ec44ca71226564ea0bca95'/>
<id>a0ee8cc636cd5c2374ec44ca71226564ea0bca95</id>
<content type='text'>
upstream) and a number of security fixes which we had already backported.

MFC after:	1 week
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
upstream) and a number of security fixes which we had already backported.

MFC after:	1 week
</pre>
</div>
</content>
</entry>
<entry>
<title>Upgrade to OpenSSH 6.5p1.</title>
<updated>2014-01-31T13:12:02+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2014-01-31T13:12:02+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f7167e0ea0bf5aaabff9490453b3b71b3f1b4d51'/>
<id>f7167e0ea0bf5aaabff9490453b3b71b3f1b4d51</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Upgrade to OpenSSH 5.1p1.</title>
<updated>2008-08-01T02:48:36+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2008-08-01T02:48:36+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=d4af9e693f15f5155095f38c7650b24fe74ae351'/>
<id>d4af9e693f15f5155095f38c7650b24fe74ae351</id>
<content type='text'>
I have worked hard to reduce diffs against the vendor branch.  One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago.  This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.

MFC after:	6 weeks
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
I have worked hard to reduce diffs against the vendor branch.  One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago.  This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.

MFC after:	6 weeks
</pre>
</div>
</content>
</entry>
<entry>
<title>Properly flatten openssh/dist.</title>
<updated>2008-07-22T19:01:18+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2008-07-22T19:01:18+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=e3ae3b098db0d696976a0a4a75e7563b0bdbf21a'/>
<id>e3ae3b098db0d696976a0a4a75e7563b0bdbf21a</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Vendor import of OpenSSH 4.4p1.</title>
<updated>2006-09-30T13:29:51+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2006-09-30T13:29:51+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=761efaa70c2ed8d35722b7bc234a46bf2457f876'/>
<id>761efaa70c2ed8d35722b7bc234a46bf2457f876</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
</feed>
