[arch-dev-public] [signoff] openssh-5.7p1-1

Guillaume ALAUX guillaume at archlinux.org
Tue Jan 25 17:19:16 EST 2011


On Mon, 2011-01-24 at 13:09 +0100, Gaetan Bisson wrote:
> Hi everyone,
> 
> OpenSSH 5.7 has just been released. Due to Guillaume's work on this
> package, the upgrade was quite straightforward and openssh-5.7p1-1 is
> now in [testing]. All tests pass on both architectures.
> 
> Enjoy your shiny new ECDSA keys!
> 
> (And then please signoff.)
> 
> -- 
> Gaetan
> 
> 
> Changes since OpenSSH 5.6
> =========================
> 
> Features:
> 
>  * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
>    and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
>    offer better performance than plain DH and DSA at the same equivalent
>    symmetric key length, as well as much shorter keys.
>      
>    Only the mandatory sections of RFC5656 are implemented, specifically
>    the three REQUIRED curves nistp256, nistp384 and nistp521 and only
>    ECDH and ECDSA. Point compression (optional in RFC5656) is NOT
>    implemented.
>      
>    Certificate host and user keys using the new ECDSA key types are
>    supported - an ECDSA key may be certified, and an ECDSA key may act
>    as a CA to sign certificates.
> 
>    ECDH in a 256 bit curve field is the preferred key agreement
>    algorithm when both the client and server support it. ECDSA host
>    keys are preferred when learning a host's keys for the first time,
>    or can be learned using ssh-keyscan(1).
>      
>  * sftp(1)/sftp-server(8): add a protocol extension to support a hard
>    link operation. It is available through the "ln" command in the
>    client. The old "ln" behaviour of creating a symlink is available
>    using its "-s" option or through the preexisting "symlink" command.
> 
>  * scp(1): Add a new -3 option to scp: Copies between two remote hosts
>    are transferred through the local host.  Without this option the
>    data is copied directly between the two remote hosts. 
> 
>  * ssh(1): automatically order the hostkeys requested by the client
>    based on which hostkeys are already recorded in known_hosts. This
>    avoids hostkey warnings when connecting to servers with new ECDSA
>    keys, since these are now preferred when learning hostkeys for the
>    first time.
> 
>  * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
>    TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
>    bz#1733
> 
>  * sftp(1): the sftp client is now significantly faster at performing
>    directory listings, using OpenBSD glob(3) extensions to preserve
>    the results of stat(3) operations performed in the course of its
>    execution rather than performing expensive round trips to fetch
>    them again afterwards.
> 
>  * ssh(1): "atomically" create the listening mux socket by binding it on
>    a temporary name and then linking it into position after listen() has
>    succeeded. This allows the mux clients to determine that the server
>    socket is either ready or stale without races. stale server sockets
>    are now automatically removed. (also fixes bz#1711)
> 
>  * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
>    configuration to allow selection of which key exchange methods are
>    used by ssh(1) and sshd(8) and their order of preference.
> 
>  * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
>    a generic bandwidth limiter that can be attached using the atomicio
>    callback mechanism and use it to add a bandwidth limit option to
>    sftp(1). bz#1147
>  
> BugFixes:
> 
>  * ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
>    temporary directories. bz#1809
> 
>  * ssh(1): avoid NULL deref on receiving a channel request on an unknown
>    or invalid channel; bz#1842
> 
>  * sshd(8): remove a debug() that pollutes stderr on client connecting
>    to a server in debug mode; bz#1719
> 
>  * scp(1): pass through ssh command-line flags and options when doing
>    remote-remote transfers, e.g. to enable agent forwarding which is
>    particularly useful in this case; bz#1837
> 
>  * sftp-server(8): umask should be parsed as octal
> 
>  * sftp(1): escape '[' in filename tab-completion
> 
>  * ssh(1): Typo in confirmation message.  bz#1827
> 
>  * sshd(8): prevent free() of string in .rodata when overriding
>    AuthorizedKeys in a Match block
> 
>  * sshd(8): Use default shell /bin/sh if $SHELL is ""
> 
>  * ssh(1): kill proxy command on fatal() (we already killed it on
>    clean exit);
> 
>  * ssh(1): install a SIGCHLD handler to reap expired child process;
>    bz#1812
> 
>  * Support building against openssl-1.0.0a
> 
> Portable OpenSSH Bugfixes:
> 
>  * Use mandoc as preferred manpage formatter if it is present, followed
>    by nroff and groff respectively.
> 
>  * sshd(8): Relax permission requirement on btmp logs to allow group
>    read/write
> 
>  * bz#1840: fix warning when configuring --with-ssl-engine
> 
>  * sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817
> 
>  * sshd(8): bz#1824: Add Solaris Project support.
> 
>  * sshd(8): Check is_selinux_enabled for exact return code since it can
>    apparently return -1 under some conditions.

Signoff x86_64

-- 
Guillaume
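The quoted notes say that ssh(1) 5.7 orders the host key algorithms it requests so that key types already recorded in known_hosts come first, which is what keeps the new ECDSA preference from producing host key warnings against hosts you already trust under RSA or DSA. The script below is an added illustration of that ordering logic, not OpenSSH code and not from either poster: the known_hosts lines and key blobs are constructed placeholders, and the default preference list is a simplified stand-in for the real client default.

```sh
#!/bin/sh
# Added example: reproduce the "known types first" host key ordering that
# the OpenSSH 5.7 notes describe, over a constructed known_hosts sample.
# The key blobs below are placeholders, not real public keys.

KNOWN_HOSTS_SAMPLE='example.org ssh-rsa AAAAB3PLACEHOLDER_RSA
example.org ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER_ECDSA
build.example.net ssh-dss AAAAB3PLACEHOLDER_DSS'

# Assumption: a simplified default preference list with ECDSA first, as the
# notes say ECDSA is preferred when a host's key is learned for the first time.
DEFAULT_ORDER="ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa ssh-dss"

# known_types HOST: print the key types already recorded for HOST, one per line.
# Plain hostnames only; hashed (|1|...) entries would need ssh-keygen -F instead.
known_types() {
    printf '%s\n' "$KNOWN_HOSTS_SAMPLE" | awk -v h="$1" '$1 == h { print $2 }'
}

# hostkey_order HOST: comma-separated algorithm list, shaped like a
# HostKeyAlgorithms value, with already-known types moved to the front
# while keeping the default relative order inside each group.
hostkey_order() {
    known=$(known_types "$1")
    first=""
    rest=""
    for t in $DEFAULT_ORDER; do
        if printf '%s\n' "$known" | grep -qx "$t"; then
            first="${first:+$first,}$t"
        else
            rest="${rest:+$rest,}$t"
        fi
    done
    if [ -n "$first" ] && [ -n "$rest" ]; then
        printf '%s\n' "$first,$rest"
    else
        printf '%s\n' "$first$rest"
    fi
}

# Stand-alone run: show the order the client would ask for per host.
for h in example.org build.example.net new.example.com; do
    printf '%s: %s\n' "$h" "$(hostkey_order "$h")"
done
```

For example.org, which has both an RSA and an ECDSA entry, the ECDSA type and RSA move ahead of the unseen curves and DSA; for build.example.net the recorded DSA key is asked for first, so the server's existing key still matches what the client has pinned; an unknown host gets the default order, and the ECDSA key it learns is the one that will be pinned from then on.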
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20110125/e37cab5e/attachment.asc>