+20070306
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2007/03/01 16:19:33
+ [sshd_config.5]
+ sort the `match' keywords;
+ - djm@cvs.openbsd.org 2007/03/06 10:13:14
+ [version.h]
+ openssh-4.6; "please" deraadt@
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] crank spec files for release
+ - (djm) [README] correct link to release notes
+ - (djm) Release 4.6p1
+
+20070304
+ - (djm) [configure.ac] add a --without-openssl-header-check option to
+ configure, as some platforms (OS X) ship OpenSSL headers whose version
+ does not match that of the shipping library. ok dtucker@
+ - (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a
+ bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256
+ ciphers from working correctly (disconnects with "Bad packet length"
+ errors) as found by Ben Harris. ok djm@
+
+20070303
+ - (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more
+ general to cover newer gdb versions on HP-UX.
+
+20070302
+ - (dtucker) [configure.ac] For Cygwin, read files in textmode (which allows
+ CRLF as well as LF lineendings) and write in binary mode. Patch from
+ vinschen at redhat.com.
+ - (dtucker) [INSTALL] Update to autoconf-2.61.
+
+20070301
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2007/03/01 10:28:02
+ [auth2.c sshd_config.5 servconf.c]
+ Remove ChallengeResponseAuthentication support inside a Match
+ block as its interaction with KbdInteractive makes it difficult to
+ support. Also, relocate the CR/kbdint option special-case code into
+ servconf. "please commit" djm@, ok markus@ for the relocation.
+ - (tim) [buildpkg.sh.in openssh.xml.in] Clean up Solaris 10 smf(5) bits.
+ "Looks sane" dtucker@
+
+20070228
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2007/02/28 00:55:30
+ [ssh-agent.c]
+ Remove expired keys periodically so they don't remain in memory when
+ the agent is entirely idle, as noted by David R. Piegdon. This is the
+ simple fix, a more efficient one will be done later. With markus,
+ deraadt, with & ok djm.
+
+20070225
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2007/02/20 10:25:14
+ [clientloop.c]
+ set maximum packet and window sizes the same for multiplexed clients
+ as normal connections; ok markus@
+ - dtucker@cvs.openbsd.org 2007/02/21 11:00:05
+ [sshd.c]
+ Clear alarm() before restarting sshd on SIGHUP. Without this, if there's
+ a SIGALRM pending (for SSH1 key regeneration) when sshd is SIGHUP'ed, the
+ newly exec'ed sshd will get the SIGALRM and not have a handler for it,
+ and the default action will terminate the listening sshd. Analysis and
+ patch from andrew at gaul.org.
+ - dtucker@cvs.openbsd.org 2007/02/22 12:58:40
+ [servconf.c]
+ Check activep so Match and GatewayPorts work together; ok markus@
+ - ray@cvs.openbsd.org 2007/02/24 03:30:11
+ [moduli.c]
+ - strlen returns size_t, not int.
+ - Pass full buffer size to fgets.
+ OK djm@, millert@, and moritz@.
+
+20070219
+ - (dtucker) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2007/01/10 13:23:22
+ [ssh_config.5]
+ do not use a list for SYNOPSIS;
+ this is actually part of a larger report sent by eric s. raymond
+ and forwarded by brad, but i only read half of it. spotted by brad.
+ - jmc@cvs.openbsd.org 2007/01/12 20:20:41
+ [ssh-keygen.1 ssh-keygen.c]
+ more secsh -> rfc 4716 updates;
+ spotted by wiz@netbsd
+ ok markus
+ - dtucker@cvs.openbsd.org 2007/01/17 23:22:52
+ [readconf.c]
+ Honour activep for times (eg ServerAliveInterval) while parsing
+ ssh_config and ~/.ssh/config so they work properly with Host directives.
+ From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@
+ - stevesk@cvs.openbsd.org 2007/01/21 01:41:54
+ [auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
+ spaces
+ - stevesk@cvs.openbsd.org 2007/01/21 01:45:35
+ [readconf.c]
+ spaces
+ - djm@cvs.openbsd.org 2007/01/22 11:32:50
+ [sftp-client.c]
+ return error from do_upload() when a write fails. fixes bz#1252: zero
+ exit status from sftp when uploading to a full device. report from
+ jirkat AT atlas.cz; ok dtucker@
+ - djm@cvs.openbsd.org 2007/01/22 13:06:21
+ [scp.c]
+ fix detection of whether we should show progress meter or not: scp
+ tested isatty(stderr) but wrote the progress meter to stdout. This patch
+ makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
+ of dtucker@
+ - stevesk@cvs.openbsd.org 2007/02/14 14:32:00
+ [bufbn.c]
+ typos in comments; ok jmc@
+ - dtucker@cvs.openbsd.org 2007/02/19 10:45:58
+ [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
+ Teach Match how handle config directives that are used before
+ authentication. This allows configurations such as permitting password
+ authentication from the local net only while requiring pubkey from
+ offsite. ok djm@, man page bits ok jmc@
+ - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some
+ platforms don't have it. Patch from dleonard at vintela.com.
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc
+ an array for signatures when there are none since "calloc(0, n) returns
+ NULL on some platforms (eg Tru64), which is explicitly permitted by
+ POSIX. Diagnosis and patch by svallet genoscope.cns.fr.
+
+20070128
+ - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52)
+ when closing a tty session when a background process still holds tty
+ fds open. Great detective work and patch by Marc Aurele La France,
+ slightly tweaked by me; ok dtucker@
+
+20070123
+ - (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public
+ library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro
+ so it works properly and modify its callers so that they don't pre or
+ post decrement arguments that are conditionally evaluated. While there,
+ put SNPRINTF_CONST back as it prevents build failures in some
+ configurations. ok djm@ (for most of it)
+
+20070122
+ - (djm) [ssh-rand-helper.8] manpage nits;
+ from dleonard AT vintela.com (bz#1529)
+
+20070117
+ - (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h
+ and multiple including it causes problems on old IRIXes. (It snuck back
+ in during a sync.) Found (again) by Georg Schwarz.
+
+20070114
+ - (dtucker) [ssh-keygen.c] av -> argv to match earlier sync.
+ - (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return
+ value of snprintf replacement, similar to bugs in various libc
+ implementations. This overflow is not exploitable in OpenSSH.
+ While I'm fiddling with it, make it a fair bit faster by inlining the
+ append-char routine; ok dtucker@
+
+20070105
+ - (djm) OpenBSD CVS Sync
+ - deraadt@cvs.openbsd.org 2006/11/14 19:41:04
+ [ssh-keygen.c]
+ use argc and argv not some made up short form
+ - ray@cvs.openbsd.org 2006/11/23 01:35:11
+ [misc.c sftp.c]
+ Don't access buf[strlen(buf) - 1] for zero-length strings.
+ ``ok by me'' djm@.
+ - markus@cvs.openbsd.org 2006/12/11 21:25:46
+ [ssh-keygen.1 ssh.1]
+ add rfc 4716 (public key format); ok jmc
+ - djm@cvs.openbsd.org 2006/12/12 03:58:42
+ [channels.c compat.c compat.h]
+ bz #1019: some ssh.com versions apparently can't cope with the
+ remote port forwarding bind_address being a hostname, so send
+ them an address for cases where they are not explicitly
+ specified (wildcard or localhost bind). reported by daveroth AT
+ acm.org; ok dtucker@ deraadt@
+ - dtucker@cvs.openbsd.org 2006/12/13 08:34:39
+ [servconf.c]
+ Make PermitOpen work with multiple values like the man pages says.
+ bz #1267 with details from peter at dmtz.com, with & ok djm@
+ - dtucker@cvs.openbsd.org 2006/12/14 10:01:14
+ [servconf.c]
+ Make "PermitOpen all" first-match within a block to match the way other
+ options work. ok markus@ djm@
+ - jmc@cvs.openbsd.org 2007/01/02 09:57:25
+ [sshd_config.5]
+ do not use lists for SYNOPSIS;
+ from eric s. raymond via brad
+ - stevesk@cvs.openbsd.org 2007/01/03 00:53:38
+ [ssh-keygen.c]
+ remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
+ - stevesk@cvs.openbsd.org 2007/01/03 03:01:40
+ [auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
+ spaces
+ - stevesk@cvs.openbsd.org 2007/01/03 04:09:15
+ [sftp.c]
+ ARGSUSED for lint
+ - stevesk@cvs.openbsd.org 2007/01/03 07:22:36
+ [sftp-server.c]
+ spaces
+
+20061205
+ - (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would
+ occur if the server did not have the privsep user and an invalid user
+ tried to login and both privsep and krb5 auth are disabled; ok dtucker@
+ - (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@
+
+20061108
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2006/11/07 13:02:07
+ [dh.c]
+ BN_hex2bn returns int; from dtucker@
+
+20061107
+ - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
+ if we absolutely need it. Pointed out by Corinna, ok djm@
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2006/11/06 21:25:28
+ [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
+ ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
+ add missing checks for openssl return codes; with & ok djm@
+ - markus@cvs.openbsd.org 2006/11/07 10:31:31
+ [monitor.c version.h]
+ correctly check for bad signatures in the monitor, otherwise the monitor
+ and the unpriv process can get out of sync. with dtucker@, ok djm@,
+ dtucker@
+ - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump
+ versions.
+ - (dtucker) Release 4.5p1.
+
+20061105
+ - (djm) OpenBSD CVS Sync
+ - otto@cvs.openbsd.org 2006/10/28 18:08:10
+ [ssh.1]
+ correct/expand example of usage of -w; ok jmc@ stevesk@
+ - markus@cvs.openbsd.org 2006/10/31 16:33:12
+ [kexdhc.c kexdhs.c kexgexc.c kexgexs.c]
+ check DH_compute_key() for -1 even if it should not happen because of
+ earlier calls to dh_pub_is_valid(); report krahmer at suse.de; ok djm
+
+20061101
+ - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerr
+ events fatal in Solaris process contract support and tell it to signal
+ only processes in the same process group when something happens.
+ Based on information from andrew.benham at thus.net and similar to
+ a patch from Chad Mynhier. ok djm@
+
+20061027
+- (djm) [auth.c] gc some dead code
+
+20061023
+ - (djm) OpenBSD CVS Sync
+ - ray@cvs.openbsd.org 2006/09/30 17:48:22
+ [sftp.c]
+ Clear errno before calling the strtol functions.
+ From Paul Stoeber <x0001 at x dot de1 dot cc>.
+ OK deraadt@.
+ - djm@cvs.openbsd.org 2006/10/06 02:29:19
+ [ssh-agent.c ssh-keyscan.c ssh.c]
+ sys/resource.h needs sys/time.h; prompted by brad@
+ (NB. Id sync only for portable)
+ - djm@cvs.openbsd.org 2006/10/09 23:36:11
+ [session.c]
+ xmalloc -> xcalloc that was missed previously, from portable
+ (NB. Id sync only for portable, obviously)
+ - markus@cvs.openbsd.org 2006/10/10 10:12:45
+ [sshconnect.c]
+ sleep before retrying (not after) since sleep changes errno; fixes
+ pr 5250; rad@twig.com; ok dtucker djm
+ - markus@cvs.openbsd.org 2006/10/11 12:38:03
+ [clientloop.c serverloop.c]
+ exit instead of doing a blocking tcp send if we detect a client/server
+ timeout, since the tcp sendqueue might be already full (of alive
+ requests); ok dtucker, report mpf
+ - djm@cvs.openbsd.org 2006/10/22 02:25:50
+ [sftp-client.c]
+ cancel progress meter when upload write fails; ok deraadt@
+ - (tim) [Makefile.in scard/Makefile.in] Add datarootdir= lines to keep
+ autoconf 2.60 from complaining.
+
20061018
- (dtucker) OpenBSD CVS Sync
- ray@cvs.openbsd.org 2006/09/25 04:55:38
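Review bot: In the scp.c entry dated 2007/01/22 13:06:21 the approval reads "of dtucker@", which looks like a typo for "ok dtucker@". The same pass should fix "Teach Match how handle" in the 2007/02/19 10:45:58 entry (missing "to"), close the stray opening quote before calloc(0, n) in the getrrsetbyname.c entry, and drop the repeated name in "with dtucker@, ok djm@, dtucker@" under the 2006/11/07 monitor.c entry. The 20061027 line starts with "- (djm)" flush against the diff marker while every other entry is indented by one space, so it will not line up with the rest of the file. On substance, the monitor.c entry says bad signatures were not checked correctly but gives no consequence beyond the monitor and the unprivileged process getting out of sync, and the 20070114 bsd-snprintf.c entry states the overflow "is not exploitable in OpenSSH" without saying why. A clause giving the impact in the first case and the reason in the second would help anyone triaging from the ChangeLog alone.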