head 1.39; access; symbols pkgsrc-2023Q4:1.39.0.2 pkgsrc-2023Q4-base:1.39 pkgsrc-2023Q3:1.38.0.4 pkgsrc-2023Q3-base:1.38 pkgsrc-2023Q2:1.38.0.2 pkgsrc-2023Q2-base:1.38 pkgsrc-2023Q1:1.37.0.20 pkgsrc-2023Q1-base:1.37 pkgsrc-2022Q4:1.37.0.18 pkgsrc-2022Q4-base:1.37 pkgsrc-2022Q3:1.37.0.16 pkgsrc-2022Q3-base:1.37 pkgsrc-2022Q2:1.37.0.14 pkgsrc-2022Q2-base:1.37 pkgsrc-2022Q1:1.37.0.12 pkgsrc-2022Q1-base:1.37 pkgsrc-2021Q4:1.37.0.10 pkgsrc-2021Q4-base:1.37 pkgsrc-2021Q3:1.37.0.8 pkgsrc-2021Q3-base:1.37 pkgsrc-2021Q2:1.37.0.6 pkgsrc-2021Q2-base:1.37 pkgsrc-2021Q1:1.37.0.4 pkgsrc-2021Q1-base:1.37 pkgsrc-2020Q4:1.37.0.2 pkgsrc-2020Q4-base:1.37 pkgsrc-2020Q3:1.36.0.12 pkgsrc-2020Q3-base:1.36 pkgsrc-2020Q2:1.36.0.10 pkgsrc-2020Q2-base:1.36 pkgsrc-2020Q1:1.36.0.6 pkgsrc-2020Q1-base:1.36 pkgsrc-2019Q4:1.36.0.8 pkgsrc-2019Q4-base:1.36 pkgsrc-2019Q3:1.36.0.4 pkgsrc-2019Q3-base:1.36 pkgsrc-2019Q2:1.36.0.2 pkgsrc-2019Q2-base:1.36 pkgsrc-2019Q1:1.35.0.6 pkgsrc-2019Q1-base:1.35 pkgsrc-2018Q4:1.35.0.4 pkgsrc-2018Q4-base:1.35 pkgsrc-2018Q3:1.35.0.2 pkgsrc-2018Q3-base:1.35 pkgsrc-2018Q2:1.34.0.6 pkgsrc-2018Q2-base:1.34 pkgsrc-2018Q1:1.34.0.4 pkgsrc-2018Q1-base:1.34 pkgsrc-2017Q4:1.34.0.2 pkgsrc-2017Q4-base:1.34 pkgsrc-2017Q3:1.33.0.4 pkgsrc-2017Q3-base:1.33 pkgsrc-2017Q2:1.32.0.2 pkgsrc-2017Q2-base:1.32 pkgsrc-2017Q1:1.31.0.26 pkgsrc-2017Q1-base:1.31 pkgsrc-2016Q4:1.31.0.24 pkgsrc-2016Q4-base:1.31 pkgsrc-2016Q3:1.31.0.22 pkgsrc-2016Q3-base:1.31 pkgsrc-2016Q2:1.31.0.20 pkgsrc-2016Q2-base:1.31 pkgsrc-2016Q1:1.31.0.18 pkgsrc-2016Q1-base:1.31 pkgsrc-2015Q4:1.31.0.16 pkgsrc-2015Q4-base:1.31 pkgsrc-2015Q3:1.31.0.14 pkgsrc-2015Q3-base:1.31 pkgsrc-2015Q2:1.31.0.12 pkgsrc-2015Q2-base:1.31 pkgsrc-2015Q1:1.31.0.10 pkgsrc-2015Q1-base:1.31 pkgsrc-2014Q4:1.31.0.8 pkgsrc-2014Q4-base:1.31 pkgsrc-2014Q3:1.31.0.6 pkgsrc-2014Q3-base:1.31 pkgsrc-2014Q2:1.31.0.4 pkgsrc-2014Q2-base:1.31 pkgsrc-2014Q1:1.31.0.2 pkgsrc-2014Q1-base:1.31 pkgsrc-2013Q4:1.28.0.4 pkgsrc-2013Q4-base:1.28 pkgsrc-2013Q3:1.28.0.2 
pkgsrc-2013Q3-base:1.28 pkgsrc-2013Q2:1.27.0.6 pkgsrc-2013Q2-base:1.27 pkgsrc-2013Q1:1.27.0.4 pkgsrc-2013Q1-base:1.27 pkgsrc-2012Q4:1.27.0.2 pkgsrc-2012Q4-base:1.27 pkgsrc-2012Q3:1.26.0.2 pkgsrc-2012Q3-base:1.26 pkgsrc-2012Q2:1.25.0.12 pkgsrc-2012Q2-base:1.25 pkgsrc-2012Q1:1.25.0.10 pkgsrc-2012Q1-base:1.25 pkgsrc-2011Q4:1.25.0.8 pkgsrc-2011Q4-base:1.25 pkgsrc-2011Q3:1.25.0.6 pkgsrc-2011Q3-base:1.25 pkgsrc-2011Q2:1.25.0.4 pkgsrc-2011Q2-base:1.25 pkgsrc-2011Q1:1.25.0.2 pkgsrc-2011Q1-base:1.25 pkgsrc-2010Q4:1.24.0.12 pkgsrc-2010Q4-base:1.24 pkgsrc-2010Q3:1.24.0.10 pkgsrc-2010Q3-base:1.24 pkgsrc-2010Q2:1.24.0.8 pkgsrc-2010Q2-base:1.24 pkgsrc-2010Q1:1.24.0.6 pkgsrc-2010Q1-base:1.24 pkgsrc-2009Q4:1.24.0.4 pkgsrc-2009Q4-base:1.24 pkgsrc-2009Q3:1.24.0.2 pkgsrc-2009Q3-base:1.24 pkgsrc-2009Q2:1.23.0.20 pkgsrc-2009Q2-base:1.23 pkgsrc-2009Q1:1.23.0.18 pkgsrc-2009Q1-base:1.23 pkgsrc-2008Q4:1.23.0.16 pkgsrc-2008Q4-base:1.23 pkgsrc-2008Q3:1.23.0.14 pkgsrc-2008Q3-base:1.23 cube-native-xorg:1.23.0.12 cube-native-xorg-base:1.23 pkgsrc-2008Q2:1.23.0.10 pkgsrc-2008Q2-base:1.23 cwrapper:1.23.0.8 pkgsrc-2008Q1:1.23.0.6 pkgsrc-2008Q1-base:1.23 pkgsrc-2007Q4:1.23.0.4 pkgsrc-2007Q4-base:1.23 pkgsrc-2007Q3:1.23.0.2 pkgsrc-2007Q3-base:1.23 pkgsrc-2007Q2:1.19.0.4 pkgsrc-2007Q2-base:1.19 pkgsrc-2007Q1:1.19.0.2 pkgsrc-2007Q1-base:1.19 pkgsrc-2006Q4:1.18.0.8 pkgsrc-2006Q4-base:1.18 pkgsrc-2006Q3:1.18.0.6 pkgsrc-2006Q3-base:1.18 pkgsrc-2006Q2:1.18.0.4 pkgsrc-2006Q2-base:1.18 pkgsrc-2006Q1:1.18.0.2 pkgsrc-2006Q1-base:1.18 pkgsrc-2005Q4:1.15.0.2 pkgsrc-2005Q4-base:1.15 pkgsrc-2005Q3:1.13.0.2 pkgsrc-2005Q3-base:1.13 pkgsrc-2005Q2:1.11.0.2 pkgsrc-2005Q2-base:1.11 pkgsrc-2005Q1:1.8.0.2 pkgsrc-2005Q1-base:1.8 pkgsrc-2004Q4:1.7.0.2 pkgsrc-2004Q4-base:1.7 pkgsrc-2004Q3:1.6.0.2 pkgsrc-2004Q3-base:1.6 pkgsrc-2004Q2:1.3.0.4 pkgsrc-2004Q2-base:1.3 pkgsrc-2004Q1:1.3.0.2 pkgsrc-2004Q1-base:1.3 pkgsrc-2003Q4:1.2.0.2 pkgsrc-2003Q4-base:1.2 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.39 date 
2023.12.20.17.09.35; author wiz; state Exp; branches; next 1.38; commitid ZdcEsDSwlO817eRE;
1.38 date 2023.05.25.21.28.09; author wiz; state Exp; branches; next 1.37; commitid bajZlwGNrPXkgoqE;
1.37 date 2020.12.19.11.07.10; author nia; state Exp; branches; next 1.36; commitid nY8Y8cpBCKYYklAC;
1.36 date 2019.06.10.13.44.35; author nia; state Exp; branches; next 1.35; commitid MzDiMRQsgZEs8EqB;
1.35 date 2018.07.04.13.40.33; author jperkin; state Exp; branches; next 1.34; commitid NnIyRkdX3Lbg3PIA;
1.34 date 2017.11.09.19.00.25; author snj; state Exp; branches; next 1.33; commitid iUgSkkiw3cWitoeA;
1.33 date 2017.09.23.20.14.57; author wiedi; state Exp; branches; next 1.32; commitid J3RzIMRY4CYyom8A;
1.32 date 2017.05.16.21.54.21; author snj; state Exp; branches; next 1.31; commitid lZPazwhkZpVV6FRz;
1.31 date 2014.03.14.22.40.17; author agc; state Exp; branches 1.31.26.1; next 1.30; commitid tFFVXIfInZkRCIsx;
1.30 date 2014.01.31.17.32.19; author agc; state Exp; branches; next 1.29; commitid U2j958CUmogXfinx;
1.29 date 2014.01.27.19.53.06; author drochner; state Exp; branches; next 1.28; commitid 0QkgkxM0n8udbNmx;
1.28 date 2013.09.14.03.40.01; author mspo; state Exp; branches; next 1.27; commitid T8bG6XG9ymKU7m5x;
1.27 date 2012.10.23.18.16.26; author asau; state Exp; branches; next 1.26;
1.26 date 2012.08.13.17.47.26; author drochner; state Exp; branches; next 1.25;
1.25 date 2011.03.10.10.20.16; author drochner; state Exp; branches; next 1.24;
1.24 date 2009.08.26.21.10.11; author snj; state Exp; branches; next 1.23;
1.23 date 2007.09.06.19.15.10; author jlam; state Exp; branches; next 1.22;
1.22 date 2007.09.06.16.31.55; author jlam; state Exp; branches; next 1.21;
1.21 date 2007.09.06.15.55.06; author jlam; state Exp; branches; next 1.20;
1.20 date 2007.09.05.21.08.06; author drochner; state Exp; branches; next 1.19;
1.19 date 2007.03.23.20.07.02; author drochner; state Exp; branches; next 1.18;
1.18 date 2006.03.14.20.03.43; author drochner; state Exp;
branches; next 1.17;
1.17 date 2006.03.04.21.30.33; author jlam; state Exp; branches; next 1.16;
1.16 date 2006.02.05.23.10.43; author joerg; state Exp; branches; next 1.15;
1.15 date 2005.12.14.18.00.12; author reed; state Exp; branches; next 1.14;
1.14 date 2005.12.05.20.50.55; author rillig; state Exp; branches; next 1.13;
1.13 date 2005.08.09.17.31.06; author drochner; state Exp; branches 1.13.2.1; next 1.12;
1.12 date 2005.07.19.18.07.59; author drochner; state Exp; branches; next 1.11;
1.11 date 2005.05.22.20.08.29; author jlam; state Exp; branches; next 1.10;
1.10 date 2005.04.29.16.14.41; author drochner; state Exp; branches; next 1.9;
1.9 date 2005.04.11.21.47.11; author tv; state Exp; branches; next 1.8;
1.8 date 2005.01.18.17.30.59; author drochner; state Exp; branches; next 1.7;
1.7 date 2004.10.03.00.18.08; author tv; state Exp; branches; next 1.6;
1.6 date 2004.08.31.10.27.38; author martti; state Exp; branches; next 1.5;
1.5 date 2004.06.26.19.30.58; author grant; state Exp; branches; next 1.4;
1.4 date 2004.06.21.18.27.47; author drochner; state Exp; branches; next 1.3;
1.3 date 2004.01.24.15.00.22; author grant; state Exp; branches; next 1.2;
1.2 date 2003.10.30.23.22.32; author xtraeme; state Exp; branches; next 1.1;
1.1 date 2003.08.19.15.46.44; author agc; state Exp; branches 1.1.1.1; next ;
1.31.26.1 date 2017.05.29.18.21.24; author bsiegert; state Exp; branches; next ; commitid f8DQajWwxOHMwjTz;
1.13.2.1 date 2005.12.17.23.44.25; author salo; state Exp; branches; next ;
1.1.1.1 date 2003.08.19.15.46.44; author agc; state Exp; branches; next ;


desc
@@


1.39
log
@dropbear: update to 2022.83nb1.

Include terrapin fix and bump PKGREVISION to make clear this is not 2022.83.

2022.83 - 14 November 2022

Features and Changes:
  Note >> for compatibility/configuration changes

- >> Disable DROPBEAR_DSS by default
  It is only 1024 bit and uses sha1, most distros disable it by default already.
- Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
  >> RSA with sha1 will be disabled in a future release (rsa keys will continue to work OK, with sha256 signatures used instead).
- Add option for requiring both password and pubkey (-t)
  Patch from Jackkal
- Add 'no-touch-required' and 'verify-required' options for sk keys
  Patch from Egor Duda
- >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA and DROPBEAR_SK_ED25519 options.
- Add 'permitopen' option for authorized_keys to restrict forwarded ports
  Patch from Tuomas Haikarainen
- >> Added LTM_CFLAGS configure argument to set flags for building bundled libtommath. This also restores the previous arguments used in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA key generation, which regressed in 2022.82. There is a tradeoff with code size, so -Os can be used if required.
  https://github.com/mkj/dropbear/issues/174
  Reported by David Bernard
- Add '-z' flag to disable setting QoS traffic class. This may be necessary to work with broken networks or network drivers, exposed after changes to use AF21 in 2022.82
  https://github.com/mkj/dropbear/issues/193
  Reported by yuhongwei380, patch from Petr Štetiar
- Allow overriding user shells with COMPAT_USER_SHELLS
  Based on a patch from Matt Robinson
- Improve permission error message
  Patch from k-kurematsu
- >> Remove HMAC_MD5 entirely

Regression fixes from 2022.82:

- Fix X11 build
- Fix build warning
- Fix compilation when disabling pubkey authentication
  Patch from MaxMougg
- Fix MAX_UNAUTH_CLIENTS regression
  Reported by ptpt52
- Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
  https://github.com/mkj/dropbear/issues/174
  Suggested by Steffen Jaeckel
- Fix Dropbear plugin support
  https://github.com/mkj/dropbear/issues/194
  Reported by Struan Bartlett

Other fixes:

- Fix long standing incorrect compression size check.
  Dropbear (client or server) would erroneously exit with "bad packet, oversized decompressed" when receiving a compressed packet of exactly the maximum size.
- Fix missing setsid() removed in 2020.79
  https://github.com/mkj/dropbear/issues/180
  Reported and debugged by m5jt and David Bernard
- Try keyboard-interactive auth before password, in dbclient. This was unintentionally changed back in 2013
  https://github.com/mkj/dropbear/pull/190
  Patch from Michele Giacomoli
- Drain the terminal when reading the fingerprint confirmation response
  https://github.com/mkj/dropbear/pull/191
  Patch from Michele Giacomoli
- Fix utx wtmp variable typo. This has been wrong for a long time but only recently became a problem when wtmp was detected.
  https://github.com/mkj/dropbear/pull/189
  Patch from Michele Giacomoli
- Improve configure test for hardening options. Fixes building on AIX
  https://github.com/mkj/dropbear/issues/158
- Fix debian/dropbear.init newline
  From wulei-student

Infrastructure:

- Test off-by-default compile options
- Set -Wundef to catch typos in #if statements

2022.82 - 1 April 2022

Features and Changes:
  Note >> for compatibility/configuration changes

- Implemented OpenSSH format private key handling for dropbearconvert. Keys can be read in OpenSSH format or the old PEM format.
  >> Keys are now written in OpenSSH format rather than PEM.
  ED25519 support is now correct. DSS keys are still PEM format.
- Use SHA256 for key fingerprints
- >> Reworked -v verbose printing, specifying multiple times will increase verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it can be configured at compile time in localoptions.h (see default_options.h) Lower -v options can be used to check connection progress or algorithm negotiation.
  Thanks to Hans Harder for the implementation
  localoptions.h DEBUG_TRACE should be set to 4 for the same result as the previous DEBUG_TRACE 1.
- Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in authorized_keys.
  no-touch-required option isn't allowed yet.
  Thanks to Egor Duda for the implementation
- autoconf output (configure script etc) is now committed to version control.
  >> It isn't necessary to run "autoconf" any more on a checkout.
- sha1 will be omitted from the build if KEX/signing/MAC algorithms don't require it. Instead sha256 is used for random number generation. See sysoptions.h to see which algorithms require which hashes.
- Set SSH_PUBKEYINFO environment variable based on the authorized_keys entry used for auth. The first word of the comment after the key is used (must only have characters a-z A-Z 0-9 .,_-+@@)
  Patch from Hans Harder, modified by Matt Johnston
- Let dbclient multihop mode be used with '-J'.
  Patch from Hans Harder
- Allow home-directory relative paths ~/path for various settings and command line options.
  *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME
  Thanks to Begley Brothers Inc
  >> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs a tilde prefix.
- LANG environment variable is carried over from the Dropbear server process
  From Maxim Kochetkov
- Add /usr/sbin and /sbin to $PATH when logging in as root.
  Patch from Raphaël Hertzog
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
- Added client option "-o DisableTrivialAuth". It disallows a server immediately giving successful authentication (without presenting any password/pubkey prompt). This avoids a UI confusion issue where it may appear that the user is accepting a SSH agent prompt from their local machine, but are actually accepting a prompt sent immediately by the remote server.
  CVE-2021-36369 though the description there is a bit confused. It only applies to Dropbear as a client.
  Thanks to Manfred Kaiser from Austrian MilCERT
- Add -q client option to hide remote banner, from Hans Harder
- Add -e option to pass all server environment variables to child processes. This should be used with caution.
  Patch from Roland Vollgraf (github #118)
- >> Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to AF21 "interactive". Previously TOS classes were used, they are not used by modern traffic classifiers. Non-tty traffic is left at default priority.
- >> Disable dh-group1 key exchange by default. It has been disabled server side by default since 2018.
- >> Removed Twofish cipher

Fixes:

- Fix flushing channel data when pty was allocated (github #85) Data wasn't completely transmitted at channel close.
  Reported and initial patch thanks to Yousong Zhou
- Dropbear now re-executes itself rather than just forking for each connection (only on Linux). This allows ASLR to randomise address space for each connection as a security mitigation. It should not have any visible impact - if there are any performance impacts in the wild please report it.
- Check authorized_keys permissions as the user, fixes NFS squash root.
  Patch from Chris Dragan (github #107)
- A missing home directory is now non-fatal, starting in / instead
- Fixed IPv6 [address]:port parsing for dbclient -b
  Reported by Fabio Molinari
- Improve error logging so that they are logged on the server rather than being sent to the client over the connection
- Max window size is increased to 10MB, more graceful fallback if it's invalid.
- Fix correctness of Dropbear's handling of global requests.
  Patch from Dirkjan Bussink
- Fix some small bugs found by fuzzers, null pointer dereference crash and leaks (post authentication)
- $HOME variable is used before /etc/passwd when expanding paths such as ~/.ssh/id_dropbear (for the client).
  Patch from Matt Robinson
- C89 build fixes from Guillaume Picquet

Infrastructure:

- Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can handle the structure of SSH packet streams. Added cifuzz to run on commits and pull requests.
  Thanks to OSS-Fuzz for the tools/clusters and reward funding.
- Dropbear source tarballs generated by release.sh are now reproducible from a Git or Mercurial checkout, they will be identical on any system. Tested on ubuntu and macos.
- Added some integration testing using pytest. Currently this has tests for various channel handling edge cases, ASLR fork randomisation, dropbearconvert, and SSH_PUBKEYINFO
- Set up github actions. This runs the pytest suite and other checks.
  - build matrix includes c89, dropbearmulti, bundled libtom, macos, DEBUG_TRACE
  - test for configure script regeneration
  - build a tarball for external reproducibility
@
text
@# $NetBSD: Makefile,v 1.38 2023/05/25 21:28:09 wiz Exp $

DISTNAME= dropbear-2022.83
PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
EXTRACT_SUFX= .tar.bz2

MAINTAINER= snj@@NetBSD.org
HOMEPAGE= https://matt.ucc.asn.au/dropbear/dropbear.html
COMMENT= Small SSH2 server and client, aimed at embedded market
LICENSE= modified-bsd

GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} --disable-bundled-libtom
USE_TOOLS+= gmake

PKG_OPTIONS_VAR= PKG_OPTIONS.dropbear
PKG_SUPPORTED_OPTIONS= pam

.include "../../mk/bsd.prefs.mk"
.include "../../mk/bsd.options.mk"

.if !empty(PKG_OPTIONS:Mpam)
. include "../../mk/pam.buildlink3.mk"
CONFIGURE_ARGS+= --enable-pam
SUBST_CLASSES+= pam
SUBST_MESSAGE.pam= Enabling PAM in options.h
SUBST_STAGE.pam= pre-configure
SUBST_FILES.pam= options.h
SUBST_SED.pam= -e "s/ENABLE_SVR_PASSWORD_AUTH/ENABLE_SVR_PAM_AUTH/"
.endif

OWN_DIRS+= ${PKG_SYSCONFDIR}/dropbear

SUBST_CLASSES+= config
SUBST_MESSAGE.config= Fixing path to config directory.
SUBST_STAGE.config= post-build
SUBST_FILES.config= dropbear.8 dropbearkey.1
SUBST_SED.config= -e "s,/etc/dropbear/,"${PKG_SYSCONFDIR:Q}"/dropbear/,g"

# needed by dbscp
CPPFLAGS+= -DDROPBEAR_PATH_SSH_PROGRAM="\"${PREFIX}/bin/dbclient\""

.include "../../x11/xauth/builtin.mk"
CPPFLAGS+= -DXAUTH_COMMAND="\"${XAUTHBASE}/bin/xauth\""

CFLAGS.NetBSD+= -DHAVE_NETINET_IN_SYSTM_H
LDFLAGS.SunOS+= -lsocket -lnsl

BUILD_TARGET= all scp

post-install:
	${INSTALL_PROGRAM} ${WRKSRC}/scp ${DESTDIR}${PREFIX}/bin/dbscp

.include "../../devel/zlib/buildlink3.mk"
.include "../../math/ltm/buildlink3.mk"
.include "../../security/libtomcrypt/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
@


1.38
log
@dropbear: re-word a comment to avoid false positives
@
text
@d1 1 a1 1 # $NetBSD: Makefile,v 1.37 2020/12/19 11:07:10 nia Exp $ d3 2 a4 1 DISTNAME= dropbear-2020.81
@


1.37
log
@dropbear: Update to 2020.81
@
text
@d1 1 a1 1 # $NetBSD: Makefile,v 1.36 2019/06/10 13:44:35 nia Exp $ d41 1 a41 1 # used by dbscp
@


1.36
log
@dropbear: Update to 2019.78

Changes:

2019.78 - 27 March 2019

- Fix dbclient regression in 2019.77. After exiting the terminal would be left in a bad state. Reported by Ryan Woodsmall

2019.77 - 23 March 2019

- Fix server -R option with ECDSA - only advertise one key size which will be accepted. Reported by Peter Krefting, 2018.76 regression.
- Fix server regression in 2018.76 where multiple client -R forwards were all forwarded to the first destination. Reported by Iddo Samet.
- Make failure delay more consistent to avoid revealing valid usernames, set server password limit of 100 characters. Problem reported by usd responsible disclosure team
- Change handling of failed authentication to avoid disclosing valid usernames, CVE-2018-15599.
- Fix dbclient to reliably return the exit code from the remote server. Reported by W.
  Mike Petullo
- Fix export of 521-bit ECDSA keys, from Christian Hohnstädt
- Add -o Port=xxx option to work with sshfs, from xcko
- Merged fuzzing code, see FUZZER-NOTES.md
- Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart
- Increase allowed username to 100 characters, reported by W. Mike Petullo
- Update config.sub and config.guess, should now work with RISC-V
- Cygwin compile fix from karel-m
- Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu
- Fix for IRIX and writev(), reported by Kazuo Kuroi
- Other fixes and cleanups from François Perrad, Andre McCurdy, Konstantin Demin, Michael Jones, Pawel Rapkiewicz

2018.76 - 27 February 2018

> > > Configuration/compatibility changes

  IMPORTANT
  Custom configuration is now specified in localoptions.h rather than options.h
  Available options and defaults can be seen in default_options.h
  To migrate your configuration, compare your customised options.h against the upstream options.h from your relevant version. Any customised options should be put in localoptions.h in the build directory.

- "configure --enable-static" should now be used instead of "make STATIC=1"
  This will avoid 'hardened build' flags that conflict with static binaries
- Set 'hardened build' flags by default if supported by the compiler. These can be disabled with configure --disable-harden if needed.
  -Wl,-pie
  -Wl,-z,now -Wl,-z,relro
  -fstack-protector-strong
  -D_FORTIFY_SOURCE=2
  # spectre v2 mitigation
  -mfunction-return=thunk
  -mindirect-branch=thunk
  Spectre patch from Loganaden Velvindron
- "dropbear -r" option for hostkeys no longer attempts to load the default hostkey paths as well. If desired these can be specified manually.
  Patch from CamVan Nguyen
- group1-sha1 key exchange is disabled in the server by default since the fixed 1024-bit group may be susceptible to attacks
- twofish ciphers are now disabled in the default configuration
- Default generated ECDSA key size is now 256 (rather than 521) for better interoperability
- Minimum RSA key length has been increased to 1024 bits

> > > Other features and fixes

- Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
- Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. See dbclient manpage for a socat example.
  Patch from Harald Becker
- Add "-c forced_command" option. Patch from Jeremy Kerr
- Restricted group -G option added with patch from stellarpower
- Support server-chosen TCP forwarding ports, patch from houseofkodai
- Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
  Patch from houseofkodai
- Makefile will now rebuild object files when header files are modified
- Add group14-256 and group16 key exchange options
- curve25519-sha256 also supported without @@libssh.org suffix
- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
  This fixes building with some recent versions of clang
- Set PAM_RHOST which is needed by modules such as pam_abl
- Improvements to DSS and RSA public key validation, found by OSS-Fuzz.
- Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz
- Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
- Numerous code cleanups and small issues fixed by Francois Perrad
- Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl platforms. Reported by Oliver Schneider and Andrew Bainbridge
- Fix some platform portability problems, from Ben Gardner
- Add EXEEXT filename suffix for building dropbearmulti, from William Foster
- Support --enable-