Alexander Marx [Thu, 1 Apr 2021 12:47:18 +0000 (14:47 +0200)]
BUG12301: Iptables “host/network ‘none’ not found”
Fixes: #12301
When using hosts with MAC-addresses in a hostgroup,
the rule won't be generated if those hosts are selected as target.
There is a hint, but due to a wrong hash parameter the hint was not shown.
Adolf Belka [Wed, 17 Mar 2021 21:42:22 +0000 (22:42 +0100)]
sudo: Update to 1.9.6p1
- Update from 1.9.5p2 to 1.9.6p1
- Update not required for rootfile
- Changelog
Major changes between version 1.9.6p1 and 1.9.6:
Fixed a regression introduced in sudo 1.9.6 that resulted in an error message instead of a usage message when sudo is run with no arguments.
Major changes between version 1.9.6 and 1.9.5p2:
Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
Fixed a regression introduced in sudo 1.9.4 where the --disable-root-mailer configure option had no effect.
Added a --disable-leaks configure option that avoids some memory leaks on exit that would otherwise occur. This is intended to be used with development tools that measure memory leaks. It is not safe to use in production at this time.
Plugged some memory leaks identified by oss-fuzz and ASAN.
Fixed the handling of sudoOptions for an LDAP sudoRole that contains multiple sudoCommands. Previously, some of the options would only be applied to the first sudoCommand.
Fixed a potential out of bounds read in the parsing of NOTBEFORE and NOTAFTER sudoers command options (and their LDAP equivalents).
The parser used for reading I/O log JSON files is now more resilient when processing invalid JSON.
Fixed typos that prevented make uninstall from working. GitHub issue #87.
Fixed a regression introduced in sudo 1.9.4 where the last line in a sudoers file might not have a terminating NUL character added if no newline was present.
Integrated oss-fuzz and LLVM's libFuzzer with sudo. The new --enable-fuzzer configure option can be combined with the --enable-sanitizer option to build sudo with fuzzing support. Multiple fuzz targets are available for fuzzing different parts of sudo. Fuzzers are built and tested via make fuzz or as part of make check (even when sudo is not built with fuzzing support). Fuzzing support currently requires the LLVM clang compiler (not gcc).
Fixed the --enable-static-sudoers configure option. GitHub issue #92.
Fixed a potential out of bounds read when sudo is run by a user with more groups than the value of max_groups in sudo.conf.
Added an admin_flag sudoers option to make the use of the ~/.sudo_as_admin_successful file configurable on systems where sudo is built with the --enable-admin-flag configure option. This mostly affects Ubuntu and its derivatives. GitHub issue #56.
The max_groups setting in sudo.conf is now limited to 1024. This setting is obsolete and should no longer be needed.
Fixed a bug in the tilde expansion of CHROOT=dir and CWD=dir sudoers command options. A path ~/foo was expanded to /home/userfoo instead of /home/user/foo. This also affects the runchroot and runcwd Defaults settings.
Fixed a bug on systems without a native getdelim(3) function where very long lines could cause parsing of the sudoers file to end prematurely. Bug #960.
Fixed a potential integer overflow when converting the timestamp_timeout and passwd_timeout sudoers settings to a timespec struct.
The default for the group_source setting in sudo.conf is now dynamic on macOS. Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946.
Fixed a potential use-after-free in the PAM conversation function. Bug #967.
Fixed potential redefinition of sys/stat.h macros in sudo_compat.h. Bug #968.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Mar 2021 21:41:48 +0000 (22:41 +0100)]
attr: Update to 2.5.1
- Update from 2.4.48 to 2.5.1
- Update rootfile
- Changelog
Version 2.5.1
Fix libtool library versioning regression Andreas Gruenbacher
Version 2.4.48
Update po files and German translation Andreas Gruenbacher
getfattr: Add --one-file-system option Andreas Gruenbacher
Move struct stat into struct walk_tree_args Andreas Gruenbacher
Move list of open directories into struct walk_tree_args Andreas Gruenbacher
Move walk_tree_rec arguments into a separate struct Andreas Gruenbacher
xattr.conf: Indicate afs metadata xattrs should be skipped when copying David Howells
Fix typos in manual pages Samanta Navarro
Update my email address Andreas Gruenbacher
man: add examples to setfattr.1 Achilles Gaikwad
install-data: Don't remove unrelated empty directories Andreas Gruenbacher
attr: Replace bzero with memset Rosen Penev
getfattr: don't count terminating NULL in well_enough_printable Jeff Layton
attr_list, attr_listf: Guard against unterminated buffer Andreas Gruenbacher
attr_multi, attr_multif: Don't set errno to -EINVAL Andreas Gruenbacher
Switch back to syscall() Andreas Gruenbacher
attr_list.3: Fix the attributes.h include path Andreas Gruenbacher
getfattr.1: by default only user namespace attributes are dumped Simon Ruderich
Enable large-file support on systems that do not enable it by default Dmitry V. Levin
man: standardize AUTHORS section Mike Frysinger
man: fix bold style in SEE ALSO section Mike Frysinger
test: escape left brace in a regex in test/run Troy Dawson
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Mar 2021 21:41:31 +0000 (22:41 +0100)]
acl: Update to 2.3.1
- Update from 2.2.53 to 2.3.1
- Updated rootfile
- Changelog
Version 2.3.1
Fix libtool library versioning regression Andreas Gruenbacher
Version 2.3.0
Update po files and German translation Andreas Gruenbacher
getfacl: fix indent in --help output Valentin Vidic
getfacl: Add --one-file-system option Pavel Polacek
Move struct stat into struct walk_tree_args Andreas Gruenbacher
Move list of open directories into struct walk_tree_args Andreas Gruenbacher
Move walk_tree_rec arguments into a separate struct Andreas Gruenbacher
acl_from_mode, acl_copy_int: Fix segfault on allocation failure Tavian Barnes
__acl_create_entry_obj: do not break strict aliasing rules Kamil Dudka
Fix typo in getfacl(1) man page Anthony Sottile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update tshark from 3.4.2 to 3.4.3
- Update rootfile
- Changelog is too long to include here.
See ChangeLog file in source tarball
29 bugfixes included
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update stunnel from 5.57 to 5.58
- Update rootfile
- Changelog
Version 5.58, 2021.02.20, urgency: HIGH
Security bugfixes
The "redirect" option was fixed to properly handle unauthenticated requests (thx to Martin Stein).
Fixed a double free with OpenSSL older than 1.1.0 (thx to Petr Strukov).
OpenSSL DLLs updated to version 1.1.1j.
New features
New 'protocolHeader' service-level option to insert custom 'connect' protocol negotiation headers. This feature can be used to impersonate other software (e.g. web browsers).
'protocolHost' can also be used to control the client SMTP protocol negotiation HELO/EHLO value.
Initial FIPS 3.0 support.
Bugfixes
X.509v3 extensions required by modern versions of OpenSSL are added to generated self-signed test certificates.
Fixed a tiny memory leak in configuration file reload error handling (thx to Richard Könning).
Merged Debian 05-typos.patch (thx to Peter Pentchev).
Merged with minor changes Debian 06-hup-separate.patch (thx to Peter Pentchev).
Merged Debian 07-imap-capabilities.patch (thx to Ansgar).
Merged Debian 08-addrconfig-workaround.patch (thx to Peter Pentchev).
Fixed tests on the WSL2 platform.
NSIS installer updated to version 3.06 to fix a multiuser installation bug on some platforms, including 64-bit XP.
Fixed engine initialization (thx to Petr Strukov).
FIPS TLS feature is reported when a provider or container is available, and not when FIPS control API is available.
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update sqlite from 3.34.0 to 3.34.1
- Update rootfile
- Changelog
Fix a potential use-after-free bug when processing a subquery with
both a correlated WHERE clause and a "HAVING 0" clause and where the
parent query is an aggregate.
Fix documentation typos
Fix minor problems in extensions.
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update qpdf from 10.1.0 to 10.3.0
- Updated rootfile
- Changelog is too long to fully include here
See ChangeLog file in source tarball
Bug fixes in 10.3.0
* The last several changes are in support of fixing more complex
cases of keeping form fields working properly through page copying
operations. Fixes #509.
Bug fixes in 10.2.0
* From qpdf CLI, --pages and --split-pages will properly preserve
interactive form functionality. Fixes #340.
* From qpdf CLI, --overlay and --underlay will copy annotations
and form fields from overlay/underlay file. Fixes #395.
* Add new option --password-file=file for reading the decryption
password from a file. file may be "-" to read from standard input.
Fixes #499.
* By default, give an error if a user attempts to encrypt a file
with a 256-bit key, a non-empty user password, and an empty owner
password. Such files are insecure since they can be opened with no
password. To allow explicit creation of files like this, pass the
new --allow-insecure option. Thanks to github user RobK88 for a
detailed analysis and for reporting this issue. Fixes #501.
* Bug fix: if a form XObject lacks a resources dictionary,
consider any names in that form XObject to be referenced from the
containing page. This is compliant with older PDF versions. Also
detect if any form XObjects have any unresolved names and, if so,
don't remove unreferenced resources from them or from the page
that contains them. Fixes #494.
* Give warnings instead of segfaulting if a QPDF operation is
attempted after calling closeInputSource(). Fixes #495.
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update nagios-plugins from 2.2.1 to 2.3.3
- Updated rootfile
- Changelog is too long to include here
See ChangeLog file in source tarball
80 bugs fixed with the last four releases
- Latest version of nagios-plugins is recommended by update of nagios_nrpe
to 4.0.3
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update nagios_nrpe from 3.2.1 to 4.0.3
- No update for rootfile
- Changelog
[4.0.3](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.3) - 2020-04-28
**FIXES**
- Fixed nasty_metachars not being read from config file (#235) (Sebastian Wolf)
[4.0.2](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.2) - 2020-03-11
**FIXES**
- Fixed buffer length calculations/writing past memory boundaries on some systems (#227, #228) (Andreas Baumann, hariwe, Sebastian Wolf)
- Fixed use of uninitialized variable when validating requests (#229) (hariwe, Sebastian Wolf)
[4.0.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.1) - 2020-01-22
**FIXES**
* Fixed syslog flooding with CRC-checking errors when both plugin and agent were updated to version 4 (Sebastian Wolf)
[4.0.0](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.0) - 2019-01-13
Note: This update includes security fixes which affect both the check_nrpe plugin and
the NRPE daemon. The latest version of NRPE is still able to interoperate with previous
versions, but for best results, both programs should be updated.
**ENHANCEMENTS**
* Added TLSv1.3 and TLSv1.3+ support for systems that have it (Nigel Yong, Rahul Golam)
* Added IPv6 ip address to list of default allow_from hosts (Troy Lea)
* Added -D option to disable logging to syslog (Tom Griep, Sebastian Wolf)
* Added -3 option to force check_nrpe to use NRPE v3 packets
* OpenRC: provide a default path for nrpe.cfg (Michael Orlitzky)
* OpenRC: Use RC_SVCNAME over a hard-coded PID file (j-licht)
**FIXES**
* Checks for '!' now only occur inside the command buffer (Joni Eskelinen)
* NRPE daemon is more resilient to DOS attacks (Leonid Vasiliev)
* allowed_hosts will no longer test getaddrinfo records against the wrong protocol (dombenson)
* nasty_metachars will now handle C escape sequences properly when specified in the config file (Sebastian Wolf)
* Calculated packet sizes now struct padding/alignment when sending and receiving messages (Sebastian Wolf)
* Buffer sizes are now checked before use in packet size calculation (Sebastian Wolf)
* When using `include_dir`, individual files' errors do not prevent the remaining files from being read (Sebastian Wolf)
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update nano from 5.5 to 5.6
- No update for rootfile
- Changelog
Changes between v5.5 and v5.6:
Benno Schulenberg (52):
build: avoid a warning about duplicate symbol when building from tarball
build: detect a build from git also when building out of tree
build: include a workaround only for versions of ncurses that need it
bump version numbers and add a news item for the 5.6 release
color: do not look for another 'end' match after already finding one
color: give highlighted text its own color, to not look like marked text
color: recompile the file-probing regexes a little faster with REG_NOSUB
color: use bright yellow to highlight a search match
color: use inverse video for highlighting when there are no colors
debug: add timing instruments to cache precalculation and screen refresh
display: for a large paste or insertion, recalculate the multiline cache
docs: correct the description of --quickblank for the changed base value
docs: correct the formatting of a comment in the sample nanorc
docs: correct the word order for Alt+D in the cheat sheet -- it changed
docs: mention the new 'set highlightcolor' option
docs: remove all mentions of --markmatch and 'set markmatch'
docs: say that --minibar is modified by --constantshow and --stateflags
feedback: make Full Justify show a message also when using --minibar
gnulib: update to its current upstream state
minibar: show a message a little longer when --quickblank isn't used
minibar: show cursor position + character code only with --constantshow
minibar: show the state flags only when --stateflags is used
minibar: suppress the toggling feedback for M-C, but show it for M-Y/M-P
options: remove --markmatch and 'set markmatch', as the behavior is gone
painting: always do backtracking for the first row of the screen
painting: trigger a refresh when a second start match appears on a line
painting: trigger fewer unneeded full-screen refreshes
painting: when finding an end match, set its multidata right away
scrolling: keep centering after large paste, also when line numbers widen
search: just highlight the found occurrence, instead of marking it
search: make highlighting the standard, non-changeable behavior
tweaks: avoid the vague possibility of advancing beyond end-of-line
tweaks: be slightly more efficient in marking lines as WOULDBE
tweaks: call wattron()/wattroff() only when actually painting something
tweaks: correct a comment, improve another, and trim some verbosity
tweaks: don't bother comparing virgin multidata with current situation
tweaks: don't bother initializing freshly allocated multidata
tweaks: don't bother wiping the multidata before recomputing it
tweaks: elide a function that is now just one line
tweaks: frob a condition, to be more concise, and reshuffle another
tweaks: frob some comments, and adjust indentation after previous change
tweaks: frob some comments, and reshuffle two fragments of code
tweaks: frob two fragments of code, to be more readable
tweaks: make a skipping condition more precise
tweaks: remove an old fix that was made superfluous by a recent fix
tweaks: remove a strangely placed warning
tweaks: rename six symbols, to be more straightforward
tweaks: reshuffle some code, and reduce the scope of a variable
tweaks: reshuffle three conditions into a better order
tweaks: rewrap and reindent a few lines
tweaks: rewrap two lines, for esthetics
tweaks: stop evaluating a rule when the match is offscreen to the right
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update ipset from 7.10 to 7.11
- No update to rootfile
- Changelog
- Parse port before trying by service name (Haw Loeung)
- Silence unused-but-set-variable warnings (reported by Serhey Popovych)
- Handle -Werror=implicit-fallthrough= in debug mode compiling
- ipset: fix print format warning (Neutron Soutmun)
- Updated utilities
- Argument parsing buffer overflow in ipset_parse_argv fixed (reported by Marshall Whittaker)
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update iproute2 from 5.10.0 to 5.11.0
- Updated rootfile
- Changelog extracted from commits
lib/fs: Fix single return points for get_cgroup2_* Andrea Claudi
lib/fs: avoid double call to mkdir on make_path() Andrea Claudi
lib/bpf: Fix and simplify bpf_mnt_check_target() Andrea Claudi
lib/namespace: fix ip -all netns return code Andrea Claudi
ip: lwtunnel: seg6: bail out if table ids are invalid Andrea Claudi
tc: m_gate: use SPRINT_BUF when needed Andrea Claudi
man8/bridge.8: be explicit that "flood" is an egress setting Vladimir Oltean
man8/bridge.8: explain self vs master for "bridge fdb add" Vladimir Oltean
man8/bridge.8: fix which one of self/master is default for "bridge fdb" Vladimir Oltean
man8/bridge.8: explain what a local FDB entry is Vladimir Oltean
man8/bridge.8: document that "local" is default for "bridge fdb add" Vladimir Oltean
man8/bridge.8: document the "permanent" flag for "bridge fdb add" Vladimir Oltean
rdma: Fix statistics bind/unbind argument handling Ido Kalir
uapi: pick up rpl.h fix Stephen Hemminger
iproute: force rtm_dst_len to 32/128 Luca Boccassi
ss: Add clarification about host conditions with multiple families to man Thayne McCombs
Add documentation of ss filter to man page Thayne McCombs
iplink: print warning for missing VF data Edwin Peer
ss: do not emit warn while dumping MPTCP on old kernels Paolo Abeni
man: tc-taprio.8: document the full offload feature Vladimir Oltean
iplink_bareudp: cleanup help message and man page Guillaume Nault
vrf: fix ip vrf exec with libbpf Luca Boccassi
vrf: print BPF log buffer if bpf_program_load fails Luca Boccassi
build: Fix link errors on some systems Roi Dayan
tc: flower: fix json output with mpls lse Guillaume Nault
dcb: Change --Netns/-N to --netns/-n Petr Machata
dcb: Plug a leaking DCB socket buffer Petr Machata
dcb: Set values with RTM_SETDCB type Petr Machata
uapi: update if_link.h from upstream Stephen Hemminger
include: uapi: Carry dcbnl.h Petr Machata
uapi: update kernel headers to 5.11 pre rc1
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update hplip from 3.20.11 to 3.21.2
- Updated rootfile
- Changelog
Added support for following new Distro's:
Fedora 33
Manjaro 20.2
Debian 10.7
RHEL 8.3
RHEL 7.7
RHEL 7.8
RHEL 7.9
Added support for the following new Printers:
HP LaserJet Enterprise M406dn
HP LaserJet Enterprise M407dn
HP LaserJet Enterprise MFP M430f
HP LaserJet Enterprise MFP M431f
HP LaserJet Managed E40040dn
HP LaserJet Managed MFP E42540f
HP Color LaserJet Enterprise M455dn
HP Color LaserJet Managed E45028dn
HP Color LaserJet Enterprise MFP M480f
HP Color LaserJet Managed MFP E47528f
HP PageWide XL 3920 MFP
HP PageWide XL 4200 Printer
HP PageWide XL 4200 Multifunction Printer
HP PageWide XL 4700 Printer
HP PageWide XL 4700 Multifunction Printer
HP PageWide XL 5200 Printer
HP PageWide XL 5200 Multifunction Printer
HP PageWide XL 8200 Printer
HP Laserjet M207d
HP Laserjet M208d
HP Laserjet M209d
HP Laserjet M210d
HP Laserjet M212d
HP Laserjet M211d
HP Laserjet M209dw
HP Laserjet M209dwe
HP Laserjet M210dw
HP Laserjet M210dwe
HP Laserjet M212dw
HP LaserJet M212dwe
HP Laserjet M208dw
HP Laserjet M207dw
HP Laserjet M211dw
HP LaserJet MFP M234dw
HP LaserJet MFP M234dwe
HP LaserJet MFP M233d
HP LaserJet MFP M232d
HP LaserJet MFP M235d
HP LaserJet MFP M237d
HP LaserJet MFP M236d
HP LaserJet MFP M232dw
HP LaserJet MFP M232dwc
HP LaserJet MFP M233dw
HP LaserJet MFP M236dw
HP LaserJet MFP M235dw
HP LaserJet MFP M235dwe
HP LaserJet MFP M237dwe
HP LaserJet MFP M237dw
HP LaserJet MFP M232sdn
HP LaserJet MFP M233sdn
HP LaserJet MFP M236sdn
HP LaserJet MFP M234sdn
HP LaserJet MFP M234sdne
HP LaserJet MFP M235sdn
HP LaserJet MFP M235sdne
HP LaserJet MFP M237sdne
HP LaserJet MFP M237sdn
HP LaserJet MFP M232sdw
HP LaserJet MFP M233sdw
HP LaserJet MFP M236sdw
HP LaserJet MFP M234sdw
HP LaserJet MFP M234sdwe
HP LaserJet MFP M235sdw
HP LaserJet MFP M235sdwe
HP LaserJet MFP M237sdwe
HP LaserJet MFP M237sdw
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Use the traffic class description field to identify similar classes.
This ensures that a class used in both the up- and down-link is
printed with matching colors in both graphs.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 5 Mar 2021 17:41:28 +0000 (18:41 +0100)]
openssh: Update to 8.5p1
- Update Openssh from 8.4p1 to 8.5p1
- rootfiles not changed
- ssh access by keys tested with 8.5p1 and successfully worked
- Full Release notes can be read at https://www.openssh.com/releasenotes.html
- Future deprecation notice
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.
In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near
future.
Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.
- Checked if the weak ssh-rsa public key algorithm was being used with
openssh 8.4p1 by running
    ssh -oHostKeyAlgorithms=-ssh-rsa user@host
Host verification was successful with no issue, so IPFire will not be
affected by this deprecation when it happens.
- Potentially-incompatible changes
* ssh(1), sshd(8): this release changes the first-preference signature
algorithm from ECDSA to ED25519.
This did not affect my use of ssh login, but I use ED25519 as the only
key algorithm. It might be good to get it tested by someone who has
ECDSA and ED25519 keys and prefers ECDSA.
Remaining changes don't look likely to affect IPFire users.
- Bugfixes
* ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
make it easier to determine which connection they are associated
with in cases like scp -3, ProxyJump, etc. bz#3224
* sshd(8): fix sshd_config SetEnv directives located inside Match
blocks. GHPR201
* ssh(1): when requesting a FIDO token touch on stderr, inform the
user once the touch has been recorded.
* ssh(1): prevent integer overflow when ridiculously large
ConnectTimeout values are specified, capping the effective value
(for most platforms) at 24 days. bz#3229
* ssh(1): consider the ECDSA key subtype when ordering host key
algorithms in the client.
* ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
that it control allowed key algorithms, when this option actually
specifies the signature algorithms that are accepted. The previous
name remains available as an alias. bz#3253
* ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
* sftp-server(8): add missing lsetstat@openssh.com documentation
and advertisement in the server's SSH2_FXP_VERSION hello packet.
* ssh(1), sshd(8): more strictly enforce KEX state-machine by
banning packet types once they are received. Fixes memleak caused
by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
* sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
platforms instead of being limited by LONG_MAX. bz#3206
* Minor man page fixes (capitalization, commas, etc.) bz#3223
* sftp(1): when doing an sftp recursive upload or download of a
read-only directory, ensure that the directory is created with
write and execute permissions in the interim so that the transfer
can actually complete, then set the directory permission as the
final step. bz#3222
* ssh-keygen(1): document the -Z, check the validity of its argument
earlier and provide a better error message if it's not correct.
bz#2879
* ssh(1): ignore comments at the end of config lines in ssh_config,
similar to what we already do for sshd_config. bz#2320
* sshd_config(5): mention that DisableForwarding is valid in a
sshd_config Match block. bz#3239
* sftp(1): fix incorrect sorting of "ls -ltr" under some
circumstances. bz#3248
* ssh(1), sshd(8): fix potential integer truncation of (unlikely)
timeout values. bz#3250
* ssh(1): make hostbased authentication send the signature algorithm
in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
This makes HostbasedAcceptedAlgorithms do what it is supposed to:
filter on signature algorithm and not key type.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>