[ssh_x509] PKIX-SSH release 13.3

ssh_x509 at roumenpetrov.info
Thu Feb 24 21:30:45 EET 2022

Dear list members,

A new, mostly bugfix, release 13.3 is available for download.
Apart from the use of poll/ppoll, the other features are not considered bug fixes because their functionality is experimental.

(x) Features:

* New compatible implementation of poll(2), based on a new ppoll(2) that uses pselect(2).
   This version starts the transition from select to poll.
   - switch ssh-keyscan from select to ppoll
   - switch sftp-server from select to poll
   - switch "packet" from select to ppoll
   - switch daemon from pselect to ppoll
   - unified management of limits in sandboxes due to poll requirements
   - use the compatible poll(2) implementation on OS X and Minix
   - do not enable the Capsicum sandbox by default on FreeBSD 9/10
   The remaining uses in the client and server loops will be converted in the future, once this use has stabilised.

* Use of the sftp protocol in the secure copy utility.
   This experimental feature includes the following corrections:
   - when secure copy transfers multiple files, create the destination directory if it does not already exist
   - return a "No such file or directory" message if expansion of a user path fails in the secure sftp server subsystem
   - fix some corner cases in the handling of tilde-prefixed paths
   - rewrite tilde_expand_filename to handle ~user paths with no trailing slash
   - use the status error message to communicate ~user expansion failures
   - show un-expanded paths in error messages
   - added extra debug messages on the sftp client side
   - set the default protocol from the environment
   Note that sftp mode is highly experimental and the secure copy utility will use the scp protocol by default.

* Update of host keys
   The implementation of this experimental feature was updated:
   - new model for host key updates
   - accept rsa/sha2 signatures on the client side
   - use rsa/sha2 signatures if the client supports them

(x) Bugs:
* improvements and spelling corrections in manual pages, documents and program comments
* atomicio* should return the bytes already read even on error
* do not set raw tty mode if command execution is not allowed
* use the proper parameter when decompressing zlib-compressed packets
* allow sha{384|512} key exchange hashes in the host-based authentication helper utility
* correct handling of pselect(2) exceptfds/POLLPRI in the ppoll(2) compatibility implementation
* check "revents" for POLLHUP wherever it is checked for POLLIN
* use the proper flag for the IPQoS le option
* modify ssh-keyscan to hash host:port when asked to
   (Fixes hashes for non-default ports.)
* suppress the "Connection to ... closed" message at log levels lower than "information"
* unify checks for the ipv4 loopback interface
   (Fixes an issue with BindInterface, which considered "localhost" to be the only local loopback interface.)
* do not use the closefrom() implementation from the GNU C library
   (It may die in a "chroot" environment if reading from /proc/self/fd fails. Also use close_range() if available, i.e. glibc 2.34.)
* remove the broken realpath compatibility implementation
   - revert the use of realpath when the "ssh user directory" is created, as it relies on broken functionality
   - use the specific realpath only in sftp server related code
   - re-enable the sftp protocol for secure copy regression tests
* fix memory leaks in pkcs11
* fix a memory leak in the ecdsa signature conversion function for X.509 algorithms
* fix a memory leak when the sftp client processes replies from the upload side
* improve the work-around for STREAMS-based ptys when the daemon acquires a controlling terminal

(x) Misc:
* clean up more buffers used in the bcrypt_pbkdf compatible implementation
* clean up the cached host key to ensure a cleaner OpenSSL shutdown
* allow gettid in secure computing mode
* modernise OCSP - use TLS_client_method() if OpenSSL >= 1.1
* some OpenSSL 3.0 compatibility improvements
* use the compatibility getline() on HP-UX 10.*
* seteuid breaks setuid on Minix
* remove the possibility to build without "revocation" code for X.509 certificates
* use mdb (memory-mapped database) in ldap regression tests
   (Note that bdb and hdb are removed in openldap 2.5+ and mdb is available in openldap 2.4+.)
* restored build on ancient OSes
   (A C99 compiler is not strictly required. For instance, the code builds fine with gcc 4.1.2 at its default language standard level, because if the compiler is gcc the configure script sets the language standard to gnu99 (-std=gnu99) when LLONG_MAX is not found by default.)

Roumen Petrov
