ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-02-07 13:21:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bump version to 2022.82

Browse Source
This commit is contained in:
Matt Johnston 2022-04-01 14:43:27 +08:00
parent c6e2d50310
commit b8669b063b
3 changed files with 30 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
CHANGES
View File

@ -1,21 +1,23 @@
Future Release 2022.82 - 1 April 2022
Features and Changes:
- Implement OpenSSH format private key handling for dropbearconvert. Features and Changes:
Keys can be read in OpenSSH format or the old PEM format, they will be Note >> for compatibility/configuration changes
written in OpenSSH format. (DSS has not been implemented).
ED25519 support is now correct. - Implemented OpenSSH format private key handling for dropbearconvert.
Keys can be read in OpenSSH format or the old PEM format.
>> Keys are now written in OpenSSH format rather than PEM.
ED25519 support is now correct. DSS keys are still PEM format.
- Use SHA256 for key fingerprints - Use SHA256 for key fingerprints
- Reworked -v verbose printing, specifying multiple times will increase - >> Reworked -v verbose printing, specifying multiple times will increase
verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it
can be configured at compile time in localoptions.h (see default_options.h) can be configured at compile time in localoptions.h (see default_options.h)
Lower -v options can be used to check connection progress or algorithm Lower -v options can be used to check connection progress or algorithm
negotiation. negotiation.
Thanks to Hans Harder for the implementation Thanks to Hans Harder for the implementation
> > localoptions.h DEBUG_TRACE should be set to 4 for the same result as the localoptions.h DEBUG_TRACE should be set to 4 for the same result as the
previous DEBUG_TRACE 1. previous DEBUG_TRACE 1.
- Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in
@ -23,7 +25,7 @@ Features and Changes:
Thanks to Egor Duda for the implementation Thanks to Egor Duda for the implementation
- autoconf output (configure script etc) is now committed to version control. - autoconf output (configure script etc) is now committed to version control.
It isn't necessary to run "autoconf" any more on a checkout. >> It isn't necessary to run "autoconf" any more on a checkout.
- sha1 will be omitted from the build if KEX/signing/MAC algorithms don't - sha1 will be omitted from the build if KEX/signing/MAC algorithms don't
require it. Instead sha256 is used for random number generation. require it. Instead sha256 is used for random number generation.
@ -34,12 +36,15 @@ Features and Changes:
(must only have characters a-z A-Z 0-9 .,_-+@) (must only have characters a-z A-Z 0-9 .,_-+@)
Patch from Hans Harder, modified by Matt Johnston Patch from Hans Harder, modified by Matt Johnston
- Let dbclient multihop mode be used with '-J'.
Patch from Hans Harder
- Allow home-directory relative paths ~/path for various settings - Allow home-directory relative paths ~/path for various settings
and command line options. and command line options.
*_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME
Thanks to Begley Brothers Inc Thanks to Begley Brothers Inc
> > The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs >> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs
a tilde prefix. a tilde prefix.
- LANG environment variable is carried over from the Dropbear server process - LANG environment variable is carried over from the Dropbear server process
@ -50,7 +55,7 @@ Features and Changes:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
- Added client option "-o DisableTrivialAuth". This can be used to prevent - Added client option "-o DisableTrivialAuth". This can be used to prevent
the server immediately allowing successful authentication (before any auth the server immediately accepting successful authentication (before any auth
request) which could cause UI confusion and security issues with agent request) which could cause UI confusion and security issues with agent
forwarding - it isn't clear which host is prompting to use a key. forwarding - it isn't clear which host is prompting to use a key.
Thanks to Manfred Kaiser from Austrian MilCERT Thanks to Manfred Kaiser from Austrian MilCERT
@ -61,14 +66,14 @@ Features and Changes:
This should be used with caution. This should be used with caution.
Patch from Roland Vollgraf (github #118) Patch from Roland Vollgraf (github #118)
- Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to - >> Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to
AF21 "interactive". Previously TOS classes were used, they are not used by AF21 "interactive". Previously TOS classes were used, they are not used by
modern traffic classifiers. Non-tty traffic is left at default priority. modern traffic classifiers. Non-tty traffic is left at default priority.
- Disable dh-group1 key exchange by default. It has been disabled server - >> Disable dh-group1 key exchange by default. It has been disabled server
side by default since 2018. side by default since 2018.
- Removed Twofish cipher - >> Removed Twofish cipher
Fixes: Fixes:
@ -86,6 +91,9 @@ Fixes:
- A missing home directory is now non-fatal, starting in / instead - A missing home directory is now non-fatal, starting in / instead
- Fixed IPv6 [address]:port parsing for dbclient -b
Reported by Fabio Molinari
- Improve error logging so that they are logged on the server rather than being - Improve error logging so that they are logged on the server rather than being
sent to the client over the connection sent to the client over the connection
@ -107,6 +115,7 @@ Infrastructure:
- Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can - Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can
handle the structure of SSH packet streams. Added cifuzz to run on commits handle the structure of SSH packet streams. Added cifuzz to run on commits
and pull requests. and pull requests.
Thanks to OSS-Fuzz for the tools/clusters and reward funding.
- Dropbear source tarballs generated by release.sh are now reproducible from a - Dropbear source tarballs generated by release.sh are now reproducible from a
Git or Mercurial checkout, they will be identical on any system. Tested Git or Mercurial checkout, they will be identical on any system. Tested

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
dropbear (2022.82-0.1) unstable; urgency=low
* New upstream release.
-- Matt Johnston <matt@ucc.asn.au> Fri, 1 Apr 2022 22:51:57 +0800
dropbear (2020.81-0.1) unstable; urgency=low dropbear (2020.81-0.1) unstable; urgency=low
* New upstream release. * New upstream release.

2
sysoptions.h
View File

@ -4,7 +4,7 @@
*******************************************************************/ *******************************************************************/
#ifndef DROPBEAR_VERSION #ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "2020.81" #define DROPBEAR_VERSION "2022.82"
#endif #endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION