OpenBSD src changes summary for 2016-02-17
==========================================

lib/libcrypto                           regress/usr.bin
sys/kern                                usr.bin/ssh
usr.sbin/syslogd

== lib =============================================================== 01/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libcrypto

  ~ cert.pem

  > Sync some root certificates with Mozilla's cert store. ok bcook@
  > - Add new root certificates present in Mozilla cert store from CA
  > organizations who are already in cert.pem (AddTrust, Comodo, DigiCert,
  > Entrust, GeoTrust, USERTrust).
  > - Replace Startcom's root with their updated sha256 version present in
  > Mozilla cert store. (They maintained serial# etc so this is still valid
  > for existing signed certificates).
  > - Add two root certificates from CA not previously present:
  > "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate
  > Authority"
  > "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
  > We are still listing some certificates that have been removed from
  > Mozilla's store (1024-bit etc) however these cannot be removed until
  > cert validation is improved (we don't currently accept a certificate
  > as valid unless the CA is at the end of a chain). (sthen@)

== regress =========================================================== 02/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

usr.bin

  ~ ssh/proxy-connect.sh

  > include bad $SSH_CONNECTION in failure output (djm@)

== sys =============================================================== 03/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

kern

  ~ kern_pledge.c

  > Return ENOTTY for TIOCFLUSH when allowed by pledge but the fd is
  > not a tty. Fixes a pledge failure in telnet when piping the output.
  > OK deraadt@ (millert@)

== usr.bin =========================================================== 04/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

ssh

  ~ servconf.c                            ~ sshd_config

  > make sandboxed privilege separation the default, not just for new
  > installs; "absolutely" deraadt@ (djm@)

  ~ ssh-keygen.1                          ~ ssh-keysign.8
  ~ ssh.1                                 ~ ssh_config.5
  ~ sshd.8                                ~ sshd_config.5

  > since these pages now clearly tell folks to avoid v1, normalise
  > the docs from a v2 perspective (i.e. stop pointing out which bits
  > are v2 only);
  > ok/tweaks djm ok markus (jmc@)

  ~ ssh_config.5                          ~ sshd_config.5

  > rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly in
  > *KeyTypes options yet. Remove them from the lists of algorithms
  > for now. committing on behalf of markus@ ok djm@ (djm@)

  ~ packet.c

  > rekey refactor broke SSH1; spotted by Tom G. Christensen (djm@)

== usr.sbin ========================================================== 05/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

syslogd

  ~ syslogd.c

  > Prevent an integer overflow in syslogd when parsing the priority.
  > From Michael Savage; input and OK mmcc@ (bluhm@)

===============================================================================
