[ANNOUNCEMENT] cygwin 3.4.9-1

2023-09-06 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.9-1
* cygwin-devel-3.4.9-1
* cygwin-doc-3.4.9-1

Bug Fixes
---------

- Fix a bug introduced in cygwin 3.4.0 that switch_to_nat_pipe flag is
  not cleared properly when non-cygwin app is terminated in the case
  where pseudo console is not activated.

- For the time being, disable creating special files using mknod/mkfifo
  on NFS.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-August/254266.html

- Fix segfault when too many command line args are specified.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-August/254333.html

- Fix build problems in terms of sys/cpuset.h.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-August/254283.html

-- 
Problem reports:  https://cygwin.com/problems.html
FAQ:  https://cygwin.com/faq/
Documentation:    https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple


[ANNOUNCEMENT] cygwin 3.4.8-1

2023-08-17 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.8-1
* cygwin-devel-3.4.8-1
* cygwin-doc-3.4.8-1

Bug Fixes
---------

- Make  safe for c89 compilations.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2023q3/012308.html

- Make gcc-specific code in  compiler-agnostic.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-July/253927.html

- Fix AT_EMPTY_PATH handling in fchmodat and fstatat if dirfd refers to
  a file other than a directory
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2023q2/012306.html

- Rename internal macros _NL_CTYPE_OUTDIGITSx_MB/WC to GLibc compatible
  _NL_CTYPE_OUTDIGITx_MB/WC.
  Addresses:
  https://cygwin.com/pipermail/cygwin-developers/2023-July/012637.html

- Fix memory leak in printf() regarding gdtoa-based _ldtoa_r().
  Addresses: https://cygwin.com/pipermail/cygwin/2023-July/254054.html

- Fix a bug introduced in cygwin 3.4.5 that open_shared() does not set
  access permissions as requested by its argument.



[ANNOUNCEMENT] openssh 9.4p1-1

2023-08-10 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.4p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.



OpenSSH 9.4 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.3p2
===========================

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes


 * This release removes support for older versions of libcrypto.
   OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
   Note that these versions are already deprecated by their upstream
   vendors.

 * ssh-agent(1): PKCS#11 modules must now be specified by their full
   paths. Previously dlopen(3) could search for them in system
   library directories.

New features


 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
   extensions.  This defines wire formats for optional KRL extensions
   and implements parsing of the new submessages. No actual extensions
   are supported at this point.

 * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
   accept two additional %-expansion sequences: %D which expands to
   the routing domain of the connected session and %C which expands
   to the addresses and port numbers for the source and destination
   of the connection.

 * ssh-keygen(1): increase the default work factor (rounds) for the
   bcrypt KDF used to derive symmetric encryption keys for passphrase
   protected key files by 50%.

Bugfixes


 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
   by running separate ssh-pkcs11-helpers for each loaded provider.

 * ssh(1): make -f (fork after authentication) work correctly with
   multiplexed connections, including ControlPersist. bz3589 bz3589

 * ssh(1): make ConnectTimeout apply to multiplexing sockets and not
   just to network connections.

 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
   modules being loaded by checking that the requested module
   contains the required symbol before loading it.

 * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
   appears before it in sshd_config. Since OpenSSH 8.7 the
   AuthorizedPrincipalsCommand directive was incorrectly ignored in
   this situation. bz3574

 * sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
   signatures. When the KRL format was originally defined, it included
   support for signing of KRL objects. However, the code to sign KRLs
   and verify KRL signatures was never completed in OpenSSH. This
   release removes the partially-implemented code to verify KRLs.
   All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
   KRL files.

 * All: fix a number of memory leaks and unreachable/harmless integer
   overflows.

 * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
   modules; GHPR406

 * sshd(8), ssh(1): better validate CASignatureAlgorithms in
   ssh_config and sshd_config. Previously this directive would accept
   certificate algorithm names, but these were unusable in practice as
   OpenSSH does not support CA chains. bz3577

 * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
   algorithms that are valid for CA signing. Previous behaviour was
   to list all signing algorithms, including certificate algorithms.

 * ssh-keyscan(1): gracefully handle systems where rlimits or the
   maximum number of open files is larger than INT_MAX; bz3581

 * ssh-keygen(1): fix "no comment" not showing when running
   `ssh-keygen -l` on multiple keys where one has a comment and other
   following keys do not. bz3580

 * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
   reorder requests. Previously, if the server reordered requests then
   

[ANNOUNCEMENT] rebase 4.6.5-1

2023-08-08 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.6.5-1

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.

Changes:

- Add peflags -p, --timestamp option

  This allows setting the header timestamp to 0 or some other fixed
  value (SOURCE_DATE_EPOCH) to support reproducible builds.

- Add peflags -k, --checksum option

  This allows fixing the file checksum in the PE header.
  An invalid checksum may break reproducible builds or may
  increase the risk of false positive malware detections.
  The checksum calculation is done by a new self-contained module
  'pechecksum.c' which could also be built as a stand-alone tool
  or later added to rebase.

- Add rebase -c, --checksum option

  If specified, the file checksum in the PE header is updated after
  rebasing.



[ANNOUNCEMENT] openssh 9.3p2-1

2023-07-21 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.3p2-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

===
OpenSSH 9.3p2 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.3
=========================

This release fixes a security bug.

Security


Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:

* Exploitation requires the presence of specific libraries on
  the victim system.
* Remote exploitation requires that the agent was forwarded
  to an attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.

This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.

In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).

Potentially-incompatible changes


 * ssh-agent(8): the agent will now refuse requests to load PKCS#11
   modules issued by remote clients by default. A flag has been added
   to restore the previous behaviour "-Oallow-remote-pkcs11".

   Note that ssh-agent(8) depends on the SSH client to identify
   requests that are remote. The OpenSSH >=8.9 ssh(1) client does
   this, but forwarding access to an agent socket using other tools
   may circumvent this restriction.

Checksums:
==========

- SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4
- SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com


-- 
Problem reports:  https://cygwin.com/problems.html
FAQ:  https://cygwin.com/faq/
Documentation:    https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
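
Added example (not part of the announcement and not OpenSSH code): two checks a defender can run for the CVE-2023-38408 conditions described above. It compares an `ssh -V` version string against upstream 9.3p2 and lists ssh_config blocks that enable agent forwarding. The function names and sample inputs are constructed, and packages that backport the fix under an older version number are not recognised.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed for illustration.

# Return 0 if a version string as printed by `ssh -V` is upstream 9.3p2 or
# later, 1 if it is older, 2 if it cannot be parsed.
has_agent_pkcs11_fix() {
    v=${1#OpenSSH_}          # "9.3p2, OpenSSL ..."
    v=${v%%[, ]*}            # "9.3p2"
    case $v in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt 9 ] && return 0
    [ "$major" -lt 9 ] && return 1
    [ "$minor" -gt 3 ] && return 0
    [ "$minor" -lt 3 ] && return 1
    [ "$patch" -ge 2 ]
}

# Read ssh_config text on stdin and print the Host/Match header of every
# block that turns agent forwarding on. Any ForwardAgent value other than
# "no" (yes, a socket path, an environment variable) enables forwarding.
forwardagent_hosts() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            header = $0
            gsub(/=/, " ")               # accept the Keyword=value form
            key = tolower($1)
            if (key == "host" || key == "match") {
                block = header
            } else if (key == "forwardagent" && tolower($2) != "no") {
                where = (block == "") ? "(global)" : block
                print where
            }
        }'
}

# Constructed sample configuration.
sample_config='Host bastion
    ForwardAgent yes
Host build-*
    forwardagent=no
Host legacy
    ForwardAgent $SSH_AUTH_SOCK'

echo "Blocks that forward the agent:"
printf '%s\n' "$sample_config" | forwardagent_hosts

# Constructed version banners in the format `ssh -V` prints.
for banner in 'OpenSSH_9.3p1, OpenSSL 1.1.1t' 'OpenSSH_9.3p2, OpenSSL 1.1.1u'; do
    if has_agent_pkcs11_fix "$banner"; then
        echo "has fix:      $banner"
    else
        echo "needs update: $banner"
    fi
done
```

Where an agent has to keep running on an older build, the announcement's `ssh-agent -P ''` start-up leaves the allowlist empty so no provider library can be loaded.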


[ANNOUNCEMENT] cygwin 3.4.7-1

2023-06-16 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.7-1
* cygwin-devel-3.4.7-1
* cygwin-doc-3.4.7-1

Bug Fixes
---------

- Fix CPU_SET(3) macro type mismatch by making the macros type-safe.
  Addresses https://cygwin.com/pipermail/cygwin/2023-March/253220.html

- kill(1): don't print spurious error message.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-March/253291.html

- Align behaviour of dirname in terms of leading slashes to POSIX:
  https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html

- Fix reading CONIN$ in non cygwin apps when stdin is not a pty.
  Addresses https://cygwin.com/pipermail/cygwin/2023-April/253424.html

- Fix bug in cygheap allocation size computation after fork.  Addresses:
  https://cygwin.com/pipermail/cygwin-developers/2023-April/012620.html

- Fix return value of ilogbl(NaN).
  Addresses: https://cygwin.com/pipermail/cygwin/2023-April/253511.html

- Fix error handling in readlinkat.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-April/253510.html

- Fix return code and errno set by renameat2, if oldfile and newfile
  refer to the same file, and the RENAME_NOREPLACE flag is set.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-April/253514.html




[ANNOUNCEMENT] gawk 5.2.2-1

2023-06-05 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* gawk-5.2.2-1

The gawk package contains the GNU version of awk, a text
processing utility. Awk interprets a special-purpose programming
language to do quick and easy text pattern matching and
reformatting jobs.

Install the gawk package if you need a text processing utility.
Gawk is considered to be a standard Linux tool for processing text.



[ANNOUNCEMENT] tcsh 6.24.10-1

2023-04-18 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.10-1

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.



[ANNOUNCEMENT] rebase 4.6.3-1

2023-04-18 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.6.3-1

This release introduces a new flag -c / --control-flow-guard to
set the Control Flow Guard flag on executables per
https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.



[ANNOUNCEMENT] csih 0.9.13-1

2023-03-18 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* csih-0.9.13-1

New: getVolInfo now prints all the latest known filesystem flags.

CSIH (cygwin-service-installation-helper) is a script
library used to assist installing cygwin services, such as sshd.
It is derived in part from various other sources. It is intended
to be 'sourced' by configuration scripts such as ssh-host-config,
syslog-config, or iu-config, and that script can then make use of
the shell functions defined by this package.



[ANNOUNCEMENT] bsdgrep 2.6.0-1

2023-03-17 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* bsdgrep-2.6.0-1

The FreeBSD versions of the commonly used grep utility, called bsdgrep.
Bsdgrep searches through textual input for lines which contain a match to a
specified pattern and then prints the matching lines.



[ANNOUNCEMENT] openssh 9.3p1-1

2023-03-16 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.3p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Upstream announcement:

OpenSSH 9.3 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.2
=========================

This release fixes a number of security bugs.

Security


This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

New features


 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493

 * sshd(8): add a `sshd -G` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes


 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 * sftp-server(8): fix a memory leak. GHPR363

 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
   compatibility code and simplify what's left.

 * Fix a number of low-impact Coverity static analysis findings.
   These include several reported via bz2687

 * ssh_config(5), sshd_config(5): mention that some options are not
   first-match-wins.

 * Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
   says it should; bz3532.

 * ssh(1): ensure that there is a terminating newline when adding a
   new entry to known_hosts; bz3529

Portability
-----------

 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
   mmap(2), madvise(2) and futex(2) flags, removing some concerning
   kernel attack surface.

 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
   bz3537

Checksums:
==========

- SHA1 (openssh-9.3.tar.gz) = 5f9d2f73ddfe94f3f0a78bdf46704b6ad7b66ec7
- SHA256 (openssh-9.3.tar.gz) = eRcXkFZByz70DUBUcyIdvU0pVxP2X280FrmV8pyUdrk=

- SHA1 (openssh-9.3p1.tar.gz) = 610959871bf8d6baafc3525811948f85b5dd84ab
- SHA256 (openssh-9.3p1.tar.gz) = 6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com


-- 
Problem reports:  https://cygwin.com/problems.html
FAQ:  https://cygwin.com/faq/
Documentation:    https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
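
Added example (not from the announcements and not OpenSSH project code): the 9.3p2 and 9.3p1 notes above publish their SHA256 digests in base64, so comparing them directly with `sha256sum` output always fails. This shell sketch pulls the digest out of the announcement text, decodes it to hex and compares. The function names are constructed, GNU coreutils (`sha256sum`, `base64`, `od`) are assumed, and an empty temporary file stands in for a downloaded tarball.

```shell
#!/bin/sh
# Added example: function names and the sample file are constructed for illustration.

# Print the digest published for tarball $1, reading BSD-style
# "SHA256 (file) = digest" lines from stdin.
published_sha256() {
    awk -v name="($1)" '{
        for (i = 1; i + 3 <= NF; i++)
            if ($i == "SHA256" && $(i + 1) == name && $(i + 2) == "=") {
                print $(i + 3)
                exit
            }
    }'
}

# Convert a base64 digest to lowercase hex, the form sha256sum prints.
# od -v keeps repeated bytes from being collapsed into a "*" line.
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if file $1 has the SHA-256 digest given in base64 as $2,
# 1 on mismatch or unreadable file, 2 if $2 does not decode to 32 bytes.
verify_sha256_b64() {
    want=$(b64_to_hex "$2")
    [ "${#want}" -eq 64 ] || return 2
    [ -r "$1" ] || return 1
    have=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$have" = "$want" ]
}

# Checksum lines as they appear in the 9.3p2 announcement above.
announcement='- SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4
- SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug='

digest=$(printf '%s\n' "$announcement" | published_sha256 openssh-9.3p2.tar.gz)
echo "published digest as hex: $(b64_to_hex "$digest")"

# Constructed stand-in for a download: an empty file. Its SHA-256 in base64
# is 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
sample=$(mktemp)
if verify_sha256_b64 "$sample" '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; then
    echo "empty file: digest matches"
fi
if ! verify_sha256_b64 "$sample" "$digest"; then
    echo "empty file: does not match the published openssh-9.3p2.tar.gz digest"
fi
rm -f "$sample"
```

A matching digest only shows the download equals what the announcement describes; the release key named in the announcement is what ties the tarball to the OpenSSH project.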


[ANNOUNCEMENT] libcbor 0.9.0-3

2021-11-17 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.9.0-3
* libcbor-devel-0.9.0-3

Rebuild, removing the DLLs and just providing a library for static linking.

libcbor is a C library for parsing and generating CBOR.



[ANNOUNCEMENT] libfido2 1.9.0-2

2021-11-17 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.9.0-2
* libfido2-devel-1.9.0-2

This is a rebuild, statically linked against libcbor, to avoid problems
with missing binary compatibility between libcbor 0.X versions.


libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.



[ANNOUNCEMENT] libfido2 1.9.0-1

2021-11-15 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.9.0-1
* libfido2-devel-1.9.0-1

libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.

WINDOWS 10 hint:

  On Windows 1903 and newer versions, access to FIDO devices has been
  restricted to applications using the operating system's native WebAuthn
  API.  This change has been included into libfido2 in the meantime, but
  for some reason it doesn't work with ssh yet.




[ANNOUNCEMENT] libcbor 0.9.0-2

2021-11-15 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.9.0-2
* libcbor-devel-0.9.0-2

libcbor is a C library for parsing and generating CBOR.



[ANNOUNCEMENT] libcbor 0.8.0-2

2021-11-12 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.8.0-2
* libcbor-devel-0.8.0-2

libcbor is a C library for parsing and generating CBOR.



[ANNOUNCEMENT] libcbor 0.8.0-1

2021-11-12 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.8.0-1
* libcbor-devel-0.8.0-1

libcbor is a C library for parsing and generating CBOR.



[ANNOUNCEMENT] tcsh 6.23.00-1

2021-11-11 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.23.00-1

I am pleased to announce that tcsh-6.23 is now available; this is mainly
a bug fix release (after 2 years) with a couple of new features:

1. Add "jobs -Z" to setproctitle(3)
2. Add ln=target in LS_COLORS
3. Add a :Q modifier that preserves empty arguments

Please consult the Fixes file for a complete list of changes.

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.



[ANNOUNCEMENT] cygwin 3.3.2-1

2021-11-08 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.2-1
* cygwin-devel-3.3.2-1
* cygwin-doc-3.3.2-1

Bug Fixes
---------

- Fix bug that Ctrl-C sometimes does not work as expected in Windows Terminal.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249749.html

- Fix a float rounding issue in newlib.
  Addresses: https://sourceware.org/pipermail/newlib/2021/018626.html

- Fix a permission problem when writing ACLs on Samba.

- Fix the issue that pipe reader falsely detects EOF if the output of
  the C# program is redirected to the pipe.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249777.html



[ANNOUNCEMENT] pl 8.4.0-1

2021-11-08 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* pl-8.4.0-1
* pl-devel-8.4.0-1
* pl-doc-8.4.0-1
* pl-odbc-8.4.0-1
* pl-xpce-8.4.0-1





[ANNOUNCEMENT] pl 7.6.4-1 (SWI-Prolog)

2021-11-04 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* pl-7.6.4-1
* pl-devel-7.6.4-1
* pl-doc-7.6.4-1
* pl-odbc-7.6.4-1
* pl-static-7.6.4-1
* pl-xpce-7.6.4-1

This is the last stable release of SWI-Prolog 7.x.  While SWI-Prolog
moved to 8.x quite some time ago, a change in the build system requires
a lot more work, so this 7.6.4 release at least updates the package to
openssl 1.1 for the time being.



[ANNOUNCEMENT] syslog-ng 3.2.5-3

2021-10-30 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* syslog-ng-3.2.5-3

This is just a rebuild updating from OpenSSL 1.0 to OpenSSL 1.1.

Syslog-ng is a next generation system logger daemon which provides more
capabilities and has a more flexible configuration than the traditional
syslog daemon.



[ANNOUNCEMENT] gawk 5.1.1-1

2021-10-29 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* gawk-5.1.1-1

The gawk package contains the GNU version of awk, a text
processing utility. Awk interprets a special-purpose programming
language to do quick and easy text pattern matching and
reformatting jobs.

Install the gawk package if you need a text processing utility.
Gawk is considered to be a standard Linux tool for processing text.



[ANNOUNCEMENT] cygwin 3.3.1-1 [with DEPRECATION NOTES]

2021-10-29 Thread Corinna Vinschen via Cygwin-announce via Cygwin
[Sending announcement once more to reinforce the deprecation notes]

The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.1-1
* cygwin-devel-3.3.1-1
* cygwin-doc-3.3.1-1

==================================
   IMPORTANT DEPRECATION NOTES
==================================

- Cygwin 3.3 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  moving to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4, which will probably be released at some point in 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

==================================

Bug Fixes
---------

- Fix a fix in 3.3.0 which broke Vista / Server 2008 by using a Windows
  function introduced with Windows 7 only, namely TryAcquireSRWLockExclusive.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-October/249732.html




[ANNOUNCEMENT] cygwin 3.3.1-1

2021-10-28 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.1-1
* cygwin-devel-3.3.1-1
* cygwin-doc-3.3.1-1

Bug Fixes
---------

- Fix a fix in 3.3.0 which broke Vista / Server 2008 by using a Windows
  function introduced with Windows 7 only, namely TryAcquireSRWLockExclusive.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-October/249732.html



[ANNOUNCEMENT] cygwin 3.3.0-1

2021-10-28 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.0-1
* cygwin-devel-3.3.0-1
* cygwin-doc-3.3.0-1

==
   IMPORTANT DEPRECATION NOTES
==

- Cygwin 3.3.0 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3.0 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  moving to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4.0, which will probably be released at some point in 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

==


What's new:
---

- An IP-sampling profiler named 'profiler' has been added.  It can be used
  to profile any Cygwin program along with any DLLs loaded.

- A new tool 'gmondump' has been added.  It can dump the raw information
  of any "gmon.out" file created by profiler, ssp, or use of the gcc/g++
  option '-pg'.  (Continue using gprof to get symbolic profile displays.)

- New GNU-specific APIs, slated to become part of the next POSIX standard:
  pthread_cond_clockwait, pthread_mutex_clocklock, pthread_rwlock_clockrdlock,
  pthread_rwlock_clockwrlock, sem_clockwait.

- New Solaris-specific APIs, slated to become part of the next POSIX standard:
  sig2str, str2sig.


What changed:
-

- The speed argument to cfsetspeed(3) can now be a numerical baud rate
  rather than a Bnnn constant, as on Linux.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248887.html

- The internal implementation of pipes has been overhauled; this
  should result in improved performance.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-August/249238.html


Bug Fixes
-

- Fix values returned by select(2) for shutdown sockets.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-April/012092.html

- Introduce a new hypotl(3) function not suffering unnecessary overflows.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-April/248302.html

- Fix path handling for paths spanning native symlinks.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-April/248307.html

- Fix tab position evaluation after console window resize.

- Fix a regression in pseudo console handling, resulting in rlwrap not
  being able to start a new pseudo console.

- Handle two race conditions in pseudo console usage.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-April/248292.html

- Fix a bug in recognizing a successful completion of connect(2) on a
  datagram socket.

- Fix connect(2) when called with an address structure whose family is
  AF_UNSPEC.  As specified by POSIX and Linux, this is allowed on
  datagram sockets, and its effect is to reset the socket's peer
  address.

- Fix nanosleep(2) returning negative rem. NtQueryTimer appears to be able to
  return a negative remaining time (less than the timer resolution) for
  unsignalled timers.

- Fix getifaddrs(3) returning address family 0 or IPv4 address 0.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248970.html

- Fix getaddrinfo(3) to return valid ai_socktype and ai_protocol values
  if the underlying GetAddrInfoW screws up.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248985.html

- Fix duplicate /proc/partitions entries and (presumably) duplicate PIDs
  in ps(1) output.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248998.html
             https://cygwin.com/pipermail/cygwin/2021-August/249124.html

- Fix pty master closing error regarding attach_mutex.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-October/012418.html

- Fix access violation that can sometimes occur when copy/pasting between
  32-bit and 64-bit Cygwin environments.  Align clipboard descriptor layouts.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011517.html

- Fix a synchronization issue when running multiple threads from DLL
  initialization which in turn call malloc.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-October/249635.html



[ANNOUNCEMENT] lynx 2.8.9-13

2021-10-27 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* lynx-2.8.9-13

Lynx is a text-based Web browser. Lynx does not display any images,
but it does support frames, tables, and most other HTML tags. One
advantage Lynx has over graphical browsers is speed; Lynx starts and
exits quickly and swiftly displays web pages.



[ANNOUNCEMENT] [HEADSUP] Phasing out old Windows versions and 32 bit support

2021-10-27 Thread Corinna Vinschen via Cygwin-announce via Cygwin
[I sent this announcement to the Cygwin mailing list accidentally.
 Now sending it to cygwin-announce, too, to reach more people.  Please
 reply on the cygwin mailing list if you have any concerns or comments]


Hi folks,


The upcoming version 3.3.0 is the last version officially supporting
Windows Vista and Windows Server 2008.

The next major release 3.4.0 will be released in 2022 and will be the
last one officially supporting Windows 7, Windows 8, Windows Server 2008
R2, and Windows Server 2012.

We're also planning to drop support for the 32 bit release of Cygwin in
2022, thus Cygwin 3.4.0 won't come in 32 bit anymore, and the package
maintainers won't have to update 32 bit packages anymore.  If you're
still running Cygwin under WOW64, consider moving to 64 bit in the next
couple of months.


Corinna



[ANNOUNCEMENT] ssmtp 2.64-10

2021-10-26 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* ssmtp-2.64-10

A secure, effective and simple way of getting mail off a system to
your mail hub. It contains no suid-binaries or other dangerous
things - no mail spool to poke around in, and no daemons running
in the background. Mail is simply forwarded to the configured
mailhost. Extremely easy configuration.

WARNING: the above is all it does; it does not receive mail,
expand aliases or manage a queue. That belongs on a mail hub with
a system administrator.



[ANNOUNCEMENT] openssl10 1.0.2u-1

2021-10-21 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libssl1.0-1.0.2u-1
* libssl1.0-devel-1.0.2u-1

The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.



[ANNOUNCEMENT] openssl 1.1.1l-1

2021-10-21 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssl-1.1.1l-1
* openssl-perl-1.1.1l-1
* libssl1.1-1.1.1l-1
* libssl-devel-1.1.1l-1

The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.



[ANNOUNCEMENT] openssh 8.8p1-1

2021-10-20 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.8p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official release message:

-

OpenSSH 8.8 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-p...@openssh.com" to support
this.

Security


sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).

Potentially-incompatible changes


This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for https://eprint.iacr.org/2020/014.pdf

Changes since OpenSSH 8.7
=

This release is motivated primarily by the above deprecation and
security fix.

New features

 * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
   directive to accept a "none" argument to specify the default
   behaviour.

Bugfixes


 * scp(1): when using the SFTP protocol, continue transferring files
   after a transfer error occurs, better matching original scp/rcp
   behaviour.

 * ssh(1): fixed a number of memory leaks in multiplexing,

 * ssh-keygen(1): avoid crash when using the -Y find-principals
   command.

 * A number of documentation and manual improvements, including
   bz#3340, PR#139, PR#215, PR#241, PR#257

Portability
---

 * ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)

 * ssh(1)/sshd(8): some fixes to the pselect(2) replacement
   compatibility code. bz#3345

Checksums:
==

 - SHA1 (openssh-8.8.tar.gz) = 732947082a8998047e839cc0b4c066bf0a7e1a5b
 - SHA256 (openssh-8.8.tar.gz) = AngyrPSQH255hnzU1l7y+LlVAUNcGWtuYQIFEl22nRo=

 - SHA1 (openssh-8.8p1.tar.gz) = 1eb964897a4372f6fb96c7effeb509ec71c379c9
 - SHA256 (openssh-8.8p1.tar.gz) = RZCJDqm7ms5Pca4zF4WjpYIyMkNRYZYO1fyGWI8zH+k=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Please note that the OpenPGP key used to sign releases has been
rotated for this release. The new key has been signed by the previous
key to provide continuity.

Reporting Bugs:
===

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com


-- 
Problem reports:  
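One way to check a host for exposure to the supplemental-groups issue in the Security section above is to compare the sshd version with the affected range (6.2 through 8.7) and look for the helper directives in sshd_config. This is an added example, not part of the announcement or of OpenSSH; the config fragment is constructed, the function names are hypothetical, and treating a value of "none" as disabled is an assumption.

```python
import re

# Affected range as stated in the release notes: OpenSSH 6.2 through 8.7.
FIRST_AFFECTED = (6, 2)
LAST_AFFECTED = (8, 7)

# Helper-command directive -> directive naming the user the helper runs as.
HELPER_USER = {
    "authorizedkeyscommand": "authorizedkeyscommanduser",
    "authorizedprincipalscommand": "authorizedprincipalscommanduser",
}

# Constructed sshd_config fragment, for illustration only.
SAMPLE_CONFIG = """\
# Constructed sshd_config fragment for illustration
Port 22
AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser keyfetch
AuthorizedPrincipalsCommand none
"""


def parse_version(banner):
    """Extract (major, minor) from a string such as 'OpenSSH_8.7p1'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("not an OpenSSH version string: %r" % banner)
    return (int(m.group(1)), int(m.group(2)))


def is_affected(banner):
    """True if the version lies in the range named in the release notes."""
    return FIRST_AFFECTED <= parse_version(banner) <= LAST_AFFECTED


def parse_directives(config_text):
    """Return [(line_number, lowercase_keyword, value)] for sshd_config text."""
    directives = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or one '='.
        m = re.match(r"(\w+)[ \t]*=?[ \t]*(.*)$", line)
        if m is None:
            continue
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        directives.append((lineno, m.group(1).lower(), value))
    return directives


def audit(config_text, banner):
    """List helper commands that run as a configured user on an affected sshd.

    Directives inside Match blocks are included: any occurrence counts.
    """
    if not is_affected(banner):
        return []
    directives = parse_directives(config_text)
    findings = []
    for lineno, key, value in directives:
        user_key = HELPER_USER.get(key)
        # Assumption: an empty value or "none" means the helper is disabled.
        if user_key is None or value.lower() in ("", "none"):
            continue
        run_as = [v for _, k, v in directives if k == user_key]
        if run_as:
            findings.append({
                "line": lineno,
                "directive": key,
                "command": value,
                "run_as": run_as,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "OpenSSH_8.7p1"):
        print(finding)
```

For each finding, compare the groups sshd itself was started with against what the helper's user should have, since those are the groups the helper inherits on affected versions.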
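The note in the Checksums section above, that the SHA256 values are base64 rather than hexadecimal, is where comparisons against `sha256sum` output go wrong. The parser below is an added example, not part of the announcement or of OpenSSH: it reads the announcement's checksum lines and accepts either encoding; the function names and the sample data in the usage section are hypothetical and constructed.

```python
import base64
import binascii
import hashlib
import hmac
import re

DIGEST_SIZE = {"SHA1": 20, "SHA256": 32}
CHECKSUM_LINE = re.compile(r"^\s*-?\s*(SHA1|SHA256) \((.+)\) = (\S+)\s*$")

# The four checksum lines as they appear in the announcement above.
ANNOUNCED = """\
 - SHA1 (openssh-8.8.tar.gz) = 732947082a8998047e839cc0b4c066bf0a7e1a5b
 - SHA256 (openssh-8.8.tar.gz) = AngyrPSQH255hnzU1l7y+LlVAUNcGWtuYQIFEl22nRo=
 - SHA1 (openssh-8.8p1.tar.gz) = 1eb964897a4372f6fb96c7effeb509ec71c379c9
 - SHA256 (openssh-8.8p1.tar.gz) = RZCJDqm7ms5Pca4zF4WjpYIyMkNRYZYO1fyGWI8zH+k=
"""


def decode_digest(algorithm, text):
    """Return raw digest bytes from a hex or base64 string.

    A 64-character hex SHA-256 is also syntactically valid base64 (it would
    decode to 48 bytes), so the encoding is chosen by exact length, not by
    whichever decoder happens to succeed first.
    """
    size = DIGEST_SIZE[algorithm]
    if len(text) == 2 * size and re.fullmatch(r"[0-9a-fA-F]+", text):
        return bytes.fromhex(text)
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("neither hex nor base64: %r" % text) from exc
    if len(raw) != size:
        raise ValueError("wrong digest length for %s: %d bytes" % (algorithm, len(raw)))
    return raw


def parse_checksums(text):
    """Return [(algorithm, filename, raw_digest)] for every checksum line."""
    entries = []
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            algorithm, filename, value = m.groups()
            entries.append((algorithm, filename, decode_digest(algorithm, value)))
    return entries


def verify_blob(data, filename, checksum_text):
    """True only if every checksum listed for filename matches data."""
    wanted = [e for e in parse_checksums(checksum_text) if e[1] == filename]
    if not wanted:
        return False
    ok = True
    for algorithm, _, expected in wanted:
        actual = hashlib.new(algorithm.lower(), data).digest()
        # Check every entry; compare_digest avoids early-exit comparison.
        ok = hmac.compare_digest(actual, expected) and ok
    return ok


if __name__ == "__main__":
    for algorithm, filename, raw in parse_checksums(ANNOUNCED):
        print(algorithm, filename, raw.hex())
    # Constructed data standing in for a downloaded tarball.
    blob = b"constructed sample bytes"
    line = "SHA256 (sample.tar.gz) = " + base64.b64encode(
        hashlib.sha256(blob).digest()).decode()
    print(verify_blob(blob, "sample.tar.gz", line))
```

A matching checksum only shows the download equals what the announcement lists; the signature made with the release key mentioned above is what ties the file to the project.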

[ANNOUNCEMENT] openssh 8.7p1-1

2021-08-21 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.7p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official release message:
-

OpenSSH 8.7 was released on 2021-08-20. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Imminent deprecation notice
===

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to
assist the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

Potentially-incompatible changes


This release includes a number of changes that may affect existing
configurations:

 * scp(1): this release changes the behaviour of remote to remote
   copies (e.g. "scp host-a:/path host-b:") to transfer through the
   local host by default. This was previously available via the -3
   flag. This mode avoids the need to expose credentials on the
   origin hop, avoids triplicate interpretation of filenames by the
   shell (by the local system, the copy origin and the destination)
   and, in conjunction with the SFTP support for scp(1) mentioned
   below, allows use of all authentication methods to the remote
   hosts (previously, only non-interactive methods could be used).
   A -R flag has been added to select the old behaviour.

 * ssh(1)/sshd(8): both the client and server are now using a
   stricter configuration file parser. The new parser uses more
   shell-like rules for quotes, space and escape characters. It is
   also more strict in rejecting configurations that include options
   lacking arguments. Previously some options (e.g. DenyUsers) could
   appear on a line with no subsequent arguments. This release will
   reject such configurations. The new parser will also reject
   configurations with unterminated quotes and multiple '='
   characters after the option name.

 * ssh(1): when using SSHFP DNS records for host key verification,
   ssh(1) will verify all matching records instead of just those
   with the specific signature type requested. This may cause host
   key verification problems if stale SSHFP records of a different
   or legacy signature type exist alongside other records for a
   particular host. bz#3322

 * ssh-keygen(1): when generating a FIDO key and specifying an
   explicit attestation challenge (using -Ochallenge), the challenge
   will now be hashed by 

[ANNOUNCEMENT] libfido2 1.5.0-2

2021-08-06 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.5.0-2
* libfido2-devel-1.5.0-2

libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.

libfido2-1.5.0-2 is equivalent to libfido2-1.5.0-1.  It just adds a
package dependency from libfido2-devel to libcbor-devel.



[ANNOUNCEMENT] openssh 8.6p1-1

2021-08-06 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.6p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official announce message:
--
OpenSSH 8.6 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near
future.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to assist
the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

Security


 * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
   option was enabled with a set of patterns that activated logging
   in code that runs in the low-privilege sandboxed sshd process, the
   log messages were constructed in such a way that printf(3) format
   strings could effectively be specified by the low-privilege code.

   An attacker who had successfully exploited the low-privilege
   process could use this to escape OpenSSH's sandboxing and attack
   the high-privilege process. Exploitation of this weakness is
   highly unlikely in practice as the LogVerbose option is not
   enabled by default and is typically only used for debugging. No
   vulnerabilities in the low-privilege process are currently known
   to exist.

   Thanks to Ilja Van Sprundel for reporting this bug.

Changes since OpenSSH 8.5
=

This release contains mostly bug fixes.

New features


 * sftp-server(8): add a new lim...@openssh.com protocol extension
   that allows a client to discover various server limits, including
   maximum packet size and maximum read/write length.

 * sftp(1): use the new lim...@openssh.com extension (when available)
   to select better transfer lengths in the client.

 * sshd(8): Add ModuliFile keyword to sshd_config to specify the
   location of the "moduli" file containing the groups for DH-GEX.

 * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to
   enable printing of the elapsed time in seconds of each test.

Bugfixes


 * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in
   manual pages with the current default. GHPR#174

 * ssh(1): ensure that pkcs11_del_provider() is called before exit.
   GHPR#234

 * ssh(1), sshd(8): fix problems in string->argv conversion. Multiple
   backslashes were 
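The host-key check described in the 8.7 and 8.6 release notes above can be repeated across many hosts by reading the server's KEXINIT proposal out of saved `ssh -vv` output. This is an added example, not part of the announcements or of OpenSSH; the debug lines are constructed and modelled on `ssh -vv` output, and the function names and status strings are hypothetical.

```python
import re

# Algorithms the release notes list as the better alternatives to "ssh-rsa".
PREFERRED = {
    "rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed debug output for a server that offers only legacy algorithms.
LEGACY_SERVER_LOG = """\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa,ssh-dss
"""

# Constructed debug output for a server that also offers the SHA-2 schemes.
CURRENT_SERVER_LOG = """\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
"""


def server_hostkey_algorithms(debug_text):
    """Return the host key algorithms from the *server's* KEXINIT proposal.

    The client's own proposal uses the same "host key algorithms:" label,
    so the parser tracks which proposal block it is currently inside.
    """
    in_server_block = False
    for line in debug_text.splitlines():
        if "KEXINIT proposal" in line:
            in_server_block = "peer server" in line
            continue
        m = re.search(r"host key algorithms:\s*(\S+)", line)
        if m and in_server_block:
            return [name for name in m.group(1).split(",") if name]
    raise ValueError("no peer server KEXINIT proposal in debug output")


def classify(algorithms):
    """Map an offered algorithm list to a status string."""
    offered = set(algorithms)
    if offered & PREFERRED:
        # RSA keys can still be used: they sign with rsa-sha2-256/512.
        return "ok-legacy-offered" if "ssh-rsa" in offered else "ok"
    if "ssh-rsa" in offered:
        # Only the SHA-1 scheme is available: the case the notes say
        # calls for upgrading the server software.
        return "upgrade-needed"
    return "unknown"


def audit(logs_by_host):
    """Classify every host in a {hostname: debug_text} mapping."""
    report = {}
    for host, text in logs_by_host.items():
        try:
            report[host] = classify(server_hostkey_algorithms(text))
        except ValueError:
            report[host] = "no-proposal-seen"
    return report


if __name__ == "__main__":
    hosts = {"legacy.example": LEGACY_SERVER_LOG,
             "current.example": CURRENT_SERVER_LOG}
    for host, status in sorted(audit(hosts).items()):
        print(host, status)
```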

[ANNOUNCEMENT] rebase 4.5.0-1

2021-05-18 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.5.0-1

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.

What's new:

- Introduce --merge-files (-M) flag.

  The --merge-files flag is to update the database for new files, without
  performing a rebase.  The file names provided should have been rebased
  using the --oblivious flag just before.

- Introduce --high-entropy-va (-e) flag.

  This flag allows for setting, clearing, and displaying the value of the
  "high entropy va" dll characteristics flag, which is required to indicate
  that a DLL is 64 bit ASLR clean.

- The --verbose option now prints a reason why rebase is necessary.

- Some errors causing an unnecessary rebase are fixed.

- Add a --with-posix-shell configure flag to use other shells than dash to
  be used as default shell in scripts.  This is only interesting when
  building rebase for non-Cygwin distros.



[ANNOUNCEMENT] tcsh 6.22.04-1

2021-05-11 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.22.04-1

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.

6.22.04 fixes problems introduced in 6.22.03, which were the reason
we skipped 6.22.03 in Cygwin.  Changes from 6.22.02:

 15. V6.22.04 - 20210426
 14. Don't crash with 'bindkey "^0" clear-screen' (Karl Jeacle)
 13. Fix $x:q:h and $x:q:t return the whole string for strings not containing /

 12. V6.22.03 - 20201118
 11. Fix $x:q:h and $x:q:t to not crash (alzwded) with strings containing /
 10. Block SIGHUP while writing history/directory stack (Brett Frankenberger)
  9. Fixed reversed test that broke history merging (Brett Frankenberger)
  8. Prevent recursive entry for writing history (Brett Frankenberger)
  7. alxwded@github, keep track of the :g and :a modifiers per modifier they
 affect.
  6. alzwded@github, fix infinite loop with :gas variable modifier
  5. PR/88: Add a Q: modifier that preserves empty arguments leaving :q
 alone.




[ANNOUNCEMENT] cygwin 3.2.0-1

2021-03-29 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.2.0-1
* cygwin-devel-3.2.0-1
* cygwin-doc-3.2.0-1

This is a new major release.

What's new:
---

- Revamped pseudo console support.  Conditionally activating it only when
  a non-cygwin application is run.

- New C11 threads API: call_once, cnd_broadcast, cnd_destroy, cnd_init,
  cnd_signal, cnd_timedwait, cnd_wait, mtx_destroy, mtx_init, mtx_lock,
  mtx_timedlock, mtx_trylock, mtx_unlock, thrd_create, thrd_current,
  thrd_detach, thrd_equal, thrd_exit, thrd_join, thrd_sleep, thrd_yield,
  tss_create, tss_delete, tss_get, tss_set.

- In cygwin console, a new thread which handles special keys/signals such
  as Ctrl-Z (VSUSP), Ctrl-\ (VQUIT), Ctrl-S (VSTOP), Ctrl-Q (VSTART) and
  SIGWINCH has been introduced. There has been a long-standing issue
  that these keys/signals are handled only when app calls read() or
  select(). Now, these work even if app does not call read() or select().

- fchmodat(2) now has limited support for the AT_SYMLINK_NOFOLLOW flag.

- Cygwin now recognizes native Windows AF_UNIX sockets (as regular
  files, not as socket files).  This allows tools like 'ls' and 'rm'
  to work.

What changed:
-

- Allow ~5000 child processes per process on 64 bit, ~1200 child processes
  per process on 32 bit.  So far, only 256 child processes per process were
  supported.

- A few FAQ updates.

- Have tmpfile(3) make use of Win32 FILE_ATTRIBUTE_TEMPORARY via open(2)
  flag O_TMPFILE.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247304.html

- Utilize Windows 10 1809 FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE
  flag to allow simpler unlink of files with DOS readonly flags set.

- getdtablesize(3), sysconf(_SC_OPEN_MAX), and
  getrlimit(RLIMIT_NOFILE) now return the true limit on the number of
  open descriptors, 3200.  Previously they returned the current size
  of Cygwin's internal file descriptor table, which can grow
  dynamically.

- facl(2) now fails with EBADF on a file opened with O_PATH.

- Allow to start Windows Store executables via their "app execution
  aliases".  Handle these aliases (which are special reparse points)
  as symlinks to the actual executables.

Bug Fixes
-

- Iterate at least 4 times over pthread_key_t destructors per POSIX.

- The pthread_yield declaration in pthread is now visible by default
  or when defining _BSD_SOURCE, too.

- Fix SEGV in modfl call.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-August/246056.html

- Fix a collision of official and internally used file flags.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246174.html

- Fix assertion failure on an invalid path under /proc//fd/.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246160.html

- Fix crash on stat(2)'ing /dev/ptmx on 32 bit.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246218.html

- Fix return value of sqrtl on negative infinity.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-October/246606.html

- Fix a path handling problem if there is a WSL symlink in PATH.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-December/246938.html

- Fix a bug in fstatat(2) on 32 bit that could cause it to return garbage.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247399.html

- Fix the errno when a path contains .. and the prefix exists but is
  not a directory.
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00214.html

- Fix the return value when ptsname_r(3) is called with a bad file descriptor
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00245.html

- Fix path handling in case the Cygwin installation dir is accessed via
  a Windows junction point.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012054.html

- Fix potential handle leaks when dup'ing descriptors
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012041.html

- Fix a bug that could cause fstat(2) to return incorrect results on a FIFO.

- Fix some system calls on AF_LOCAL sockets that are not socket files.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012066.html

- Fix access to block devices under /proc/sys.
  Addresses: https://sourceware.org/pipermail/cygwin-patches/2020q4/010843.html


[ANNOUNCEMENT] cygwin 3.2.0-0.1 (TEST)

2021-03-09 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.2.0-0.1
* cygwin-devel-3.2.0-0.1
* cygwin-doc-3.2.0-0.1

This is the beginning of the public test cycle for a new major release
with a couple of changes.  Please report problems or regressions compared
to Cygwin 3.1.7 to the public mailing list cygwin AT cygwin DOT com.


What's new:
-----------

- Revamped pseudo console support.  Conditionally activating it only when
  a non-cygwin application is run.

- New C11 threads API: call_once, cnd_broadcast, cnd_destroy, cnd_init,
  cnd_signal, cnd_timedwait, cnd_wait, mtx_destroy, mtx_init, mtx_lock,
  mtx_timedlock, mtx_trylock, mtx_unlock, thrd_create, thrd_current,
  thrd_detach, thrd_equal, thrd_exit, thrd_join, thrd_sleep, thrd_yield,
  tss_create, tss_delete, tss_get, tss_set.

- In cygwin console, a new thread which handles special keys/signals such
  as Ctrl-Z (VSUSP), Ctrl-\ (VQUIT), Ctrl-S (VSTOP), Ctrl-Q (VSTART) and
  SIGWINCH has been introduced. There has been a long-standing issue
  that these keys/signals are handled only when an app calls read() or
  select(). Now, these work even if the app does not call read() or select().

- fchmodat(2) now has limited support for the AT_SYMLINK_NOFOLLOW flag.

- Cygwin now recognizes native Windows AF_UNIX sockets (as regular
  files, not as socket files).  This allows tools like 'ls' and 'rm'
  to work.


What changed:
-------------

- Allow ~5000 child processes per process on 64 bit, ~1200 child processes
  per process on 32 bit.  So far, only 256 child processes per process were
  supported.

- A few FAQ updates.

- Have tmpfile(3) make use of Win32 FILE_ATTRIBUTE_TEMPORARY via open(2)
  flag O_TMPFILE.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247304.html

- Utilize Windows 10 1809 FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE
  flag to allow simpler unlink of files with DOS readonly flags set.

- getdtablesize(3), sysconf(_SC_OPEN_MAX), and
  getrlimit(RLIMIT_NOFILE) now return the true limit on the number of
  open descriptors, 3200.  Previously they returned the current size
  of Cygwin's internal file descriptor table, which can grow
  dynamically.

- facl(2) now fails with EBADF on a file opened with O_PATH.


Bug Fixes
---------

- Iterate at least 4 times over pthread_key_t destructors per POSIX.

- The pthread_yield declaration in pthread is now visible by default
  or when defining _BSD_SOURCE, too.

- Fix SEGV in modfl call.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-August/246056.html

- Fix a collision of official and internally used file flags.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246174.html

- Fix assertion failure on an invalid path under /proc//fd/.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246160.html

- Fix crash on stat(2)'ing /dev/ptmx on 32 bit.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246218.html

- Fix return value of sqrtl on negative infinity.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-October/246606.html

- Fix a path handling problem if there is a WSL symlink in PATH.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-December/246938.html

- Fix a bug in fstatat(2) on 32 bit that could cause it to return garbage.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247399.html

- Fix the errno when a path contains .. and the prefix exists but is
  not a directory.
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00214.html

- Fix the return value when ptsname_r(3) is called with a bad file descriptor
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00245.html

- Fix path handling in case the Cygwin installation dir is accessed via
  a Windows junction point.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012054.html

- Fix potential handle leaks when dup'ing descriptors
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012041.html

- Fix a bug that could cause fstat(2) to return incorrect results on a FIFO.

- Fix some system calls on AF_LOCAL sockets that are not socket files.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012066.html

- Fix access to block devices under /proc/sys.
  Addresses: https://sourceware.org/pipermail/cygwin-patches/2020q4/010843.html


[ANNOUNCEMENT] openssh 8.5p1-1

2021-03-05 Thread Corinna Vinschen via Cygwin-announce via Cygwin
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.5p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official announce message:
--------------------------
OpenSSH 8.5 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near
future.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

This release enables the UpdateHostKeys option by default to assist
the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

Security
========

 * ssh-agent(1): fixed a double-free memory corruption that was
   introduced in OpenSSH 8.2. We treat all such memory faults as
   potentially exploitable. This bug could be reached by an attacker
   with access to the agent socket.

   On modern operating systems where the OS can provide information
   about the user identity connected to a socket, OpenSSH ssh-agent
   and sshd limit agent socket access only to the originating user
   and root. Additional mitigation may be afforded by the system's
   malloc(3)/free(3) implementation, if it detects double-free
   conditions.

   The most likely scenario for exploitation is a user forwarding an
   agent either to an account shared with a malicious user or to a
   host with an attacker holding root access.

 * Portable sshd(8): Prevent excessively long username going to PAM.
   This is a mitigation for a buffer overflow in Solaris' PAM username
   handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
   implementations.  This is not a problem in sshd itself, it only
   prevents sshd from being used as a vector to attack Solaris' PAM.
   It does not prevent the bug in PAM from being exploited via some
   other PAM application. GHPR#212


Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): this release changes the first-preference signature
   algorithm from ECDSA to ED25519.

 * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
   for interactive use prior to TCP connect. The connection phase of
   the SSH session is time-sensitive and often explicitly interactive.
   The ultimate interactive/bulk TOS/DSCP will be set after
   authentication completes.

 * ssh(1), sshd(8): remove the