openssh 9.7p1-1

2024-03-11 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.7p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin
and rsh, providing encrypted communication between two machines.



PLEASE READ THE BELOW FUTURE DEPRECATION NOTICE!!!



OpenSSH 9.7 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025 and compile-time disable it later this year.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs[3], mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA in
OpenSSH to be justified and hope that removing it from OpenSSH can
accelerate its wider deprecation in supporting cryptography
libraries.

This release makes DSA support in OpenSSH compile-time optional,
defaulting to on. We intend the next release to change the default
to disable DSA at compile time. The first OpenSSH release of 2025
will remove DSA support entirely.

Changes since OpenSSH 9.6
=========================

This release contains mostly bugfixes.

New features
------------

 * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
   all open channels and will close all open channels if there is no
   traffic on any of them for the specified interval. This is in
   addition to the existing per-channel timeouts added recently.

   This supports situations like having both session and x11
   forwarding channels open where one may be idle for an extended
   period but the other is actively used. The global timeout could
   close both channels when both have been idle for too long.

 * All: make DSA key support compile-time optional, defaulting to on.

Bugfixes
--------

 * sshd(8): don't append an unnecessary space to the end of subsystem
   arguments (bz3667)

 * ssh(1): fix the multiplexing "channel proxy" mode, broken when
   keystroke timing obfuscation was added. (GHPR#463)

 * ssh(1), sshd(8): fix spurious configuration parsing errors when
   options that accept array arguments are overridden (bz3657).

 * ssh-agent(1): fix potential spin in signal handler (bz3670)

 * Many fixes to manual pages and other documentation, including
   GHPR#462, GHPR#454, GHPR#442 and GHPR#441.

 * Greatly improve interop testing against PuTTY.

Portability
-----------

 * Improve the error message when the autoconf OpenSSL header check
   fails (bz#3668)

 * Improve detection of broken toolchain -fzero-call-used-regs support
   (bz3645).

 * Fix regress/misc/fuzz-harness fuzzers and make them compile without
   warnings when using clang16

Checksums:
==========

 - SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11
 - SHA256 (openssh-9.7.tar.gz) = gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=

 - SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc
 - SHA256 (openssh-9.7p1.tar.gz) = SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com

-- 
  *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

The easiest way to unsubscribe is to visit 
, and click 'Unsubscribe'.

If you need more information on unsubscribing, start reading here: 
.
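
The deprecation notice in the announcement above means any remaining DSA (`ssh-dss`) keys stop working once support is compiled out. As an added example (not part of the original announcement or of OpenSSH), this Python sketch finds DSA entries in `authorized_keys`-style text by reading the algorithm name embedded in each key blob; the function names and the sample lines are constructed for illustration.

```python
import base64
import binascii
import struct

# Algorithm names OpenSSH uses for DSA keys and DSA certificates.
DSA_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com"}


def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, cur, in_quote, escaped = [], [], False, False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def blob_key_type(b64):
    """Return the algorithm name stored at the start of a key blob, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])  # uint32 length prefix
    if n > len(blob) - 4:
        return None
    try:
        return blob[4:4 + n].decode("ascii")
    except UnicodeDecodeError:
        return None


def find_dsa_keys(text):
    """Return (line_number, key_type, comment) for every DSA entry in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # Options may precede the key type, so look for the first
        # "type blob" pair whose blob names the same type.
        for i in range(len(fields) - 1):
            if blob_key_type(fields[i + 1]) == fields[i]:
                if fields[i] in DSA_TYPES:
                    hits.append((lineno, fields[i], " ".join(fields[i + 2:])))
                break
    return hits


def filler_blob(key_type):
    """Constructed blob: valid type header plus filler bytes, not a real key."""
    name = key_type.encode("ascii")
    raw = struct.pack(">I", len(name)) + name + b"\x00" * 16
    return base64.b64encode(raw).decode("ascii")


# Constructed sample input; none of these are real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 " + filler_blob("ssh-ed25519") + " alice@laptop",
    'from="10.0.0.0/8",command="/usr/bin/backup --mode \\"full run\\"" ssh-dss '
    + filler_blob("ssh-dss") + " backup@legacy",
    "ssh-dss-cert-v01@openssh.com "
    + filler_blob("ssh-dss-cert-v01@openssh.com") + " ci@old",
    "ssh-rsa " + filler_blob("ssh-rsa") + " bob@desk",
])

if __name__ == "__main__":
    for lineno, key_type, comment in find_dsa_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {key_type} ({comment})")
```

Run it over each account's `authorized_keys` and over host public key files; entries it reports need replacing with a supported key type before DSA is disabled at compile time.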



cygwin 3.5.0-1

2024-02-01 Thread Corinna Vinschen via Cygwin-announce
I'm happy to announce update of the first Cygwin 3.5 release

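======================================================================
   IMPORTANT DEPRECATION NOTES
======================================================================

- Cygwin 3.4.10 was the LAST major version supporting

  - Windows 7 / 8
  - Windows Server 2008 R2 / 2012

- Cygwin 3.5.0 runs on

  - Windows 8.1 / 10 / 11
  - Windows Server 2012 R2 / 2016 / 2019 / 2022
  - and (hopefully) all upcoming releases of Windows.

======================================================================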

Here's what's new and changed compared to Cygwin 3.4.10:


What's new:
-----------

- Drop support for Windows 7, Windows 8, Server 2008 R2 and Server 2012.

- Console devices (/dev/consN) are now accessible by processes attached
  to other consoles or ptys. Thanks to this new feature, GNU screen and
  tmux now work in the console.

- newgrp(1) tool.

- cygcheck has new options searching for available packages in the
  cygwin distro, as well as getting extended info on available and
  installed packages.

- fnmatch(3) and glob(3) now support named character classes, equivalence
  class expressions, and collating symbols in the search pattern, i.e.,
  [:alnum:], [=a=], [.aa.].

- Introduce /dev/disk directory with various by-* subdirectories which
  provide symlinks to disk and partition raw devices:
  by-drive/DRIVE_LETTER ->  ../../sdXN
  by-label/VOLUME_LABEL ->  ../../sdXN
  by-id/BUSTYPE-[VENDOR_]PRODUCT_[SERIAL|0xHASH][-partN] -> ../../sdX[N]
  by-partuuid/MBR_SERIAL-OFFSET -> ../../sdXN
  by-partuuid/GPT_GUID -> ../../sdXN
  by-uuid/VOLUME_SERIAL -> ../../sdXN
  by-voluuid/MBR_SERIAL-OFFSET -> ../../sdXN
  by-voluuid/VOLUME_GUID -> ../../sdXN
  The subdirectories by-drive and by-voluuid are Cygwin specific.

- Introduce /proc/codesets and /proc/locales with information on
  supported codesets and locales for all interested parties.  Locale(1)
  opens these files and uses the info for printing locale info like any
  other process could do.

- Add support for GB18030 codeset.

- Add support for lseek flags SEEK_DATA and SEEK_HOLE, a GNU extension.

- New API calls: posix_spawn_file_actions_addchdir_np,
  posix_spawn_file_actions_addfchdir_np.

- New API calls: c8rtomb, c16rtomb, c32rtomb, mbrtoc8, mbrtoc16, mbrtoc32.

- New API call: close_range (available on FreeBSD and Linux).

- New API call: fallocate (Linux-specific).

- Implement OSS-based sound mixer device (/dev/mixer).


What changed:
-------------

- posix_spawnp no longer falls back to starting the shell for unrecognized
  files as execvp.  For the reasoning, see
  https://www.austingroupbugs.net/view.php?id=1674

- FIFOs now also work on NFS filesystems.

- Enable automatic sparsifying of files on SSDs, independent of the
  "sparse" mount mode.

- When RLIMIT_CORE is more than 1MB, a core dump file which can be loaded by gdb
  is now written on a fatal error. Otherwise, if it's greater than zero, a text
  format .stackdump file is written, as previously.

- The default RLIMIT_CORE is now 0, disabling the generation of core dump or
  stackdump files.


Fixes:
------

- Fix arc4random reseeding after fork(2).
  Addresses: https://cygwin.com/pipermail/cygwin/2024-January/255245.html



bash 5.2.21-1

2024-01-23 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* bash-5.2.21-1
* bash-devel-5.2.21-1





Cygwin 3.5 is coming soon, please test!

2024-01-17 Thread Corinna Vinschen via Cygwin-announce
Hi folks,


we're planning to release Cygwin 3.5 end of this month (Jan 2024) if
nothing serious crops up.

---

One major change in this release is dropping Windows 7, Windows 8,
Windows Server 2008 R2, and Windows Server 2012 from the list of
supported operating systems.

For those of you still running one of these old systems (despite
them all being unsupported and unpatched by the vendor), we will
keep the last 3.4 release (3.4.10) available for quite some time.

---

The minimum supported OS version when running Cygwin 3.5 will be
Windows 8.1 and Windows Server 2012 R2.

---

In this phase of development, we concentrate mainly on avoiding
regressions from 3.4.10.

It would be kind if some of you would start testing, by downloading
the test release. The last test release at the moment of writing this
mail is

  cygwin        3.5.0-0.560.g0774a5da

Latest documentation is

  cygwin-doc    3.5.0-0.560.g0774a5da

Developers developing Cygwin applications should also switch to
the matching developer files:

  cygwin-devel  3.5.0-0.560.g0774a5da

---

What's new:
-----------

- Drop support for Windows 7, Windows 8, Server 2008 R2 and Server 2012.

- Console devices (/dev/consN) are now accessible by processes attached
  to other consoles or ptys. Thanks to this new feature, GNU screen and
  tmux now work in the console.

- newgrp(1) tool.

- cygcheck has new options searching for available packages in the
  cygwin distro, as well as getting extended info on available and
  installed packages.

- fnmatch(3) and glob(3) now support named character classes, equivalence
  class expressions, and collating symbols in the search pattern, i.e.,
  [:alnum:], [=a=], [.aa.].

- Introduce /dev/disk directory with various by-* subdirectories which
  provide symlinks to disk and partition raw devices:
  by-drive/DRIVE_LETTER ->  ../../sdXN
  by-label/VOLUME_LABEL ->  ../../sdXN
  by-id/BUSTYPE-[VENDOR_]PRODUCT_[SERIAL|0xHASH][-partN] -> ../../sdX[N]
  by-partuuid/MBR_SERIAL-OFFSET -> ../../sdXN
  by-partuuid/GPT_GUID -> ../../sdXN
  by-uuid/VOLUME_SERIAL -> ../../sdXN
  by-voluuid/MBR_SERIAL-OFFSET -> ../../sdXN
  by-voluuid/VOLUME_GUID -> ../../sdXN
  The subdirectories by-drive and by-voluuid are Cygwin specific.

- Introduce /proc/codesets and /proc/locales with information on
  supported codesets and locales for all interested parties.  Locale(1)
  opens these files and uses the info for printing locale info like any
  other process could do.

- Add support for GB18030 codeset.

- Add support for lseek flags SEEK_DATA and SEEK_HOLE, a GNU extension.

- New API calls: posix_spawn_file_actions_addchdir_np,
  posix_spawn_file_actions_addfchdir_np.

- New API calls: c8rtomb, c16rtomb, c32rtomb, mbrtoc8, mbrtoc16, mbrtoc32.

- New API call: close_range (available on FreeBSD and Linux).

- New API call: fallocate (Linux-specific).

- Implement OSS-based sound mixer device (/dev/mixer).

What changed:
-------------

- posix_spawnp no longer falls back to starting the shell for unrecognized
  files as execvp.  For the reasoning, see
  https://www.austingroupbugs.net/view.php?id=1674

- FIFOs now also work on NFS filesystems.

- Enable automatic sparsifying of files on SSDs, independent of the
  "sparse" mount mode.

- When RLIMIT_CORE is more than 1MB, a core dump file which can be loaded by gdb
  is now written on a fatal error. Otherwise, if it's greater than zero, a text
  format .stackdump file is written, as previously.

- The default RLIMIT_CORE is now 0, disabling the generation of core dump or
  stackdump files.



cygwin 3.4.10-1

2023-11-29 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.10-1
* cygwin-devel-3.4.10-1
* cygwin-doc-3.4.10-1

Bug Fixes
---------

- Fix missing term in __cpuset_zero_s() prototype in sys/cpuset.h.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-September/254423.html

- Fix hang in process initialization if cwd is unreadable.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-October/254604.html

- Let feraiseexcept actually raise an exception.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-October/254667.html

- Make random(3) family of functions thread-safe.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-November/254734.html

- Updates to profiler and gmondump: error display mechanics, buffer sizing,
  and output formatting.

- Align behaviour of rand(3) to ISO C.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-November/254735.html

- Fix posix_fallocate(3) return value in case of being called on
  other than regular files.

- Reset sparseness in case open(2) has been called with O_CREAT|O_TRUNC on
  sparse files.



openssh 9.5p1-1

2023-10-31 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.5p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.



OpenSSH 9.5 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.4
=========================

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes
--------------------------------

 * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
   are very convenient due to their small size. Ed25519 keys are
   specified in RFC 8709 and OpenSSH has supported them since version 6.5
   (January 2014).

 * sshd(8): the Subsystem directive now accurately preserves quoting of
   subsystem commands and arguments. This may change behaviour for exotic
   configurations, but the most common subsystem configuration
   (sftp-server) is unlikely to be affected.

New features
------------

 * ssh(1): add keystroke timing obfuscation to the client. This attempts
   to hide inter-keystroke timings by sending interactive traffic at
   fixed intervals (default: every 20ms) when there is only a small
   amount of data being sent. It also sends fake "chaff" keystrokes for
   a random interval after the last real keystroke. These are
   controlled by a new ssh_config ObscureKeystrokeTiming keyword.

 * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
   a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
   implement a ping capability. These messages use numbers in the "local
   extensions" number space and are advertised using a "p...@openssh.com"
   ext-info message with a string version number of "0".

 * sshd(8): allow override of Subsystem directives in sshd Match blocks.

Bugfixes
--------

 * scp(1): fix scp in SFTP mode recursive upload and download of
   directories that contain symlinks to other directories. In scp mode,
   the links would be followed, but in SFTP mode they were not. bz3611

 * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
   sshsig signature files.

 * ssh(1): interactive mode for ControlPersist sessions if they
   originally requested a tty.

 * sshd(8): make PerSourceMaxStartups first-match-wins

 * sshd(8): limit artificial login delay to a reasonable maximum (5s)
   and don't delay at all for the "none" authentication mechanism.
   bz3602

 * sshd(8): Log errors in kex_exchange_identification() with level
   verbose instead of error to reduce preauth log spam. All of those
   get logged with a more generic error message by sshpkt_fatal().

 * sshd(8): correct math for ClientAliveInterval that caused the probes
   to be sent less frequently than configured.

 * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
   multiplexed sessions to ignore SIGINT under some circumstances.

Portability
-----------

 * Avoid clang zero-call-used-regs=all bug on Apple compilers, which
   for some reason have version numbers that do not match the upstream
   clang version numbers. bz#3584

 * Fix configure test for zlib 1.3 and later/development versions. bz3604

Checksums:
==========

 - SHA1 (openssh-9.5.tar.gz) = 8a0bd3a91fac338d97d91817af58df731f6509a3
 - SHA256 (openssh-9.5.tar.gz) = sVMxeM3d6g65qBMktJIofxmK4Ipg9dblKif0VnhPeO0=

 - SHA1 (openssh-9.5p1.tar.gz) = 35c16dcc6e7d0a9465faa241476ef24f76b196cc
 - SHA256 (openssh-9.5p1.tar.gz) = 8Cbnt5un+1QPdRgq+W3IqPHbOV+SK7yfbKYDZyaGCGs=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com



cygwin 3.4.9-1

2023-09-06 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.9-1
* cygwin-devel-3.4.9-1
* cygwin-doc-3.4.9-1

Bug Fixes
---------

- Fix a bug introduced in cygwin 3.4.0 that switch_to_nat_pipe flag is
  not cleared properly when non-cygwin app is terminated in the case
  where pseudo console is not activated.

- For the time being, disable creating special files using mknod/mkfifo
  on NFS.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-August/254266.html

- Fix segfault when too many command line args are specified.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-August/254333.html

- Fix build problems in terms of sys/cpuset.h.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-August/254283.html


cygwin 3.4.8-1

2023-08-17 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.8-1
* cygwin-devel-3.4.8-1
* cygwin-doc-3.4.8-1

Bug Fixes
---------

- Make  safe for c89 compilations.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2023q3/012308.html

- Make gcc-specific code in  compiler-agnostic.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-July/253927.html

- Fix AT_EMPTY_PATH handling in fchmodat and fstatat if dirfd refers to
  a file other than a directory
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2023q2/012306.html

- Rename internal macros _NL_CTYPE_OUTDIGITSx_MB/WC to GLibc compatible
  _NL_CTYPE_OUTDIGITx_MB/WC.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2023-July/012637.html

- Fix memory leak in printf() regarding gdtoa-based _ldtoa_r().
  Addresses: https://cygwin.com/pipermail/cygwin/2023-July/254054.html

- Fix a bug introduced in cygwin 3.4.5 that open_shared() does not set
  access permissions as requested by its argument.


openssh 9.4p1-1

2023-08-10 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.4p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.



OpenSSH 9.4 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.3p2
===========================

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes
--------------------------------

 * This release removes support for older versions of libcrypto.
   OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
   Note that these versions are already deprecated by their upstream
   vendors.

 * ssh-agent(1): PKCS#11 modules must now be specified by their full
   paths. Previously dlopen(3) could search for them in system
   library directories.

New features
------------

 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
   extensions.  This defines wire formats for optional KRL extensions
   and implements parsing of the new submessages. No actual extensions
   are supported at this point.

 * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
   accept two additional %-expansion sequences: %D which expands to
   the routing domain of the connected session and %C which expands
   to the addresses and port numbers for the source and destination
   of the connection.

 * ssh-keygen(1): increase the default work factor (rounds) for the
   bcrypt KDF used to derive symmetric encryption keys for passphrase
   protected key files by 50%.

Bugfixes
--------

 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
   by running separate ssh-pkcs11-helpers for each loaded provider.

 * ssh(1): make -f (fork after authentication) work correctly with
   multiplexed connections, including ControlPersist. bz3589 bz3589

 * ssh(1): make ConnectTimeout apply to multiplexing sockets and not
   just to network connections.

 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
   modules being loaded by checking that the requested module
   contains the required symbol before loading it.

 * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
   appears before it in sshd_config. Since OpenSSH 8.7 the
   AuthorizedPrincipalsCommand directive was incorrectly ignored in
   this situation. bz3574

 * sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
   signatures. When the KRL format was originally defined, it included
   support for signing of KRL objects. However, the code to sign KRLs
   and verify KRL signatures was never completed in OpenSSH. This
   release removes the partially-implemented code to verify KRLs.
   All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
   KRL files.

 * All: fix a number of memory leaks and unreachable/harmless integer
   overflows.

 * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
   modules; GHPR406

 * sshd(8), ssh(1): better validate CASignatureAlgorithms in
   ssh_config and sshd_config. Previously this directive would accept
   certificate algorithm names, but these were unusable in practice as
   OpenSSH does not support CA chains. bz3577

 * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
   algorithms that are valid for CA signing. Previous behaviour was
   to list all signing algorithms, including certificate algorithms.

 * ssh-keyscan(1): gracefully handle systems where rlimits or the
   maximum number of open files is larger than INT_MAX; bz3581

 * ssh-keygen(1): fix "no comment" not showing on when running
   `ssh-keygen -l` on multiple keys where one has a comment and other
   following keys do not. bz3580

 * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
   reorder requests. Previously, if the server reordered requests then
   

rebase 4.6.5-1

2023-08-08 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.6.5-1

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.

Changes:

- Add peflags -p, --timestamp option

  This allows to set the header timestamp to 0 or some other fixed
  value (SOURCE_DATE_EPOCH) to support reproducible builds.

- Add peflags -k, --checksum option

  This allows to fix the file checksum in the PE header.
  An invalid checksum may break reproducible builds or may
  increase the risk of false positive malware detections.  
  The checksum calculation is done by a new self-contained module
  'pechecksum.c' which could also be built as a stand-alone tool
  or later added to rebase.

- Add rebase -c, --checksum option

  If specified, the file checksum in the PE header is updated after
  rebasing.


openssh 9.3p2-1

2023-07-21 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.3p2-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

===
OpenSSH 9.3p2 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.3
=========================

This release fixes a security bug.

Security
--------

Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:

* Exploitation requires the presence of specific libraries on
  the victim system.
* Remote exploitation requires that the agent was forwarded
  to an attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.

This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.

In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).

Potentially-incompatible changes
--------------------------------

 * ssh-agent(8): the agent will now refuse requests to load PKCS#11
   modules issued by remote clients by default. A flag has been added
   to restore the previous behaviour "-Oallow-remote-pkcs11".

   Note that ssh-agent(8) depends on the SSH client to identify
   requests that are remote. The OpenSSH >=8.9 ssh(1) client does
   this, but forwarding access to an agent socket using other tools
   may circumvent this restriction.

Checksums:
==========

- SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4
- SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com
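
The "Checksums" notes in the OpenSSH announcements above point out that the SHA256 values are base64 rather than the hex most checksum tools print. As an added example (not part of the original messages or of OpenSSH), this Python sketch parses such a checksum line, accepts either encoding, and compares it with a file's digest; the function names are hypothetical and the tarball is assumed to be already downloaded to a local path.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Checksum line as printed in the announcements: "ALGO (file) = digest",
# optionally preceded by a list dash.
LINE_RE = re.compile(
    r"^\s*-?\s*(?P<algo>SHA1|SHA256)\s+\((?P<name>[^)]+)\)\s+=\s+(?P<digest>\S+)\s*$"
)
DIGEST_LEN = {"SHA1": 20, "SHA256": 32}  # raw digest sizes in bytes

# Lines copied from the openssh 9.3p2 announcement above.
PAGE_LINES = [
    "- SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4",
    "- SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug=",
]


def decode_digest(text, size):
    """Decode a hex or base64 digest string to raw bytes of the expected size."""
    if len(text) == size * 2 and re.fullmatch(r"[0-9a-fA-F]+", text):
        return bytes.fromhex(text)
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"digest is neither hex nor base64: {text!r}") from exc
    if len(raw) != size:
        raise ValueError(f"digest decodes to {len(raw)} bytes, expected {size}")
    return raw


def parse_checksum_line(line):
    """Return (algorithm, file name, raw digest bytes) for one checksum line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a checksum line: {line!r}")
    algo = m.group("algo")
    return algo, m.group("name"), decode_digest(m.group("digest"), DIGEST_LEN[algo])


def file_digest(path, algo):
    """Hash a file in chunks so large tarballs need not fit in memory."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def verify_file(path, line):
    """True if the file at path matches the digest in the checksum line."""
    algo, _name, expected = parse_checksum_line(line)
    return hmac.compare_digest(file_digest(path, algo), expected)


if __name__ == "__main__":
    # Show the announced values in the hex form sha1sum/sha256sum print.
    for line in PAGE_LINES:
        algo, name, raw = parse_checksum_line(line)
        print(f"{algo} {name} {raw.hex()}")
```

A matching checksum only shows the download equals what the announcement lists; checking the release's PGP signature against RELEASE_KEY.asc is the separate step that ties the tarball to the OpenSSH signing key.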



cygwin 3.4.7-1

2023-06-16 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.7-1
* cygwin-devel-3.4.7-1
* cygwin-doc-3.4.7-1

Bug Fixes
---------

- Fix CPU_SET(3) macro type mismatch by making the macros type-safe.
  Addresses https://cygwin.com/pipermail/cygwin/2023-March/253220.html

- kill(1): don't print spurious error message.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-March/253291.html

- Align behaviour of dirname in terms of leading slashes to POSIX:
  https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html

- Fix reading CONIN$ in non cygwin apps when stdin is not a pty.
  Addresses https://cygwin.com/pipermail/cygwin/2023-April/253424.html

- Fix bug in cygheap allocation size computation after fork.  Addresses:
  https://cygwin.com/pipermail/cygwin-developers/2023-April/012620.html

- Fix return value of ilogbl(NaN).
  Addresses: https://cygwin.com/pipermail/cygwin/2023-April/253511.html

- Fix error handling in readlinkat.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-April/253510.html

- Fix return code and errno set by renameat2, if oldfile and newfile
  refer to the same file, and the RENAME_NOREPLACE flag is set.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-April/253514.html



tcsh 6.24.10-1

2023-04-18 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.10-1

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


rebase 4.6.3-1

2023-04-18 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.6.3-1

This release introduces a new flag -c / --control-flow-guard to
set the Control Flow Guard flag on executables per
https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.


csih 0.9.13-1

2023-03-18 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* csih-0.9.13-1

New: getVolInfo now prints all the latest known filesystem flags.

CSIH (cygwin-service-installation-helper) is a script
library used to assist installing cygwin services, such as sshd.
It is derived in part from various other sources. It is intended
to be 'sourced' by configuration scripts such as ssh-host-config,
syslog-config, or iu-config, and that script can then make use of
the shell functions defined by this package.


bsdgrep 2.6.0-1

2023-03-17 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* bsdgrep-2.6.0-1

The FreeBSD versions of the commonly used grep utility, called bsdgrep.
Bsdgrep searches through textual input for lines which contain a match to a
specified pattern and then prints the matching lines.


openssh 9.3p1-1

2023-03-16 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.3p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Upstream announcement:

OpenSSH 9.3 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.2
=========================

This release fixes a number of security bugs.

Security


This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

New features


 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493

 * sshd(8): add a `sshd -G` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes


 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 * sftp-server(8): fix a memory leak. GHPR363

 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
   compatibility code and simplify what's left.

 * Fix a number of low-impact Coverity static analysis findings.
   These include several reported via bz2687

 * ssh_config(5), sshd_config(5): mention that some options are not
   first-match-wins.

 * Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
   says it should; bz3532.

 * ssh(1): ensure that there is a terminating newline when adding a
   new entry to known_hosts; bz3529

Portability
-----------

 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
   mmap(2), madvise(2) and futex(2) flags, removing some concerning
   kernel attack surface.

 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
   bz3537

Checksums:
==========

- SHA1 (openssh-9.3.tar.gz) = 5f9d2f73ddfe94f3f0a78bdf46704b6ad7b66ec7
- SHA256 (openssh-9.3.tar.gz) = eRcXkFZByz70DUBUcyIdvU0pVxP2X280FrmV8pyUdrk=

- SHA1 (openssh-9.3p1.tar.gz) = 610959871bf8d6baafc3525811948f85b5dd84ab
- SHA256 (openssh-9.3p1.tar.gz) = 6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com
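
The checksum note in the OpenSSH 9.3 announcement above says the SHA256 values are base64, not hex. As an added example (not part of the announcement, and not code from the OpenSSH or Cygwin projects), this is one way to check a tarball against such a value. The function names are hypothetical and the script assumes `base64`, `od` and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example: verify a file against a base64-encoded SHA256 digest,
# the encoding used in the "Checksums" section of the announcement.
# Function names are hypothetical; needs base64, od and sha256sum.

# Decode a base64 digest and print it as lowercase hex.
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Print the SHA256 of a file as lowercase hex.
file_sha256_hex() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# verify_b64_sha256 FILE BASE64_DIGEST
# Returns 0 on match, 1 on mismatch, 2 if the digest does not decode
# to exactly 32 bytes or the file cannot be read.
verify_b64_sha256() {
    expected=$(b64_to_hex "$2")
    # SHA256 is 32 bytes, i.e. 64 hex characters. A hex digest passed
    # here by mistake decodes to 48 bytes and is rejected at this point.
    [ "${#expected}" -eq 64 ] || return 2
    [ -r "$1" ] || return 2
    actual=$(file_sha256_hex "$1")
    [ "$actual" = "$expected" ]
}

# Stand-alone use: sh verify.sh openssh-9.3p1.tar.gz '<base64 digest>'
if [ "$#" -eq 2 ]; then
    if verify_b64_sha256 "$1" "$2"; then
        echo "OK: $1"
    else
        echo "FAILED: $1" >&2
        exit 1
    fi
fi
```

A matching checksum only shows the download is intact; authenticity still depends on checking the release signature with the PGP key mentioned in the announcement.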



TEST: bash 5.2.15-2

2023-02-20 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* bash-5.2.15-2
* bash-devel-5.2.15-2

v2: Make /usr/bin/sh.exe a hardlink to /usr/bin/bash.exe, as required.
The v1 installer script accidentally created a symlink.

This is a long overdue update of the bash shell.  Given the big step in
the version, this is a TEST release for now.  Please give it a try.

This release is based on the Fedora Linux 37 bash release with most
patches from Fedora used for the Cygwin release, too.  

This includes noticeably:

- A bash-devel package

- Real executables for some builtins in /usr/bin.  This is actually  
  required per POSIX.  For a discussion, see
  https://bugzilla.redhat.com/show_bug.cgi?id=820192


Bash is an sh-compatible shell that incorporates useful features
from the Korn shell (ksh) and C shell (csh).  It is intended to conform to the
IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard.  It offers functional
improvements over sh for both programming and interactive use. In addition,
most sh scripts can be run by Bash without modification.


TEST: bash 5.2.15-1

2023-02-18 Thread Corinna Vinschen
[first announcement was a bit... incomplete...]

The following packages have been uploaded to the Cygwin distribution:

* bash-5.2.15-1
* bash-devel-5.2.15-1

This is a long overdue update of the bash shell.  Given the big step in
the version, this is a TEST release for now.  Please give it a try.

This release is based on the Fedora Linux 37 bash release with most
patches from Fedora used for the Cygwin release, too.

This includes noticeably:

- A bash-devel package

- real executables for some builtins in /usr/bin.  This is actually
  required per POSIX.  For a discussion, see
  https://bugzilla.redhat.com/show_bug.cgi?id=820192


Bash is an sh-compatible shell that incorporates useful features
from the Korn shell (ksh) and C shell (csh).  It is intended to conform to the
IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard.  It offers functional
improvements over sh for both programming and interactive use. In addition,
most sh scripts can be run by Bash without modification.



TEST: bash 5.2.15-1

2023-02-18 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* bash-5.2.15-1
* bash-devel-5.2.15-1

This is a long overdue update of the bash shell.  Given the big
step in the version, this is a TEST release for now.  Please give
it a try.

This release is based on the Fedora Linux 37 bash release with
most patches from Fedora used for the Cygwin release, too.

This includes noticeably:

- A bash-devel package
- real executables

bash_DESCRIPTION="Bash is an sh-compatible shell that incorporates useful 
features
from the Korn shell (ksh) and C shell (csh).  It is intended to conform to the
IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard.  It offers functional
improvements over sh for both programming and interactive use. In addition,
most sh scripts can be run by Bash without modification."



cygwin 3.4.6-1

2023-02-14 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.6-1
* cygwin-devel-3.4.6-1
* cygwin-doc-3.4.6-1


Bug Fixes
---------

Fix a problem that fsync returns EINVAL for block device.
Addresses: https://cygwin.com/pipermail/cygwin/2023-January/252916.html

Don't reject valid server and share names when mounting.
Addresses: https://cygwin.com/pipermail/cygwin/2023-January/252928.html

Create directories with correctly umask-filtered default ACEs.
Addresses: https://cygwin.com/pipermail/cygwin/2023-February/253037.html

Don't accidentally drop the default ACEs when chmod'ing directories.
Addresses: https://cygwin.com/pipermail/cygwin/2023-February/253037.html



netcat 1.219-2

2023-02-13 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* netcat-1.219-2

This package replaces the old "nc" and "nc6" packages.  The tool is
still called "nc", the build system is now based on the "netcat" package
from the Fedora Linux distro.

The OpenBSD nc (or netcat) utility can be used for just about anything involving
TCP, UDP, or UNIX-domain sockets. It can open TCP connections, send UDP packets,
listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4
and IPv6. Unlike telnet(1), nc scripts nicely, and separates error messages onto
standard error instead of sending them to standard output, as telnet(1) might do
with some.


libretls 3.7.0-1

2023-02-13 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* libretls26-3.7.0-1
* libretls-devel-3.7.0-1

LibreTLS is a port of libtls from LibreSSL to OpenSSL. OpenBSD's libtls is a
new TLS library, designed to make it easier to write foolproof applications.


libbsd 0.11.7-3

2023-02-13 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* libbsd0-0.11.7-3
* libbsd-devel-0.11.7-3

libbsd provides useful functions commonly found on BSD systems, and
lacking on others like GNU systems, thus making it easier to port
projects with strong BSD origins, without needing to embed the same
code over and over again on each project.


libmd 1.0.4-3

2023-02-13 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* libmd0-1.0.4-3
* libmd-devel-1.0.4-3

The libmd library provides a few message digest ('hash') functions, as
found on various BSD systems, either on their libc or on a library with
the same name, and with a compatible API.


pl 8.4.3-1

2023-02-09 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* pl-8.4.3-1
* pl-devel-8.4.3-1
* pl-doc-8.4.3-1
* pl-odbc-8.4.3-1
* pl-xpce-8.4.3-1

ISO/Edinburgh-style Prolog compiler including modules, auto-load,
libraries, Garbage-collector, stack-expandor, C/C++-interface,
GNU-readline interface, very fast compiler.  Including packages
clib (Unix process control and sockets), cpp (C++ interface), sgml
(reading XML/SGML), sgml/RDF (reading RDF into triples) and XPCE
(Graphics UI toolkit, integrated editor (Emacs-clone) and
source-level debugger).


libedit 20221030-4

2023-02-08 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* libedit-devel-20221030-4
* libedit0-20221030-4

This release is supposed to fix the problem outlined in
https://cygwin.com/pipermail/cygwin/2023-February/253029.html

Libedit is an autotool- and libtoolized port of the NetBSD Editline library.
It provides generic line editing, history, and tokenization functions, similar
to those found in GNU Readline.


rlwrap 0.46.1-2

2023-02-07 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* rlwrap-0.46.1-2

rlwrap is a readline wrapper that uses the GNU readline library
to allow the editing of keyboard input for any other command.
Input history is remembered across invocations, separately for
each command; history completion and search work as in bash and
completion word lists can be specified on the command line.


cygrunsrv 1.64-1

2023-02-06 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygrunsrv-1.64-1


This release contains a change which is supposed to handle quoted
service application paths to be handled sanely.



Windows provides a set of functions required to be called by applications
supposed to run as a service.  The usual POSIX daemon is not prepared to do
so, so it can't run as a service under Windows.

Cygrunsrv is a Windows service application, acting as a wrapper between
the POSIX daemon and the Windows system.

For usage info, read the file /usr/share/doc/Cygwin/cygrunsrv.README.


recode 3.7.12-1

2023-02-06 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* recode-3.7.12-1
* librecode3-3.7.12-1
* recode-devel-3.7.12-1

The 'recode' converts files between character sets and usages.
It recognises or produces nearly 150 different character sets
and is able to transliterate files between almost any pair. When exact
transliterations are not possible, it may get rid of the offending
characters or fall back on approximations.  Most RFC 1345 character sets
are supported.


cygrunsrv 1.63-1

2023-02-05 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygrunsrv-1.63-1

Adding two options -T and -X to control timeouts when starting/stopping
the service.  Rearranging the package build system.


Windows provides a set of functions required to be called by applications
supposed to run as a service.  The usual POSIX daemon is not prepared to do
so, so it can't run as a service under Windows.

Cygrunsrv is a Windows service application, acting as a wrapper between
the POSIX daemon and the Windows system.

For usage info, read the file /usr/share/doc/Cygwin/cygrunsrv.README.


openssh 9.2p1-1

2023-02-03 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.2p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Upstream announcement:

OpenSSH 9.2 released


OpenSSH 9.2 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.1
=========================

This release fixes a number of security bugs.

Security


This release contains fixes for two security problems and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * sshd(8): fix a pre-authentication double-free memory fault
   introduced in OpenSSH 9.1. This is not believed to be exploitable,
   and it occurs in the unprivileged pre-auth process that is
   subject to chroot(2) and is further sandboxed on most major
   platforms.

 * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
   would ignore its first argument unless it was one of the special
   keywords "any" or "none", causing the permission list to fail open
   if only one permission was specified. bz3515

 * ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
   options were enabled, and the system/libc resolver did not check
   that names in DNS responses were valid, then use of these options
   could allow an attacker with control of DNS to include invalid
   characters (possibly including wildcards) in names added to
   known_hosts files when they were updated. These names would still
   have to match the CanonicalizePermittedCNAMEs allow-list, so
   practical exploitation appears unlikely.

Potentially-incompatible changes


 * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
   controls whether the client-side ~C escape sequence that provides a
   command-line is available. Among other things, the ~C command-line
   could be used to add additional port-forwards at runtime.

   This option defaults to "no", disabling the ~C command-line that
   was previously enabled by default. Turning off the command-line
   allows platforms that support sandboxing of the ssh(1) client
   (currently only OpenBSD) to use a stricter default sandbox policy.

New features


 * sshd(8): add support for channel inactivity timeouts via a new
   sshd_config(5) ChannelTimeout directive. This allows channels that
   have not seen traffic in a configurable interval to be
   automatically closed. Different timeouts may be applied to session,
   X11, agent and TCP forwarding channels.

 * sshd(8): add a sshd_config UnusedConnectionTimeout option to
   terminate client connections that have no open channels for a
   length of time. This complements the ChannelTimeout option above.

 * sshd(8): add a -V (version) option to sshd like the ssh client has.

 * ssh(1): add a "Host" line to the output of ssh -G showing the
   original hostname argument. bz3343

 * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
   allow control over some SFTP protocol parameters: the copy buffer
   length and the number of in-flight requests, both of which are used
   during upload/download. Previously these could be controlled in
   sftp(1) only. This makes them available in both SFTP protocol
   clients using the same option character sequence.

 * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
   e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
   it will be expanded to all possible addresses in the range
   including the all-0s and all-1s addresses. bz#976

 * ssh(1): support dynamic remote port forwarding in escape
   command-line's -R processing. bz#3499

Bugfixes


 * ssh(1): when restoring non-blocking mode to stdio fds, restore
   exactly the flags that ssh started with and don't just clobber them
   with zero, as this could also remove the append flag from the set.
   bz3523

 * ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none
   and a hostkey in one of the system known hosts file changes.

 * scp(1): switch scp from using pipes to a socket-pair for
   communication with its ssh sub-processes, matching how sftp(1)
   operates.

 * sshd(8): clear signal mask early in main(); sshd may have been
   started with one or more signals masked (sigprocmask(2) is not
   cleared on 

getent 2.18.90-5

2023-01-22 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* getent-2.18.90-5

The getent command displays entries from databases supported by the
Name Service Switch libraries, which are configured in
/etc/nsswitch.conf.  If one or more key arguments are provided, then only the
entries that match the supplied keys will be displayed.  Otherwise, if
no key is provided, all entries will be displayed (unless the database
does not support enumeration).


tin 2.6.2-1

2023-01-21 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* tin-2.6.2-1

Tin is a basic, easy to use Internet news reader.  Tin can read news
locally or remotely via an NNTP (Network News Transport Protocol)
server.

Install tin if you need a basic news reader.


libfido2 1.12.0-1

2023-01-21 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.12.0-1
* libfido2-devel-1.12.0-1

libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.


libcbor 0.9.0-4

2023-01-21 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.9.0-4
* libcbor-devel-0.9.0-4

libcbor is a C library for parsing and generating CBOR.


libedit 20221030-1

2023-01-20 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* libedit-20221030-1
* libedit-devel-20221030-1
* libedit0-20221030-1

Libedit is an autotool- and libtoolized port of the NetBSD Editline library.
It provides generic line editing, history, and tokenization functions, similar
to those found in GNU Readline.


psmisc 23.4-4

2023-01-20 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* psmisc-23.4-4

The psmisc package contains utilities for managing processes on your
system: pstree, killall, fuser and pslog.  The pstree command displays
a tree structure of all of the running processes on your system.  The
killall command sends a specified signal (SIGTERM if nothing is specified)
to processes identified by name.  The fuser command identifies the PIDs
of processes that are using specified files or filesystems. The pslog
command shows the path of log files owned by a given process.


cygwin 3.4.5-1

2023-01-19 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.5-1
* cygwin-devel-3.4.5-1
* cygwin-doc-3.4.5-1

The 3.4.4 release had to be skipped for technical reasons.


Bug Fixes
---------

- Fix an uninitialized variable having weird side-effects in path handling.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-December/252734.html

- Fix hang-up of less on quit which occurs when it is started from non-cygwin
  shell and window is resized.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-December/252737.html

- Reinstantiate exporting _alloca.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-January/252797.html

- Avoid hangs when reading /proc//status.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-December/252756.html

- Fix vmstat(1) printing an error message on single core CPUs.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-January/252857.html

- Fix potential process termination during process initialization.
  Most easily reproducible is the case of non-Cygwin processes running
  with high-entropy VA enabled and loading the Cygwin DLL dynamically.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-January/252765.html
 https://cygwin.com/pipermail/cygwin/2023-January/252865.html

- Fix a build problem breaking cygcheck and strace.
  Addresses: https://cygwin.com/pipermail/cygwin/2023-January/252894.html



rebase 4.6.2-2

2023-01-13 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.6.2-2

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.

This is a minor bug fix release, fixing a confusing warning in peflags.


cpio 2.13-13

2023-01-13 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cpio-2.13-13

GNU cpio copies files into or out of a cpio or tar archive.  Archives
are files which contain a collection of other files plus information
about them, such as their file name, owner, timestamps, and access
permissions.  The archive can be another file on the disk, a magnetic
tape, or a pipe.  GNU cpio supports the following archive formats:  binary,
old ASCII, new ASCII, crc, HPUX binary, HPUX old ASCII, old tar and POSIX.1
tar.  By default, cpio creates binary format archives, so that they are
compatible with older cpio programs.  When it is extracting files from
archives, cpio automatically recognizes which kind of archive it is reading
and can read archives created on machines with a different byte-order.

Install cpio if you need a program to manage file archives.


cygwin 3.4.2-1

2022-12-11 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.2-1
* cygwin-devel-3.4.2-1
* cygwin-doc-3.4.2-1

This is a bugfix release.

- Fix regression in uname(2), accidentally adding a leading dot to
  utsname::machine.

=================================
   IMPORTANT DEPRECATION NOTES
=================================

- Cygwin 3.4 is the FIRST major version dropping support for

  - 32 bit Windows including WOW64 on 64 bit Windows.
  - Windows Vista
  - Windows Server 2008

- Cygwin 3.4 is the LAST major version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

- Cygwin 3.5, which will probably be released at some point in late 2023,
  will run on

  - Windows 8.1
  - Windows 10
  - Windows 11
  - Windows Server 2012 R2
  - Windows Server 2016
  - Windows Server 2019
  - Windows Server 2022


cygwin 3.4.1-1

2022-12-10 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.1-1
* cygwin-devel-3.4.1-1
* cygwin-doc-3.4.1-1

This is a bugfix release.

- Fix a backward incompatibility problem in the definition of the
  base type of the stdio type FILE.  This requires that C++ binaries
  compiled under Cygwin 3.4.0 having a public facing interface using
  FILE need to be recompiled.
  Addresses: https://savannah.gnu.org/bugs/index.php?63480

- Fix an error introduced into the build process, resulting in `gcc -pg'
  becoming dysfunctional.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-December/252619.html

- Fix performance degradation of non-cygwin pipe.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-December/252628.html

=================================
   IMPORTANT DEPRECATION NOTES
=================================

- Cygwin 3.4 is the FIRST major version dropping support for

  - 32 bit Windows including WOW64 on 64 bit Windows.
  - Windows Vista
  - Windows Server 2008

- Cygwin 3.4 is the LAST major version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

- Cygwin 3.5, which will probably be released at some point in late 2023,
  will run on

  - Windows 8.1
  - Windows 10
  - Windows 11
  - Windows Server 2012 R2
  - Windows Server 2016
  - Windows Server 2019
  - Windows Server 2022

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.


tcsh 6.24.05-1

2022-12-04 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.05-1

This is a maintenance release with no functional change to the shell
itself, but all additional changes from 6.24.03 (and 6.24.04, never
released) have been applied to the manual page.  All other changes are
about the build and release processes.

Downside: The conversion from the man page to HTML has been deprecated,
so the HTML documentation is no longer part of this package.

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


cygwin 3.4.0-1

2022-12-04 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.0-1
* cygwin-devel-3.4.0-1
* cygwin-doc-3.4.0-1

=================================
   IMPORTANT DEPRECATION NOTES
=================================

- Cygwin 3.4 is the FIRST major version dropping support for

  - 32 bit Windows including WOW64 on 64 bit Windows.
  - Windows Vista
  - Windows Server 2008

- Cygwin 3.4 is the LAST major version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

- Cygwin 3.5, which will probably be released at some point in late 2023,
  will run on

  - Windows 8.1
  - Windows 10
  - Windows 11
  - Windows Server 2012 R2
  - Windows Server 2016
  - Windows Server 2019
  - Windows Server 2022

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

=================================

What's new:
-----------

- Drop support for Vista and Server 2008.

- Drop support for 32 bit Windows and WOW64.

- Allow to run with full ASLR enabled and enable on Cygwin DLL by default.

- Remove any special handling for the .com filename suffix. It has to
  be used always explicitly.

- Add code to handle setrlimit(RLIMIT_AS).

- Add code to handle signal masks in /proc//status.

- Handle UDP_SEGMENT and UDP_GRO socket options.


What changed:
-------------

- The CYGWIN=pipe_byte option is now set by default, so that pipes are
  opened in byte mode rather than message mode.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-March/247987.html

- The stdio input functions no longer try again to read after EOF.
  This aligns Cygwin behavior to that of Linux.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-June/251672.html

- Treat an empty path (empty element in PATH or PATH is absent) as
  the current directory as Linux does.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-June/251730.html

- The default values of FD_SETSIZE and NOFILE are now 1024 and 3200,
  respectively.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-July/251839.html


Bug Fixes
---------

- Don't error out if getfacl(1) is called on a socket file.
  Partially addresses: https://cygwin.com/pipermail/cygwin/2022-July/251768.html

- Make serial ioctl(TIOCMBIS/TIOCMBIC) work on USB CDC devices.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-November/252443.html

- Fix a SEGV when running a process with changed primary group.
  Addresses: https://cygwin.com/pipermail/cygwin-apps/2022-September/042245.html

- Fix primary group handling when running a process tree containing
  non-Cygwin processes and with changed primary group.  The Cygwin child
  process of a non-Cygwin process will have reverted its primary group
  to the default primary group erroneously.
  Addresses: https://cygwin.com/pipermail/cygwin-apps/2022-September/042245.html

- Fix parsing Windows command line when non-ASCII chars are in the input.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-November/252481.html



tcsh 6.24.03-1

2022-12-03 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.03-1

This is a bugfix release.

1. Handle \c in echo properly.
2. Add a configure check for a working sbrk().
3. Fix a test failure on busybox.

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


tcsh 6.24.02-2

2022-12-01 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.02-2

This is a bugfix release.  It fixes the behaviour of the "\c" escape
sequence, which was broken since tcsh 6.23.00.

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


tcsh 6.24.02-1

2022-11-28 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.02-1

This is a bugfix release.  It fixes a situation where a ~/.history
file has been written when it should not have been.

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


gawk 5.2.1-1

2022-11-23 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* gawk-5.2.1-1

The gawk package contains the GNU version of awk, a text
processing utility. Awk interprets a special-purpose programming
language to do quick and easy text pattern matching and
reformatting jobs.

Install the gawk package if you need a text processing utility.
Gawk is considered to be a standard Linux tool for processing text.

Changes from 5.2.0 to 5.2.1
---------------------------

1. More subtle issues with untyped array elements being passed to
   functions have been fixed. 

2. The rwarray extension's readall() function has had some bugs fixed.

3. The PMA allocator is now supported on Linux on s/390, FreeBSD and OpenBSD.
   It is currently disabled on macos on M1 since there are some unsolved
   problems in that environment. macos on Intel works without problem.

4. There have been several minor code cleanups and bug fixes. See the
   ChangeLog for details.

Changes from 5.1.x to 5.2.0
---------------------------

*****************************************************************************
* MPFR mode (the -M option) is now ON PAROLE.  This feature is now being    *
* supported by a volunteer in the development team and not by the primary   *
* maintainer.  If this situation changes, then the feature will be removed. *
* For more information see this section in the manual:                      *
* https://www.gnu.org/software/gawk/manual/html_node/MPFR-On-Parole.html    *
*****************************************************************************

1. Infrastructure upgrades: Libtool 2.4.7, Bison 3.8.2.

2. Numeric scalars now compare in the same way as C for the relational
   operators. Comparison order for sorting has not changed.  This only
   makes a difference when comparing Infinity and NaN values with
   regular numbers; it should not be noticeable most of the time.

3. If the AWK_HASH environment variable is set to "fnv1a" gawk will
   use the FNV1-A hash function for associative arrays.

4. The CMake infrastructure has been removed. In the five years it was in
   the tree, nobody used it, and it was not updated.

5. There is now a new function, mkbool(), that creates Boolean-typed
   values.  These values *are* numbers, but they are also tagged as
   Boolean. This is mainly for use with data exchange to/from languages
   or environments that support real Boolean values. See the manual
   for details.

6. As BWK awk has supported interval expressions since 2019, they are
   now enabled even if --traditional is supplied. The -r/--re-interval option
   remains, but it does nothing.

7. The rwarray extension has two new functions, writeall() and readall(),
   for saving / restoring all of gawk's variables and arrays.

8. The new `gawkbug' script should be used for reporting bugs.

9. The manual page (doc/gawk.1) has been considerably reduced in size.
   Wherever possible, details were replaced with references to the online
   copy of the manual.

10. Gawk now supports Terence Kelly's "persistent malloc" (pma),
allowing gawk to preserve its variables, arrays and user-defined
functions between runs. THIS IS AN EXPERIMENTAL FEATURE!

For more information, see the manual. A new pm-gawk.1 man page
is included, as is a separate user manual that focuses on the feature.

11. Support for OS/2 has been removed. It was not being actively
maintained.

12. Similarly, support for DJGPP has been removed. It also was not
being actively maintained.

13. VAX/VMS is no longer supported, as it can no longer be tested.
The files for it remain in the distribution but will be removed
eventually.

14. Some subtle issues with untyped array elements being passed to
functions have been fixed.

15. Syntax errors are now immediately fatal. This prevents problems
with errors from fuzzers and other such things.

16. There have been numerous minor code cleanups and bug fixes. See the
ChangeLog for details.



TEST: cygwin 3.4.0-0.1

2022-11-11 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.4.0-0.1
* cygwin-devel-3.4.0-0.1
* cygwin-doc-3.4.0-0.1

This is the first test release of the 64 bit-only Cygwin 3.4.0.
Please test.



What's new:
-----------

- Drop support for Vista and Server 2008.

- Drop support for 32 bit Windows and WOW64.

- Allow to run with full ASLR enabled and enable on Cygwin DLL by default.

- Remove any special handling for the .com filename suffix. It has to
  be used always explicitly.

- Add code to handle setrlimit(RLIMIT_AS).

- Add code to handle signal masks in /proc//status.

- Handle UDP_SEGMENT and UDP_GRO socket options.


What changed:
-------------

- The CYGWIN=pipe_byte option is now set by default, so that pipes are
  opened in byte mode rather than message mode.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-March/247987.html

- The stdio input functions no longer try again to read after EOF.
  This aligns Cygwin behavior to that of Linux.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-June/251672.html

- Treat an empty path (empty element in PATH or PATH is absent) as
  the current directory as Linux does.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-June/251730.html

- The default values of FD_SETSIZE and NOFILE are now 1024 and 3200,
  respectively.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-July/251839.html


Bug Fixes
---------

- Don't error out if getfacl(1) is called on a socket file.
  Partially addresses: https://cygwin.com/pipermail/cygwin/2022-July/251768.html

- Make serial ioctl(TIOCMBIS/TIOCMBIC) work on USB CDC devices.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-November/252443.html


openssh 9.1p1-1

2022-11-07 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.1p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Cygwin release message:

WinHello support:

Lots of patches to support FIDO2 keys utilizing WinHello have gone into
the upstream release now.  Additionally to the 9.0p1-1 Cygwin release,
Biometric FIDO2 keys are now seamlessly supported as well.

Please note that keys created with `-O no-touch-required' won't work,
because WinHello doesn't support authenticating FIDO2 tokens without
checking user presence.


Official upstream release message:


OpenSSH 9.1 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.0
=========================

This release is focused on bug fixing.

Security


This release contains fixes for three minor memory safety problems.
None are believed to be exploitable, but we report most memory safety
problems as potential security vulnerabilities out of caution.

 * ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
   Reported by Qualys

 * ssh-keygen(1): double free() in error path of file hashing step in
   signing/verify code; GHPR333

 * ssh-keysign(8): double-free in error path introduced in openssh-8.9

Potentially-incompatible changes


 * The portable OpenSSH project now signs commits and release tags
   using git's recent SSH signature support. The list of developer
   signing keys is included in the repository as .git_allowed_signers
   and is cross-signed using the PGP key that is still used to sign
   release artifacts:
   https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
   are now first-match-wins to match other directives. Previously
   if an environment variable was multiply specified the last set
   value would have been used. bz3438

 * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
   will no longer generate DSA keys, as these are insecure and have
   not been used by default for some years.  


 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8).

   ssh(1) will terminate a connection if the server offers an RSA key
   that falls below this limit, as the SSH protocol does not include
   the ability to retry a failed key exchange.

 * sftp-server(8): add a "users-groups-by...@openssh.com" extension
   request that allows the client to obtain user/group names that
   correspond to a set of uids/gids.

 * sftp(1): use "users-groups-by...@openssh.com" sftp-server
   extension (when available) to fill in user/group names for
   directory listings.

 * sftp-server(8): support the "home-directory" extension request
   defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
   a bit with the existing "expand-p...@openssh.com", but some other
   clients support it.

 * ssh-keygen(1), sshd(8): allow certificate validity intervals,
   sshsig verification times and authorized_keys expiry-time options
   to accept dates in the UTC time zone in addition to the default
   of interpreting them in the system time zone. MMDD and
   YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
   with a 'Z' character.

   Also allow certificate validity intervals to be specified in raw
   seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
   is intended for use by regress tests and other tools that call
   ssh-keygen as part of a CA workflow. bz3468

 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
   "/usr/libexec/sftp-server -el debug3"

 * ssh-keygen(1): allow the existing -U (use agent) flag to work
   with "-Y sign" operations, where it will be interpreted to require
   that the private key is hosted in an agent; bz3429

New features


 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8).

   ssh(1) will terminate a connection if the server offers an RSA key
   that falls below this 
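
An added example, not part of the announcement or of OpenSSH: a stand-alone audit in the spirit of the RequiredRSASize directive described above, which decodes each ssh-rsa public key blob in authorized_keys text and reports keys whose modulus is below a chosen minimum. The 3072-bit minimum, the function names and the sample keys (constructed values of the right bit length, not usable moduli) are assumptions.

```python
"""Report ssh-rsa keys in authorized_keys text that are below a minimum size."""
import base64
import binascii
import struct


def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length, then bytes) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated data field")
    return buf[off:off + length], off + length


def rsa_modulus_bits(b64_blob):
    """Return the modulus size in bits of an ssh-rsa key blob, else None."""
    try:
        blob = base64.b64decode(b64_blob, validate=True)
        key_type, off = read_string(blob, 0)
        if key_type != b"ssh-rsa":
            return None
        _exponent, off = read_string(blob, off)   # mpint e
        modulus, off = read_string(blob, off)     # mpint n
    except (binascii.Error, ValueError):
        return None
    # An mpint may carry a leading zero byte; bit_length() ignores it.
    return int.from_bytes(modulus, "big").bit_length()


def undersized_rsa_keys(text, min_bits):
    """Return (line number, bits, comment) for each RSA key below min_bits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options may precede the key type, so look for the type token and
        # accept it only if the next field really decodes as an ssh-rsa blob.
        for i, field in enumerate(fields[:-1]):
            if field != "ssh-rsa":
                continue
            bits = rsa_modulus_bits(fields[i + 1])
            if bits is None:
                continue
            if bits < min_bits:
                findings.append((lineno, bits, " ".join(fields[i + 2:])))
            break
    return findings


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def mpint(value):
    # Positive mpint: big-endian, with a zero byte in front if the top bit is set.
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_rsa_blob(bits):
    """Build a sample blob whose modulus has exactly `bits` bits (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    raw = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return base64.b64encode(raw).decode()


# Constructed sample input; the names and option values are made up.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    'from="10.0.0.*",no-pty ssh-rsa ' + constructed_rsa_blob(1024) + " old-laptop",
    "ssh-rsa " + constructed_rsa_blob(3072) + " build-server",
    "ssh-ed25519 "
    + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
    + " admin",
])

ASSUMED_MIN_BITS = 3072  # assumed policy value, not a default taken from the page

if __name__ == "__main__":
    for lineno, bits, comment in undersized_rsa_keys(SAMPLE_AUTHORIZED_KEYS, ASSUMED_MIN_BITS):
        print(f"line {lineno}: {bits}-bit RSA key ({comment}) is below {ASSUMED_MIN_BITS}")
```
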

cygwin 3.3.6-1

2022-09-05 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.6-1
* cygwin-devel-3.3.6-1
* cygwin-doc-3.3.6-1

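======================================================================
   IMPORTANT DEPRECATION NOTES
======================================================================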

- Cygwin 3.3 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  to move to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4, which will probably be released at some point in late 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

======================================================================

Bug Fixes
---------

- Fix an issue that command "cmd /c script -c cmd" crashes if it
  is issued in console of Windows 7.

- Fix killpg failing because the exec'ing as well as the exec'ed
  process are not in the pidlist for a brief moment.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-May/251479.html

- Fix mknod (64-bit only), whose definition didn't match its prototype.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2022-May/012589.html

- Fix a regression that prevented Cygwin from starting if cygwin1.dll
  is in the root directory.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-May/251548.html

- Handle setting very long window title correctly in console.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-June/251662.html

- Fix a bug of poll() that it returns event which is not inquired
  if events are inquired in multiple pollfd entries on the same fd
  at the same time.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-June/251732.html

- Fix a console problem that the text longer than 1024 bytes cannot
  be pasted correctly.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-June/251764.html

- Fix a pty problem that pty failed to switch I/O pipe to that for
  native apps if *.bat or *.cmd is executed directly from cygwin
  shell.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-July/251993.html

- Fix a problem that prevented some symbolic links to /cygdrive/C,
  /cygdrive/./c, /cygdrive//c, etc. from working.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-July/251994.html

- Fix a path handling bug that could cause a non-existing file to be
  treated as the current directory.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-August/252030.html

- Fix a crash in newlocale.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-August/252043.html


libfido2 1.11.0-1

2022-08-05 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.11.0-1
* libfido2-devel-1.11.0-1

libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.

What's new:

* Version 1.11.0 (2022-05-03)
 ** Experimental PCSC support; enable with -DUSE_PCSC.
 ** Improved OpenSSL 3.0 compatibility.
 ** Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
 ** winhello: advertise "uv" instead of "clientPin".
 ** winhello: support hmac-secret in fido_dev_get_assert().
 ** New API calls:
  - fido_cbor_info_maxlargeblob.
 ** Documentation and reliability fixes.
 ** Separate build and regress targets.



rebase 4.6.1-1

2022-07-22 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.6.1-1

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.

* Make rebaseall a wrapper around /etc/postinstall/0p_000_autorebase.dash.



rebase 4.6.0-2

2022-07-19 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.6.0-2

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.

This release adds support for Compact OS and contains a couple of
bugfixes of the rebasing algorithm, courtesy Christian Franke.


cygwin 3.3.5-1

2022-05-13 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.5-1
* cygwin-devel-3.3.5-1
* cygwin-doc-3.3.5-1

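======================================================================
   IMPORTANT DEPRECATION NOTES
======================================================================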

- Cygwin 3.3 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  to move to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all   
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4, which will probably be released at some point in late 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

======================================================================

Bug Fixes
---------

- Fix a bug that accessing UNC path mounted to a drive letter using
  SMB3.11 fails with error "Too many levels of symbolic links.".

- Fix a console bug that escape sequence IL/DL (CSI Ps L, CSI Ps M)
  does not work correctly at the last line.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-February/250736.html

- Fix a problem that ENABLE_INSERT_MODE and ENABLE_QUICK_EDIT_MODE
  flags are cleared if cygwin is started in console.

- Fix an issue that cmd.exe also is terminated along with the cygwin
  app started from the cmd.exe if the cygwin app is terminated by
  Ctrl-C.

- Fix deadlock caused when keys are typed in pty while a lot of text
  output.

- Fix a problem that the console mode for input is not set correctly
  when non-cygwin app is started with stdin redirected.
  Addresses:
  https://github.com/GitCredentialManager/git-credential-manager/issues/576

- Fix some problems such as:
   1) If output of non-cygwin app and input of cygwin app are connected
  by a pipe, Ctrl-C has to be sent twice to stop apps when the
  cygwin app does not read stdin at the moment.
   2) In cmd.exe started from cygwin shell, if output of non-cygwin
  app and input of cygwin app are connected by a pipe, Ctrl-C
  can never terminate the apps.

- Fix exit code when non-cygwin app is terminated by Ctrl-C.

- Fix a bug that the order of the console key inputs are occasionally
  swapped, especially when CPU load is high.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-February/250957.html

- Fix a problem that fsync() flushes the console input buffer unlike
  linux. fsync() should return EINVAL for special files such as tty.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-March/251022.html

- Fix a formatting problem in gmondump where all displayed addresses are
  mistakenly prefixed with "0x0x". Fix man pages for gmondump and ssp.

- Fix crash on pty master close in Windows 7.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-March/251162.html

- Avoid deadlock of non-cygwin pipe writer which occurs when the other
  cygwin pipe writers exist if the pipe is created by system account
  or the pipe creator is running as service.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-March/251097.html


tcsh 6.24.01-1

2022-05-12 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.01-1

This is a bug fix release:

1. Fix return status of which (Jamie Landeg-Jones)
2. Fix quoting of ! characters in history recall (Kimmo Suominen)

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


openssh 9.0p1-1

2022-04-27 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-9.0p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.


Cygwin release message:

WinHello support:

Apart from the following official upstream release message, this release
contains support for WinHello.  That is, users of Windows 10 1909 or
later will now be able to use FIDO2 tokens in conjunction with
WinHello.  Create keys with one of

  ssh-keygen -t ed25519-sk [-O verify-required]
  ssh-keygen -t ecdsa-sk [-O verify-required]

Please note that keys created with `-O no-touch-required' won't work,
because WinHello doesn't support authenticating FIDO2 tokens without
checking user presence.

WinHello support is supposed to go upstream, but the changes didn't   
make it into 9.0p1.


Official upstream release message:


OpenSSH 9.0 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:  
https://www.openssh.com/donations.html

Changes since OpenSSH 8.9
=========================

This release is focused on bug fixing.

Potentially-incompatible changes


This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other users' home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-p...@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.

New features


 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha...@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

   We are making this change now (i.e. ahead of cryptographically-
   relevant quantum computers) to prevent "capture now, decrypt
   later" attacks where an adversary who can record and store SSH
   session ciphertext would be able to decrypt it once a sufficiently
   advanced quantum computer is available.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

Bugfixes


 * ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output
   fd closes without data in the channel buffer. bz3405 and bz3411

 * sshd(8): pack pollfd array in server listen/accept loop. Could
   cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE

 * ssh-keygen(1): avoid NULL deref via the find-principals and
   check-novalidate operations. bz3409 and GHPR#307 respectively.

 * scp(1): fix a memory leak in argument processing. bz3404

 * sshd(8): don't try to resolve ListenAddress directives in the sshd
   re-exec path. They are unused after re-exec and parsing errors
   (possible for example if the host's network configuration changed)
   could prevent connections from being accepted.

 * sshd(8): when refusing a public key authentication request 

openssh 8.9p1-1

2022-02-23 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.9p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.


Cygwin release message:

WinHello support:

Apart from the following official upstream release message, this release
contains support for WinHello.  That is, users of Windows 10 1909 or
later will now be able to use FIDO2 tokens in conjunction with
WinHello.  Create keys with one of

  ssh-keygen -t ed25519-sk [-O verify-required]
  ssh-keygen -t ecdsa-sk [-O verify-required]

Please note that keys created with `-O no-touch-required' won't work,
because WinHello doesn't support authenticating FIDO2 tokens without
checking user presence.

WinHello support is supposed to go upstream, but the changes didn't
make it into 8.9p1 in time.


Official upstream release message:

OpenSSH 8.9 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other users' home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-p...@openssh.com" to support
this.

Security Near Miss
==================

 * sshd(8): fix an integer overflow in the user authentication path
   that, in conjunction with other logic errors, could have yielded
   unauthenticated access under difficult to exploit conditions.

   This situation is not exploitable because of independent checks in
   the privilege separation monitor. Privilege separation has been
   enabled by default since openssh-3.2.2 (released in 2002) and
   has been mandatory since openssh-7.5 (released in 2017). Moreover,
   portable OpenSSH has used toolchain features available in most
   modern compilers to abort on signed integer overflow since
   openssh-6.5 (released in 2014).

   Thanks to Malcolm Stagg for finding and reporting this bug.

Potentially-incompatible changes


 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

 * This release modifies the FIDO security key middleware interface
   and increments SSH_SK_VERSION_MAJOR.

Changes since OpenSSH 8.8
=========================

This release includes a number of new features.

New features


 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)
   A detailed description of the feature is available at
   https://www.openssh.com/agent-restrict.html and the protocol
   extensions are documented in the PROTOCOL and PROTOCOL.agent
   files in the source release.

 * ssh(1), sshd(8): add the sntrup761x25519-sha...@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * ssh-keygen(1): when downloading resident keys from a FIDO token,
   pass back the user ID that was used when the key was created and
   append it to the filename the key is written to (if it is not the
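
An added example, not part of either announcement or of OpenSSH: a simplified local model of the scp(1) quoting difference described in this message's deprecation notice and in the openssh 9.0p1-1 release notes above. It assumes a POSIX sh is available; printf stands in for the remote scp process, Python's glob stands in for the client-side matching done in SFTP mode, and the function and file names are made up for the illustration.

```python
"""Model how a remote path is interpreted by legacy scp/rcp versus SFTP mode."""
import glob
import os
import subprocess
import tempfile


def legacy_remote_words(remote_path, remote_dir):
    """Legacy model: the path is pasted into a command line for the remote shell.

    The remote side effectively runs  sh -c "scp -f <remote_path>",  so the
    shell splits, globs and unquotes the text before scp ever sees it.
    printf replaces scp here so the resulting words can be inspected.
    """
    result = subprocess.run(
        ["sh", "-c", "printf '%s\\n' " + remote_path],
        cwd=remote_dir, capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


def sftp_mode_matches(remote_path, remote_dir):
    """SFTP model: no shell is involved; the path is matched as a glob
    pattern and every other character, quotes included, is taken literally."""
    pattern = os.path.join(glob.escape(remote_dir), remote_path)
    return sorted(os.path.basename(p) for p in glob.glob(pattern))


def compare_modes(remote_paths):
    """Return {path: (legacy words, sftp matches)} against a scratch directory."""
    with tempfile.TemporaryDirectory() as remote_dir:
        # Constructed "remote" files for the demonstration.
        for name in ("my file.txt", "notes.txt"):
            open(os.path.join(remote_dir, name), "w").close()
        return {
            path: (legacy_remote_words(path, remote_dir),
                   sftp_mode_matches(path, remote_dir))
            for path in remote_paths
        }


# Constructed sample arguments, as they would arrive after local shell parsing:
#   scp host:"my file.txt" .      -> remote path  my file.txt
#   scp host:"'my file.txt'" .    -> remote path  'my file.txt'  (double quoting)
#   scp host:'*.txt' .            -> remote path  *.txt
SAMPLE_PATHS = ["my file.txt", "'my file.txt'", "*.txt"]

if __name__ == "__main__":
    for path, (legacy, sftp) in compare_modes(SAMPLE_PATHS).items():
        print(f"{path!r:18} legacy -> {legacy}   sftp -> {sftp}")
```

The singly quoted name is split into two words by the legacy model and found intact by the SFTP model, while the double-quoted form that legacy scp/rcp needs matches nothing in SFTP mode, which is the transfer failure the notice warns about.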
   

tcsh 6.24.00-1

2022-02-04 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.24.00-1

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


cygwin 3.3.4-2

2022-01-31 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.4-2
* cygwin-devel-3.3.4-2
* cygwin-doc-3.3.4-2

This is a replacement for the broken 3.3.4-1 release, which stumbled
over an installation glitch in the latest cygport release.

   IMPORTANT DEPRECATION NOTES
======================================================================

- Cygwin 3.3 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  to move to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4, which will probably be released at some point in 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

======================================================================

Bug Fixes
---------

- Fix a bug in fhandler_dev_clipboard::read() that the second read
  fails with 'Bad address'.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-December/250141.html

- Convert UNC path prefix back to drive letter in symlink_info::check().
  This solves the following issues:
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/250087.html
 https://cygwin.com/pipermail/cygwin/2021-December/250103.html

- Fix a bug in pty code that input is wrongly sent to io_handle_nat
  rather than io_handle while neither read() nor select() is called
  after the cygwin app is started from non-cygwin app.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011587.html

- Avoid a crash when NtQueryInformationProcess returns invalid handle data.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011611.html

- Ignore INHERIT ACEs when reading the DACL of non-directory files.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250363.html

- Fix an "Invalid argument" problem in posix_spawn on i686.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250453.html

- Fix handling of  records in Cygwin resolver code using native
  windows calls.  Also fix various bugs in the resolver.

- Fix a problem creating a dir "foo", if a file (but not a Cygwin symlink)
  "foo.lnk" already exists.
  Addresses: https://github.com/msys2/msys2-runtime/issues/81

- Fix double free for archetype, which is caused when open() fails.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250518.html

- Fix a permission problem when writing DOS attributes on Samba.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250629.html



cygwin 3.3.4-1

2022-01-31 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.4-1
* cygwin-devel-3.3.4-1
* cygwin-doc-3.3.4-1

==
   IMPORTANT DEPRECATION NOTES
==

- Cygwin 3.3 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  moving to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4, which will probably be released at some point in 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

==

Bug Fixes
-

- Fix a bug in fhandler_dev_clipboard::read() that the second read
  fails with 'Bad address'.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-December/250141.html

- Convert UNC path prefix back to drive letter in symlink_info::check().
  This solves the following issues:
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/250087.html
 https://cygwin.com/pipermail/cygwin/2021-December/250103.html

- Fix a bug in pty code that input is wrongly sent to io_handle_nat
  rather than io_handle while neither read() nor select() is called
  after the cygwin app is started from non-cygwin app.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011587.html

- Avoid a crash when NtQueryInformationProcess returns invalid handle data.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011611.html

- Ignore INHERIT ACEs when reading the DACL of non-directory files.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250363.html

- Fix an "Invalid argument" problem in posix_spawn on i686.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250453.html

- Fix handling of  records in Cygwin resolver code using native
  windows calls.  Also fix various bugs in the resolver.

- Fix a problem creating a dir "foo", if a file (but not a Cygwin symlink)
  "foo.lnk" already exists.
  Addresses: https://github.com/msys2/msys2-runtime/issues/81

- Fix double free for archetype, which is caused when open() fails.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250518.html

- Fix a permission problem when writing DOS attributes on Samba.
  Addresses: https://cygwin.com/pipermail/cygwin/2022-January/250629.html



libfido2 1.10.0-1

2022-01-21 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.10.0-1
* libfido2-devel-1.10.0-1

libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.


file 5.41-2

2022-01-12 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* file-5.41-2
* file-devel-5.41-2
* python3-magic-5.41-2

This update rectifies a wrong dependency to python 3.8 in the 32 bit
package and removes the obsolete python2 bindings.

--- 

With file you can obtain information on the file type of a specified
file. File type recognition is controlled by the file /usr/share/file/magic
which contains the classification criteria.


file 5.41-1

2022-01-11 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* file-5.41-1
* file-devel-5.41-1
* python2-magic-5.41-1
* python3-magic-5.41-1

With file you can obtain information on the file type of a specified
file. File type recognition is controlled by the file /usr/share/file/magic
which contains the classification criteria.


cygwin 3.3.3-1 [with DEPRECATION NOTES]

2021-12-03 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.3-1
* cygwin-devel-3.3.3-1
* cygwin-doc-3.3.3-1

==
   IMPORTANT DEPRECATION NOTES
==

- Cygwin 3.3 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  moving to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4, which will probably be released at some point in 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

==

Bug Fixes
-

- Fix issue that new pipe code doesn't handle size zero pipe which
  may be created by non-cygwin apps.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249844.html

- Make sure that "X:" paths are not handled as absolute DOS paths in
  fstatat and other ...at calls.  "X:/" still is handled as absolute
  path.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249837.html

- Fix showing DLL version info from native Windows tools.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249867.html

- Handle Unicode surrogate pairs in console. Cygwin console does not
  handle surrogate pairs correctly at the moment.  Fix issue that
  running bash in Windows Terminal and inserting an emoji does not
  work as expected.
  Addresses: https://github.com/git-for-windows/git/issues/3281

- Fix long-standing problem that fchmod or facl on newly created files
  screw up the DOS file attributes.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249909.html

- Fix issue that pipe read()/write() occasionally returns a garbage
  length when NtReadFile/NtWriteFile returns STATUS_PENDING in non-
  blocking mode.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249910.html

- Fix two bugs in raise(2).
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249973.html

- Fix regression in printf introduced with Cygwin 3.3.2.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249930.html


cygwin 3.3.3-1

2021-12-03 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.3-1
* cygwin-devel-3.3.3-1
* cygwin-doc-3.3.3-1

Bug Fixes
-

- Fix issue that new pipe code doesn't handle size zero pipe which
  may be created by non-cygwin apps.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249844.html

- Make sure that "X:" paths are not handled as absolute DOS paths in
  fstatat and other ...at calls.  "X:/" still is handled as absolute
  path.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249837.html

- Fix showing DLL version info from native Windows tools.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249867.html

- Handle Unicode surrogate pairs in console. Cygwin console does not
  handle surrogate pairs correctly at the moment.  Fix issue that
  running bash in Windows Terminal and inserting an emoji does not
  work as expected.
  Addresses: https://github.com/git-for-windows/git/issues/3281

- Fix long-standing problem that fchmod or facl on newly created files
  screw up the DOS file attributes.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249909.html

- Fix issue that pipe read()/write() occasionally returns a garbage
  length when NtReadFile/NtWriteFile returns STATUS_PENDING in non-
  blocking mode.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249910.html

- Fix two bugs in raise(2).
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249973.html

- Fix regression in printf introduced with Cygwin 3.3.2.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249930.html


libcbor 0.9.0-3

2021-11-17 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.9.0-3
* libcbor-devel-0.9.0-3

Rebuild, removing the DLLs and just providing a library for static linking.

libcbor is a C library for parsing and generating CBOR.


libfido2 1.9.0-2

2021-11-17 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.9.0-2
* libfido2-devel-1.9.0-2

This is a rebuild, statically linked against libcbor, to avoid problems
with missing binary compatibility between libcbor 0.X versions.


libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.


libfido2 1.9.0-1

2021-11-15 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.9.0-1
* libfido2-devel-1.9.0-1

libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.

WINDOWS 10 hint:

  On Windows 1903 and newer versions, access to FIDO devices has been
  restricted to applications using the operating system's native WebAuthn
  API.  This change has been included into libfido2 in the meantime, but
  for some reason it doesn't work with ssh yet.



libcbor 0.9.0-2

2021-11-15 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.9.0-2
* libcbor-devel-0.9.0-2

libcbor is a C library for parsing and generating CBOR.


libcbor 0.8.0-2

2021-11-12 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libcbor-0.8.0-2
* libcbor-devel-0.8.0-2

libcbor is a C library for parsing and generating CBOR.


tcsh 6.23.00-1

2021-11-11 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.23.00-1

I am pleased to announce that tcsh-6.23 is now available; this is mainly
a bug fix release (after 2 years) with a couple of new features:

1. Add "jobs -Z" to setproctitle(3)
2. Add ln=target in LS_COLORS
3. Add a :Q modifier that preserves empty arguments

Please consult the Fixes file for a complete list of changes.

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.


cygwin 3.3.2-1

2021-11-08 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.2-1
* cygwin-devel-3.3.2-1
* cygwin-doc-3.3.2-1

Bug Fixes
-

- Fix bug that Ctrl-C sometimes does not work as expected in Windows Terminal.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249749.html

- Fix a float rounding issue in newlib.
  Addresses: https://sourceware.org/pipermail/newlib/2021/018626.html

- Fix a permission problem when writing ACLs on Samba.

- Fix the issue that pipe reader falsely detects EOF if the output of
  the C# program is redirected to the pipe.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-November/249777.html


pl 8.4.0-1

2021-11-08 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* pl-8.4.0-1
* pl-devel-8.4.0-1
* pl-doc-8.4.0-1
* pl-odbc-8.4.0-1
* pl-xpce-8.4.0-1




pl 7.6.4-1 (SWI-Prolog)

2021-11-04 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* pl-7.6.4-1
* pl-devel-7.6.4-1
* pl-doc-7.6.4-1
* pl-odbc-7.6.4-1
* pl-static-7.6.4-1
* pl-xpce-7.6.4-1

This is the last stable release of SWI-Prolog 7.x.  While SWI-Prolog
moved to 8.x quite some time ago, a change in the build system requires
a lot more work, so this 7.6.4 release at least updates the package to
openssl 1.1 for the time being.


syslog-ng 3.2.5-3

2021-10-30 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* syslog-ng-3.2.5-3

This is just a rebuild updating from OpenSSL 1.0 to OpenSSL 1.1.

Syslog-ng is a next generation system logger daemon which provides more
capabilities and has a more flexible configuration than the traditional
syslog daemon.


gawk 5.1.1-1

2021-10-29 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* gawk-5.1.1-1

The gawk package contains the GNU version of awk, a text
processing utility. Awk interprets a special-purpose programming
language to do quick and easy text pattern matching and
reformatting jobs.

Install the gawk package if you need a text processing utility.
Gawk is considered to be a standard Linux tool for processing text.


cygwin 3.3.1-1 [with DEPRECATION NOTES]

2021-10-29 Thread Corinna Vinschen via Cygwin-announce
[Sending announcement once more to reinforce the deprecation notes]

The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.1-1
* cygwin-devel-3.3.1-1
* cygwin-doc-3.3.1-1

==
   IMPORTANT DEPRECATION NOTES
==

- Cygwin 3.3 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  moving to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4, which will probably be released at some point in 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

==

Bug Fixes
-

- Fix a fix in 3.3.0 which broke Vista / Server 2008 by using a Windows
  function introduced with Windows 7 only, namely TryAcquireSRWLockExclusive.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-October/249732.html



cygwin 3.3.1-1

2021-10-28 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.1-1
* cygwin-devel-3.3.1-1
* cygwin-doc-3.3.1-1

Bug Fixes
-

- Fix a fix in 3.3.0 which broke Vista / Server 2008 by using a Windows
  function introduced with Windows 7 only, namely TryAcquireSRWLockExclusive.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-October/249732.html


cygwin 3.3.0-1

2021-10-28 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.3.0-1
* cygwin-devel-3.3.0-1
* cygwin-doc-3.3.0-1

==
   IMPORTANT DEPRECATION NOTES
==

- Cygwin 3.3.0 is the LAST major version supporting

  - Windows Vista
  - Windows Server 2008

- Cygwin 3.3.0 is the LAST major version supporting 32 bit installations.

  If you're using 32 bit Cygwin in WOW64 on 64 bit machines, consider
  moving to a real 64 bit Cygwin installation in the next couple of
  months.

  If you're using 32 bit Cygwin on real 32 bit hardware or on WOW64 on
  ARM64, don't be alarmed.  The current installations including all
  Cygwin 3.3.x versions will continue to run on your system.  You just
  won't get any more updates starting with Cygwin 3.4.0.

- Cygwin 3.4.0, which will probably be released at some point in 2022,
  will be the LAST version supporting

  - Windows 7
  - Windows Server 2008 R2
  - Windows 8
  - Windows Server 2012

There are no plans to deprecate support for 64 bit systems starting with
Windows 8.1 / Windows Server 2012 R2 any time soon.

==


What's new:
---

- An IP-sampling profiler named 'profiler' has been added.  It can be used
  to profile any Cygwin program along with any DLLs loaded.

- A new tool 'gmondump' has been added.  It can dump the raw information
  of any "gmon.out" file created by profiler, ssp, or use of the gcc/g++
  option '-pg'.  (Continue using gprof to get symbolic profile displays.)

- New GNU-specific APIs, slated to become part of the next POSIX standard:
  pthread_cond_clockwait, pthread_mutex_clocklock, pthread_rwlock_clockrdlock,
  pthread_rwlock_clockwrlock, sem_clockwait.

- New Solaris-specific APIs, slated to become part of the next POSIX standard:
  sig2str, str2sig.


What changed:
-

- The speed argument to cfsetspeed(3) can now be a numerical baud rate
  rather than a Bnnn constant, as on Linux.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248887.html

- The internal implementation of pipes has been overhauled; this
  should result in improved performance.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-August/249238.html


Bug Fixes
-

- Fix values returned by select(2) for shutdown sockets.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-April/012092.html

- Introduce a new hypotl(3) function not suffering unnecessary overflows.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-April/248302.html

- Fix path handling for paths spanning native symlinks.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-April/248307.html

- Fix tab position evaluation after console window resize.

- Fix a regression in pseudo console handling, resulting in rlwrap not
  being able to start a new pseudo console.

- Handle two race conditions in pseudo console usage.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-April/248292.html

- Fix a bug in recognizing a successful completion of connect(2) on a
  datagram socket.

- Fix connect(2) when called with an address structure whose family is
  AF_UNSPEC.  As specified by POSIX and Linux, this is allowed on
  datagram sockets, and its effect is to reset the socket's peer
  address.

- Fix nanosleep(2) returning negative rem. NtQueryTimer appears to be able to
  return a negative remaining time (less than the timer resolution) for
  unsignalled timers.

- Fix getifaddrs(3) returning address family 0 or IPv4 address 0.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248970.html

- Fix getaddrinfo(3) to return valid ai_socktype and ai_protocol values
  if the underlying GetAddrInfoW screws up.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248985.html

- Fix duplicate /proc/partitions entries and (presumably) duplicate PIDs
  in ps(1) output.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-July/248998.html
 https://cygwin.com/pipermail/cygwin/2021-August/249124.html

- Fix pty master closing error regarding attach_mutex.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-October/012418.html

- Fix access violation that can sometimes occur when copy/pasting between
  32-bit and 64-bit Cygwin environments.  Align clipboard descriptor layouts.
  Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011517.html

- Fix a synchronization issue when running multiple threads from DLL
  initialization which in turn call malloc.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-October/249635.html


lynx 2.8.9-13

2021-10-27 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* lynx-2.8.9-13

Lynx is a text-based Web browser. Lynx does not display any images,
but it does support frames, tables, and most other HTML tags. One
advantage Lynx has over graphical browsers is speed; Lynx starts and
exits quickly and swiftly displays web pages.


[HEADSUP] Phasing out old Windows versions and 32 bit support

2021-10-27 Thread Corinna Vinschen via Cygwin-announce
[I sent this announcement to the Cygwin mailing list accidentally.
 Now sending it to cygwin-announce, too, to reach more people.  Please
 reply on the cygwin mailing list if you have any concerns or comments]


Hi folks,


The upcoming version 3.3.0 is the last version officially supporting
Windows Vista and Windows Server 2008.

The next major release 3.4.0 will be released in 2022 and will be the
last one officially supporting Windows 7, Windows 8, Windows Server 2008
R2, and Windows Server 2012.

We're also planning to drop support for the 32 bit release of Cygwin in
2022, thus Cygwin 3.4.0 won't come in 32 bit anymore, and the package
maintainers won't have to update 32 bit packages anymore.  If you're
still running Cygwin under WOW64, consider moving to 64 bit in the next
couple of months.


Corinna


ssmtp 2.64-10

2021-10-26 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* ssmtp-2.64-10

A secure, effective and simple way of getting mail off a system to
your mail hub. It contains no suid-binaries or other dangerous
things - no mail spool to poke around in, and no daemons running
in the background. Mail is simply forwarded to the configured
mailhost. Extremely easy configuration.

WARNING: the above is all it does; it does not receive mail,
expand aliases or manage a queue. That belongs on a mail hub with
a system administrator.


openssl10 1.0.2u-1

2021-10-21 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libssl1.0-1.0.2u-1
* libssl1.0-devel-1.0.2u-1

The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.


openssl 1.1.1l-1

2021-10-21 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssl-1.1.1l-1
* openssl-perl-1.1.1l-1
* libssl1.1-1.1.1l-1
* libssl-devel-1.1.1l-1

The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.


openssh 8.8p1-1

2021-10-20 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.8p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official release message:

-

OpenSSH 8.8 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-p...@openssh.com" to support
this.

Security


sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).

Potentially-incompatible changes


This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for https://eprint.iacr.org/2020/014.pdf

Changes since OpenSSH 8.7
=

This release is motivated primarily by the above deprecation and
security fix.

New features

 * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
   directive to accept a "none" argument to specify the default
   behaviour.

Bugfixes


 * scp(1): when using the SFTP protocol, continue transferring files
   after a transfer error occurs, better matching original scp/rcp
   behaviour.

 * ssh(1): fixed a number of memory leaks in multiplexing,

 * ssh-keygen(1): avoid crash when using the -Y find-principals
   command.

 * A number of documentation and manual improvements, including
   bz#3340, PR#139, PR#215, PR#241, PR#257

Portability
---

 * ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)

 * ssh(1)/sshd(8): some fixes to the pselect(2) replacement
   compatibility code. bz#3345

Checksums:
==

 - SHA1 (openssh-8.8.tar.gz) = 732947082a8998047e839cc0b4c066bf0a7e1a5b
 - SHA256 (openssh-8.8.tar.gz) = AngyrPSQH255hnzU1l7y+LlVAUNcGWtuYQIFEl22nRo=

 - SHA1 (openssh-8.8p1.tar.gz) = 1eb964897a4372f6fb96c7effeb509ec71c379c9
 - SHA256 (openssh-8.8p1.tar.gz) = RZCJDqm7ms5Pca4zF4WjpYIyMkNRYZYO1fyGWI8zH+k=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Please note that the OpenPGP key used to sign releases has been
rotated for this release. The new key has been signed by the previous
key to provide continuity.

Reporting Bugs:
===

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to open...@openssh.com
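
The checksum note in the announcement above (SHA256 values are base64, not the hex most tools print) is easy to trip over, so here is an added example, not part of the OpenSSH or Cygwin announcement: a small Python checker that parses the "ALGO (file) = digest" lines and accepts the digest in either encoding. The function names and the sample payload are constructed for illustration; only the ANNOUNCED line is copied from the message.

```python
import base64
import binascii
import hashlib
import hmac
import io
import re

# Checksum line in the form the announcement uses; a leading "- " bullet is tolerated.
LINE_RE = re.compile(r"^\s*(?:-\s+)?(SHA1|SHA256)\s+\((.+)\)\s+=\s+(\S+)\s*$")
DIGEST_SIZE = {"SHA1": 20, "SHA256": 32}
HASHERS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

# Line copied from the announcement above (base64-encoded SHA-256).
ANNOUNCED = " - SHA256 (openssh-8.8.tar.gz) = AngyrPSQH255hnzU1l7y+LlVAUNcGWtuYQIFEl22nRo="


def decode_digest(algo, text):
    """Return the raw digest bytes for a hex or base64 encoded value.

    The two encodings cannot be confused: a hex digest is exactly
    2 * size characters long, while base64 of the same digest is shorter
    (44 characters for SHA-256, 28 for SHA-1).
    """
    size = DIGEST_SIZE[algo]
    if len(text) == 2 * size and re.fullmatch(r"[0-9a-fA-F]+", text):
        return bytes.fromhex(text)
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"digest is neither hex nor base64: {text!r}") from exc
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return raw


def parse_checksum_line(line):
    """Split a checksum line into (algorithm, file name, raw digest bytes)."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"not a checksum line: {line!r}")
    algo, name, value = match.groups()
    return algo, name, decode_digest(algo, value)


def announced_hex(line):
    """Hex form of the announced digest, for comparison with sha256sum output."""
    return parse_checksum_line(line)[2].hex()


def verify_stream(line, stream, chunk_size=65536):
    """Hash a binary stream and compare it with the digest on the line."""
    algo, _name, expected = parse_checksum_line(line)
    hasher = HASHERS[algo]()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    return hmac.compare_digest(hasher.digest(), expected)


if __name__ == "__main__":
    # Hex form of the announced value, comparable with `sha256sum` output.
    print(announced_hex(ANNOUNCED))

    # Constructed payload standing in for a downloaded tarball.
    payload = b"constructed sample payload, not a real release"
    digest = hashlib.sha256(payload).digest()
    line = "SHA256 (sample.tar.gz) = " + base64.b64encode(digest).decode()
    print(verify_stream(line, io.BytesIO(payload)))            # intact copy
    print(verify_stream(line, io.BytesIO(payload + b"\x00")))  # modified copy
```

For a real download, open the tarball with `open(path, "rb")` and pass it to `verify_stream`. A matching checksum only shows the file matches the announcement; the signature made with the release key is what ties it to the publisher.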



openssh 8.7p1-1

2021-08-21 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.7p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official release message:
-

OpenSSH 8.7 was released on 2021-08-20. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Imminent deprecation notice
===

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to
assist the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

Potentially-incompatible changes


This release includes a number of changes that may affect existing
configurations:

 * scp(1): this release changes the behaviour of remote to remote
   copies (e.g. "scp host-a:/path host-b:") to transfer through the
   local host by default. This was previously available via the -3
   flag. This mode avoids the need to expose credentials on the
   origin hop, avoids triplicate interpretation of filenames by the
   shell (by the local system, the copy origin and the destination)
   and, in conjunction with the SFTP support for scp(1) mentioned
   below, allows use of all authentication methods to the remote
   hosts (previously, only non-interactive methods could be used).
   A -R flag has been added to select the old behaviour.

 * ssh(1)/sshd(8): both the client and server are now using a
   stricter configuration file parser. The new parser uses more
   shell-like rules for quotes, space and escape characters. It is
   also more strict in rejecting configurations that include options
   lacking arguments. Previously some options (e.g. DenyUsers) could
   appear on a line with no subsequent arguments. This release will
   reject such configurations. The new parser will also reject
   configurations with unterminated quotes and multiple '='
   characters after the option name.

 * ssh(1): when using SSHFP DNS records for host key verification,
   ssh(1) will verify all matching records instead of just those
   with the specific signature type requested. This may cause host
   key verification problems if stale SSHFP records of a different
   or legacy signature type exist alongside other records for a
   particular host. bz#3322

 * ssh-keygen(1): when generating a FIDO key and specifying an
   explicit attestation challenge (using -Ochallenge), the challenge
   will now be hashed by 
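
The three rejections listed above for the stricter configuration parser can be checked before an upgrade. The C lint below is an added example, not OpenSSH's parser or code from this announcement; its function names, verdict codes and sample configuration are constructed, and it assumes an unquoted '#' starts a trailing comment.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for one configuration line (hypothetical names). */
enum cfg_verdict { CFG_OK, CFG_NO_ARGUMENT, CFG_UNTERMINATED_QUOTE, CFG_MULTIPLE_EQUALS };

/* Approximates the rejections named in the release note for one line of
 * ssh_config/sshd_config; it is a lint, not a reimplementation. */
enum cfg_verdict lint_config_line(const char *line)
{
    const char *p = line;
    char quote = 0;
    int have_arg = 0;

    while (isspace((unsigned char)*p))
        p++;
    if (*p == '\0' || *p == '#')
        return CFG_OK;                          /* blank line or comment */

    /* The option name runs up to whitespace or '='. */
    while (*p != '\0' && !isspace((unsigned char)*p) && *p != '=')
        p++;

    /* Optional whitespace, at most one '=', optional whitespace. */
    while (isspace((unsigned char)*p))
        p++;
    if (*p == '=') {
        p++;
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '=')
            return CFG_MULTIPLE_EQUALS;
    }

    /* Walk the arguments with shell-like quotes and backslash escapes. */
    for (; *p != '\0'; p++) {
        if (quote) {
            if (*p == '\\' && p[1] != '\0')
                p++;                            /* escaped character */
            else if (*p == quote)
                quote = 0;
        } else if (*p == '"' || *p == '\'') {
            quote = *p;
            have_arg = 1;                       /* "" still is an argument */
        } else if (*p == '\\' && p[1] != '\0') {
            p++;
            have_arg = 1;
        } else if (*p == '#') {
            break;                              /* assumed trailing comment */
        } else if (!isspace((unsigned char)*p)) {
            have_arg = 1;
        }
    }
    if (quote)
        return CFG_UNTERMINATED_QUOTE;
    return have_arg ? CFG_OK : CFG_NO_ARGUMENT;
}

/* Lint a whole file held in memory; returns the number of rejected lines. */
int lint_config(const char *text)
{
    char line[1024];
    int bad = 0;

    while (*text != '\0') {
        size_t n = strcspn(text, "\n");
        size_t copy = n < sizeof(line) - 1 ? n : sizeof(line) - 1;

        memcpy(line, text, copy);
        line[copy] = '\0';
        if (lint_config_line(line) != CFG_OK)
            bad++;
        text += n;
        if (*text == '\n')
            text++;
    }
    return bad;
}

/* Constructed sample, not taken from a real host. */
const char sample_config[] =
    "# constructed sample\n"
    "Port 22\n"
    "DenyUsers\n"
    "PermitRootLogin==no\n"
    "Banner \"/etc/issue net\n"
    "AllowUsers \"alice smith\" bob\n";

int main(void)
{
    printf("rejected lines: %d\n", lint_config(sample_config));
    return 0;
}
```

On a host that already runs the new release, sshd -t performs the authoritative check of the installed configuration.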

libfido2 1.5.0-2

2021-08-06 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* libfido2-1.5.0-2
* libfido2-devel-1.5.0-2

libfido2 provides library functionality and command-line tools to
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.

libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.

libfido2-1.5.0-2 is equivalent to libfido2-1.5.0-1.  It just adds a
package dependency from libfido2-devel to libcbor-devel.


openssh 8.6p1-1

2021-08-06 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.6p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official announce message:
--------------------------
OpenSSH 8.6 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near
future.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to assist
the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

Security


 * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
   option was enabled with a set of patterns that activated logging
   in code that runs in the low-privilege sandboxed sshd process, the
   log messages were constructed in such a way that printf(3) format
   strings could effectively be specified by the low-privilege code.

   An attacker who had successfully exploited the low-privilege
   process could use this to escape OpenSSH's sandboxing and attack
   the high-privilege process. Exploitation of this weakness is
   highly unlikely in practice as the LogVerbose option is not
   enabled by default and is typically only used for debugging. No
   vulnerabilities in the low-privilege process are currently known
   to exist.

   Thanks to Ilja Van Sprundel for reporting this bug.

Changes since OpenSSH 8.5
=========================

This release contains mostly bug fixes.

New features


 * sftp-server(8): add a new lim...@openssh.com protocol extension
   that allows a client to discover various server limits, including
   maximum packet size and maximum read/write length.

 * sftp(1): use the new lim...@openssh.com extension (when available)
   to select better transfer lengths in the client.

 * sshd(8): Add ModuliFile keyword to sshd_config to specify the
   location of the "moduli" file containing the groups for DH-GEX.

 * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to
   enable printing of the elapsed time in seconds of each test.

Bugfixes


 * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in
   manual pages with the current default. GHPR#174

 * ssh(1): ensure that pkcs11_del_provider() is called before exit.
   GHPR#234

 * ssh(1), sshd(8): fix problems in string->argv conversion. Multiple
   backslashes were 
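
The bug class behind the LogVerbose item in the Security section of this announcement, text from a less-trusted process ending up as a printf(3) format string, is shown here next to two safe forms. This is an added illustration in C, not OpenSSH's logging code; every function name and the sample message are constructed.

```c
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; this is not OpenSSH's logging code. */

/* VULNERABLE pattern: text received from the sandboxed process is pasted
 * into a buffer that a second call then interprets as its format string,
 * so any '%' conversion in that text is acted on by the privileged side. */
int log_two_stage_unsafe(char *out, size_t outlen, const char *from_sandbox)
{
    char fmt[512];

    snprintf(fmt, sizeof(fmt), "sandbox: %s", from_sandbox);
    return snprintf(out, outlen, fmt);
}

/* Fix 1: constant format; the untrusted text is only ever an argument. */
int log_from_sandbox_safe(char *out, size_t outlen, const char *from_sandbox)
{
    return snprintf(out, outlen, "sandbox: %s", from_sandbox);
}

/* Double every '%' so the text is inert if it has to pass through a
 * format-taking interface. Returns -1 if dst is too small. */
int escape_percent(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        size_t need = (*src == '%') ? 2 : 1;

        if (o + need >= dstlen)
            return -1;                  /* no room for text plus NUL */
        if (*src == '%')
            dst[o++] = '%';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Fix 2: keep the two-stage shape but neutralise the text first. */
int log_two_stage_escaped(char *out, size_t outlen, const char *from_sandbox)
{
    char esc[256], fmt[512];

    if (escape_percent(esc, sizeof(esc), from_sandbox) != 0)
        return -1;
    snprintf(fmt, sizeof(fmt), "sandbox: %s", esc);
    return snprintf(out, outlen, fmt);  /* "%%" is printed as "%" */
}

/* Constructed message of the kind a compromised sandbox could send. */
const char sample_hostile[] = "preauth from %s%s port %x";

int main(void)
{
    char buf[128];

    /* The unsafe form is only ever given benign input here. */
    log_two_stage_unsafe(buf, sizeof(buf), "connection closed");
    puts(buf);
    log_from_sandbox_safe(buf, sizeof(buf), sample_hostile);
    puts(buf);
    log_two_stage_escaped(buf, sizeof(buf), sample_hostile);
    puts(buf);
    return 0;
}
```

Building with -Wformat -Wformat-security makes gcc and clang flag both calls that pass a non-literal format, which is how this pattern is usually caught in review.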

rebase 4.5.0-1

2021-05-18 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* rebase-4.5.0-1

This package contains the Cygwin rebase utilities.  Use rebase for
specific DLLs or rebaseall for all DLLs installed by Cygwin's setup.exe.

What's new:

- Introduce --merge-files (-M) flag.

  The --merge-files flag is to update the database for new files, without
  performing a rebase.  The file names provided should have been rebased
  using the --oblivious flag just before.

- Introduce --high-entropy-va (-e) flag.

  This flag allows for setting, clearing, and displaying the value of the
  "high entropy va" dll characteristics flag, which is required to indicate
  that a DLL is 64 bit ASLR clean.

- The --verbose option now prints a reason why rebase is necessary.

- Some errors causing an unnecessary rebase are fixed.

- Add a --with-posix-shell configure flag to use other shells than dash to
  be used as default shell in scripts.  This is only interesting when
  building rebase for non-Cygwin distros.


tcsh 6.22.04-1

2021-05-11 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.22.04-1

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.

6.22.04 fixes problems introduced in 6.22.03, which were the reason
we skipped 6.22.03 in Cygwin.  Changes from 6.22.02:

 15. V6.22.04 - 20210426
 14. Don't crash with 'bindkey "^0" clear-screen' (Karl Jeacle)
 13. Fix $x:q:h and $x:q:t return the whole string for strings not containing /

 12. V6.22.03 - 20201118
 11. Fix $x:q:h and $x:q:t to not crash (alzwded) with strings containing /
 10. Block SIGHUP while writing history/directory stack (Brett Frankenberger)
  9. Fixed reversed test that broke history merging (Brett Frankenberger)
  8. Prevent recursive entry for writing history (Brett Frankenberger)
  7. alxwded@github, keep track of the :g and :a modifiers per modifier they
     affect.
  6. alzwded@github, fix infinite loop with :gas variable modifier
  5. PR/88: Add a Q: modifier that preserves empty arguments leaving :q
     alone.



cygwin 3.2.0-1

2021-03-29 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.2.0-1
* cygwin-devel-3.2.0-1
* cygwin-doc-3.2.0-1

This is a new major release.

What's new:
-----------

- Revamped pseudo console support.  Conditionally activating it only when
  a non-cygwin application is run.

- New C11 threads API: call_once, cnd_broadcast, cnd_destroy, cnd_init,
  cnd_signal, cnd_timedwait, cnd_wait, mtx_destroy, mtx_init, mtx_lock,
  mtx_timedlock, mtx_trylock, mtx_unlock, thrd_create, thrd_current,
  thrd_detach, thrd_equal, thrd_exit, thrd_join, thrd_sleep, thrd_yield,
  tss_create, tss_delete, tss_get, tss_set.

- In cygwin console, new thread which handles special keys/signals such
  as Ctrl-Z (VSUSP), Ctrl-\ (VQUIT), Ctrl-S (VSTOP), Ctrl-Q (VSTART) and
  SIGWINCH has been introduced. There has been a long-standing issue
  that these keys/signals are handled only when app calls read() or
  select(). Now, these work even if app does not call read() or select().

- fchmodat(2) now has limited support for the AT_SYMLINK_NOFOLLOW flag.

- Cygwin now recognizes native Windows AF_UNIX sockets (as regular
  files, not as socket files).  This allows tools like 'ls' and 'rm'
  to work.

What changed:
-------------

- Allow ~5000 child processes per process on 64 bit, ~1200 child processes
  per process on 32 bit.  So far, only 256 child processes per process were
  supported.

- A few FAQ updates.

- Have tmpfile(3) make use of Win32 FILE_ATTRIBUTE_TEMPORARY via open(2)
  flag O_TMPFILE.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247304.html

- Utilize Windows 10 1809 FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE
  flag to allow simpler unlink of files with DOS readonly flags set.

- getdtablesize(3), sysconf(_SC_OPEN_MAX), and
  getrlimit(RLIMIT_NOFILE) now return the true limit on the number of
  open descriptors, 3200.  Previously they returned the current size
  of Cygwin's internal file descriptor table, which can grow
  dynamically.

- facl(2) now fails with EBADF on a file opened with O_PATH.

- Allow to start Windows Store executables via their "app execution
  aliases".  Handle these aliases (which are special reparse points)
  as symlinks to the actual executables.

Bug Fixes
---------

- Iterate at least 4 times over pthread_key_t destructors per POSIX.

- The pthread_yield declaration in pthread is now visible by default
  or when defining _BSD_SOURCE, too.

- Fix SEGV in modfl call.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-August/246056.html

- Fix a collision of official and internally used file flags.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246174.html

- Fix assertion failure on an invalid path under /proc//fd/.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246160.html

- Fix crash on stat(2)'ing /dev/ptmx on 32 bit.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246218.html

- Fix return value of sqrtl on negative infinity.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-October/246606.html

- Fix a path handling problem if there is a WSL symlink in PATH.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-December/246938.html

- Fix a bug in fstatat(2) on 32 bit that could cause it to return garbage.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247399.html

- Fix the errno when a path contains .. and the prefix exists but is
  not a directory.
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00214.html

- Fix the return value when ptsname_r(3) is called with a bad file descriptor
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00245.html

- Fix path handling in case the Cygwin installation dir is accessed via
  a Windows junction point.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012054.html

- Fix potential handle leaks when dup'ing descriptors
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012041.html

- Fix a bug that could cause fstat(2) to return incorrect results on a FIFO.

- Fix some system calls on AF_LOCAL sockets that are not socket files.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012066.html

- Fix access to block devices under /proc/sys.
  Addresses: https://sourceware.org/pipermail/cygwin-patches/2020q4/010843.html


cygwin 3.2.0-0.1 (TEST)

2021-03-09 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.2.0-0.1
* cygwin-devel-3.2.0-0.1
* cygwin-doc-3.2.0-0.1

This is the beginning of the public test cycle for a new major release
with a couple of changes.  Please report problems or regressions compared
to Cygwin 3.1.7 to the public mailing list cygwin AT cygwin DOT com.


What's new:
-----------

- Revamped pseudo console support.  Conditionally activating it only when
  a non-cygwin application is run.

- New C11 threads API: call_once, cnd_broadcast, cnd_destroy, cnd_init,
  cnd_signal, cnd_timedwait, cnd_wait, mtx_destroy, mtx_init, mtx_lock,
  mtx_timedlock, mtx_trylock, mtx_unlock, thrd_create, thrd_current,
  thrd_detach, thrd_equal, thrd_exit, thrd_join, thrd_sleep, thrd_yield,
  tss_create, tss_delete, tss_get, tss_set.

- In cygwin console, new thread which handles special keys/signals such
  as Ctrl-Z (VSUSP), Ctrl-\ (VQUIT), Ctrl-S (VSTOP), Ctrl-Q (VSTART) and
  SIGWINCH has been introduced. There has been a long-standing issue
  that these keys/signals are handled only when app calls read() or
  select(). Now, these work even if app does not call read() or select().

- fchmodat(2) now has limited support for the AT_SYMLINK_NOFOLLOW flag.

- Cygwin now recognizes native Windows AF_UNIX sockets (as regular
  files, not as socket files).  This allows tools like 'ls' and 'rm'
  to work.


What changed:
-------------

- Allow ~5000 child processes per process on 64 bit, ~1200 child processes
  per process on 32 bit.  So far, only 256 child processes per process were
  supported.

- A few FAQ updates.

- Have tmpfile(3) make use of Win32 FILE_ATTRIBUTE_TEMPORARY via open(2)
  flag O_TMPFILE.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247304.html

- Utilize Windows 10 1809 FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE
  flag to allow simpler unlink of files with DOS readonly flags set.

- getdtablesize(3), sysconf(_SC_OPEN_MAX), and
  getrlimit(RLIMIT_NOFILE) now return the true limit on the number of
  open descriptors, 3200.  Previously they returned the current size
  of Cygwin's internal file descriptor table, which can grow
  dynamically.

- facl(2) now fails with EBADF on a file opened with O_PATH.


Bug Fixes
---------

- Iterate at least 4 times over pthread_key_t destructors per POSIX.

- The pthread_yield declaration in pthread is now visible by default
  or when defining _BSD_SOURCE, too.

- Fix SEGV in modfl call.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-August/246056.html

- Fix a collision of official and internally used file flags.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246174.html

- Fix assertion failure on an invalid path under /proc//fd/.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246160.html

- Fix crash on stat(2)'ing /dev/ptmx on 32 bit.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-September/246218.html

- Fix return value of sqrtl on negative infinity.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-October/246606.html

- Fix a path handling problem if there is a WSL symlink in PATH.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-December/246938.html

- Fix a bug in fstatat(2) on 32 bit that could cause it to return garbage.
  Addresses: https://cygwin.com/pipermail/cygwin/2021-January/247399.html

- Fix the errno when a path contains .. and the prefix exists but is
  not a directory.
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00214.html

- Fix the return value when ptsname_r(3) is called with a bad file descriptor
  Addresses: https://lists.gnu.org/archive/html/bug-gnulib/2021-01/msg00245.html

- Fix path handling in case the Cygwin installation dir is accessed via
  a Windows junction point.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012054.html

- Fix potential handle leaks when dup'ing descriptors
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012041.html

- Fix a bug that could cause fstat(2) to return incorrect results on a FIFO.

- Fix some system calls on AF_LOCAL sockets that are not socket files.
  Addresses: https://cygwin.com/pipermail/cygwin-developers/2021-February/012066.html

- Fix access to block devices under /proc/sys.
  Addresses: https://sourceware.org/pipermail/cygwin-patches/2020q4/010843.html


openssh 8.5p1-1

2021-03-05 Thread Corinna Vinschen via Cygwin-announce
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.5p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official announce message:
--------------------------
OpenSSH 8.5 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near
future.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

This release enables the UpdateHostKeys option by default to assist
the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

Security


 * ssh-agent(1): fixed a double-free memory corruption that was
   introduced in OpenSSH 8.2. We treat all such memory faults as
   potentially exploitable. This bug could be reached by an attacker
   with access to the agent socket.

   On modern operating systems where the OS can provide information
   about the user identity connected to a socket, OpenSSH ssh-agent
   and sshd limit agent socket access only to the originating user
   and root. Additional mitigation may be afforded by the system's
   malloc(3)/free(3) implementation, if it detects double-free
   conditions.

   The most likely scenario for exploitation is a user forwarding an
   agent either to an account shared with a malicious user or to a
   host with an attacker holding root access.

 * Portable sshd(8): Prevent excessively long username going to PAM.
   This is a mitigation for a buffer overflow in Solaris' PAM username
   handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
   implementations.  This is not a problem in sshd itself, it only
   prevents sshd from being used as a vector to attack Solaris' PAM.
   It does not prevent the bug in PAM from being exploited via some
   other PAM application. GHPR#212


Potentially-incompatible changes


This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): this release changes the first-preference signature
   algorithm from ECDSA to ED25519.

 * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
   for interactive use prior to TCP connect. The connection phase of
   the SSH session is time-sensitive and often explicitly interactive.
   The ultimate interactive/bulk TOS/DSCP will be set after
   authentication completes.

 * ssh(1), sshd(8): remove the 

openssh 8.4p1-2

2020-11-20 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.4p1-2

---
This release fixes a bug in the ssh-copy-id script.
---

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.


file 5.39-1

2020-10-30 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* file-5.39-1
* file-devel-5.39-1
* python2-magic-5.39-1
* python3-magic-5.39-1

With file you can obtain information on the file type of a specified
file. File type recognition is controlled by the file /usr/share/file/magic
which contains the classification criteria.


openssh 8.4p1-1

2020-10-20 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.4p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.

Official release message:
-------------------------

OpenSSH 8.4 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

We intend to enable UpdateHostKeys by default in the next OpenSSH
release. This will assist the client by automatically migrating to
better algorithms. Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

Security


 * ssh-agent(1): restrict ssh-agent from signing web challenges for
   FIDO/U2F keys.

   When signing messages in ssh-agent using a FIDO key that has an
   application string that does not start with "ssh:", ensure that the
   message being signed is one of the forms expected for the SSH protocol
   (currently public key authentication and sshsig signatures).

   This prevents ssh-agent forwarding on a host that has FIDO keys
   attached granting the ability for the remote side to sign challenges
   for web authentication using those keys too.

   Note that the converse case of web browsers signing SSH challenges is
   already precluded because no web RP can have the "ssh:" prefix in the
   application string that we require.

 * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
   a FIDO resident key.

   The recent FIDO 2.1 Client to Authenticator Protocol introduced a
   "credProtect" feature to better protect resident keys. We use this
   option to require a PIN prior to all operations that may retrieve
   a resident key from a FIDO token.

Potentially-incompatible changes


This release includes a number of changes that may affect existing
configurations:

 * For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0
   or greater. Older libraries have limited support at the expense of
   disabling particular features. These include resident keys, PIN-
   required keys and multiple attached tokens.

 * ssh-keygen(1): the format of the attestation information optionally
   recorded when a FIDO key is generated has changed. It now includes
   the authenticator data needed to validate attestation signatures.

 * The API between OpenSSH and the FIDO token middleware has changed
   and the SSH_SK_VERSION_MAJOR version has been incremented as a
   result. Third-party middleware libraries must support the current
   API version (7) to work with OpenSSH 8.4.

 * The portable OpenSSH distribution now requires automake to rebuild
   the configure script and supporting files. This is not required when
   simply building portable OpenSSH from a release tar file.

Changes since OpenSSH 8.3
=========================

New features


 * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
   each 
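
A simplified version of the ssh-agent check described in the first Security item of this announcement: a FIDO key whose application string does not start with "ssh:" may only sign data shaped like SSH public key authentication or an sshsig signature. This is an added example, not ssh-agent's own code; the function names, sample buffers and "example.org" are constructed, and the layouts follow RFC 4252 section 7 and OpenSSH's PROTOCOL.sshsig.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SSH_MSG_USERAUTH_REQUEST 50    /* RFC 4252 */
/* Cursor over an SSH wire-format buffer; helper names are hypothetical. */
struct cursor { const uint8_t *p; size_t left; };

/* SSH "string": uint32 big-endian length, then that many bytes. */
static int get_string(struct cursor *c, const uint8_t **s, size_t *len)
{
    uint32_t n;
    if (c->left < 4)
        return -1;
    n = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
        ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
    if (n > c->left - 4)
        return -1;                     /* length runs past the buffer */
    *s = c->p + 4;
    *len = n;
    c->p += 4 + (size_t)n;
    c->left -= 4 + (size_t)n;
    return 0;
}

static int get_u8(struct cursor *c, uint8_t *v)
{
    if (c->left < 1)
        return -1;
    *v = *c->p++;
    c->left--;
    return 0;
}

/* Read one string; if lit is non-NULL the string must equal it. */
static int take_string(struct cursor *c, const char *lit)
{
    const uint8_t *s;
    size_t n;
    return get_string(c, &s, &n) == 0 &&
        (lit == NULL || (n == strlen(lit) && memcmp(s, lit, n) == 0));
}

/* Data signed for public key authentication (RFC 4252 section 7). */
int is_userauth_request(const uint8_t *msg, size_t len)
{
    struct cursor c = { msg, len };
    uint8_t type, has_sig;
    return take_string(&c, NULL) &&                 /* session identifier */
        get_u8(&c, &type) == 0 && type == SSH_MSG_USERAUTH_REQUEST &&
        take_string(&c, NULL) &&                    /* user name */
        take_string(&c, "ssh-connection") &&        /* service */
        take_string(&c, "publickey") &&             /* method */
        get_u8(&c, &has_sig) == 0 && has_sig == 1 &&
        take_string(&c, NULL) &&                    /* signature algorithm */
        take_string(&c, NULL) &&                    /* public key blob */
        c.left == 0;                                /* nothing trailing */
}

/* Data signed by sshsig: "SSHSIG", namespace, reserved, hash alg, hash. */
int is_sshsig_request(const uint8_t *msg, size_t len)
{
    if (len < 6 || memcmp(msg, "SSHSIG", 6) != 0)
        return 0;
    struct cursor c = { msg + 6, len - 6 };
    return take_string(&c, NULL) && take_string(&c, NULL) &&
        take_string(&c, NULL) && take_string(&c, NULL) && c.left == 0;
}

/* "ssh:" keys sign as before; any other key signs SSH-shaped data only. */
int agent_may_sign(const char *application, const uint8_t *msg, size_t len)
{
    if (strncmp(application, "ssh:", 4) == 0)
        return 1;
    return is_userauth_request(msg, len) || is_sshsig_request(msg, len);
}

/* Constructed samples, not captured traffic; sizeof includes a final NUL. */
const uint8_t sample_userauth[] =
    "\0\0\0\4SESS" "\062" "\0\0\0\5alice" "\0\0\0\016" "ssh-connection"
    "\0\0\0\011" "publickey" "\001" "\0\0\0\032" "sk-ssh-ed25519@openssh.com"
    "\0\0\0\3KEY";
const uint8_t sample_sshsig[] =
    "SSHSIG" "\0\0\0\4file" "\0\0\0\0" "\0\0\0\6sha512" "\0\0\0\4HASH";
const uint8_t sample_other[] = "constructed-non-ssh-challenge";

int main(void)
{
    const char *app = "example.org";   /* constructed non-"ssh:" application */
    printf("userauth=%d sshsig=%d other=%d\n",
        agent_may_sign(app, sample_userauth, sizeof(sample_userauth) - 1),
        agent_may_sign(app, sample_sshsig, sizeof(sample_sshsig) - 1),
        agent_may_sign(app, sample_other, sizeof(sample_other) - 1));
    return 0;
}
```

The sketch checks structure only; it does not verify that the key in the request is the one asked to sign or that the hash has the length its algorithm implies.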

cygwin 3.1.7-1

2020-08-24 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* cygwin-3.1.7-1
* cygwin-devel-3.1.7-1
* cygwin-doc-3.1.7-1

This is a bugfix release.

Bug Fixes:
----------

- Fix acl_get_* functions in 32-bit Cygwin (pointer sign extension)

- Fix select/poll issue in case a socket connect call fails.
  Addresses: https://cygwin.com/pipermail/cygwin/2020-July/245528.html

- Fix multiple reader support for FIFOs
  Addresses: https://sourceware.org/pipermail/cygwin/2020-July/245456.html

- Fix an mmap issue that could cause failure with errno EFBIG
  Partially addresses: https://sourceware.org/pipermail/cygwin/2020-July/245557.html

- Fix the behavior of C++ apps after an unhandled exception (64-bit only)
  Addresses: https://cygwin.com/pipermail/cygwin/2019-October/242795.html
             https://cygwin.com/pipermail/cygwin/2020-August/245897.html


tcsh 6.22.02-1

2020-07-27 Thread Corinna Vinschen
The following packages have been uploaded to the Cygwin distribution:

* tcsh-6.22.02-1

Tcsh is an enhanced but completely compatible version of csh, the C
shell.  Tcsh is a command language interpreter which can be used both
as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion,
spelling correction, a history mechanism, job control and a C language
like syntax.

