diff --git a/CHANGES b/CHANGES index 2094a4c71..7c2f85cec 100644 --- a/CHANGES +++ b/CHANGES @@ -1,21 +1,23 @@ -Future Release +2022.82 - 1 April 2022 + Features and Changes: + Note >> for compatibility/configuration changes -- Implement OpenSSH format private key handling for dropbearconvert. - Keys can be read in OpenSSH format or the old PEM format, they will be - written in OpenSSH format. (DSS has not been implemented). - ED25519 support is now correct. +- Implemented OpenSSH format private key handling for dropbearconvert. + Keys can be read in OpenSSH format or the old PEM format. + >> Keys are now written in OpenSSH format rather than PEM. + ED25519 support is now correct. DSS keys are still PEM format. - Use SHA256 for key fingerprints -- Reworked -v verbose printing, specifying multiple times will increase +- >> Reworked -v verbose printing, specifying multiple times will increase verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it can be configured at compile time in localoptions.h (see default_options.h) Lower -v options can be used to check connection progress or algorithm negotiation. Thanks to Hans Harder for the implementation - > > localoptions.h DEBUG_TRACE should be set to 4 for the same result as the + localoptions.h DEBUG_TRACE should be set to 4 for the same result as the previous DEBUG_TRACE 1. - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in @@ -23,7 +25,7 @@ Features and Changes: Thanks to Egor Duda for the implementation - autoconf output (configure script etc) is now committed to version control. - It isn't necessary to run "autoconf" any more on a checkout. + >> It isn't necessary to run "autoconf" any more on a checkout. - sha1 will be omitted from the build if KEX/signing/MAC algorithms don't require it. Instead sha256 is used for random number generation. 
@@ -34,12 +36,15 @@ Features and Changes: (must only have characters a-z A-Z 0-9 .,_-+@) Patch from Hans Harder, modified by Matt Johnston +- Let dbclient multihop mode be used with '-J'. + Patch from Hans Harder + - Allow home-directory relative paths ~/path for various settings and command line options. *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME Thanks to Begley Brothers Inc - > > The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs + >> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs a tilde prefix. - LANG environment variable is carried over from the Dropbear server process @@ -50,7 +55,7 @@ Features and Changes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 - Added client option "-o DisableTrivialAuth". This can be used to prevent - the server immediately allowing successful authentication (before any auth + the server immediately accepting successful authentication (before any auth request) which could cause UI confusion and security issues with agent forwarding - it isn't clear which host is prompting to use a key. Thanks to Manfred Kaiser from Austrian MilCERT @@ -61,14 +66,14 @@ Features and Changes: This should be used with caution. Patch from Roland Vollgraf (github #118) -- Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to +- >> Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to AF21 "interactive". Previously TOS classes were used, they are not used by modern traffic classifiers. Non-tty traffic is left at default priority. -- Disable dh-group1 key exchange by default. It has been disabled server +- >> Disable dh-group1 key exchange by default. It has been disabled server side by default since 2018. -- Removed Twofish cipher +- >> Removed Twofish cipher Fixes: 
@@ -86,6 +91,9 @@ Fixes: - A missing home directory is now non-fatal, starting in / instead +- Fixed IPv6 [address]:port parsing for dbclient -b + Reported by Fabio Molinari + - Improve error logging so that they are logged on the server rather than being sent to the client over the connection @@ -107,6 +115,7 @@ Infrastructure: - Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can handle the structure of SSH packet streams. Added cifuzz to run on commits and pull requests. + Thanks to OSS-Fuzz for the tools/clusters and reward funding. - Dropbear source tarballs generated by release.sh are now reproducible from a Git or Mercurial checkout, they will be identical on any system. Tested diff --git a/debian/changelog b/debian/changelog index 583244622..f7e2ffa4f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +dropbear (2022.82-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston Fri, 1 Apr 2022 22:51:57 +0800 + dropbear (2020.81-0.1) unstable; urgency=low * New upstream release. diff --git a/sysoptions.h b/sysoptions.h index 6c164f760..18df6de38 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2020.81" +#define DROPBEAR_VERSION "2022.82" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
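Review bot: in the first CHANGES hunk (@@ -1,21 +1,23 @@), the entry "- Use SHA256 for key fingerprints" stays unmarked even though it changes output that operators and scripts compare against recorded fingerprints. The header added in the same hunk defines ">>" as the flag for compatibility/configuration changes, so consider "- >> Use SHA256 for key fingerprints" to match the treatment of the dropbearconvert and -v entries.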
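Review bot: in the CHANGES hunk at @@ -34,12 +36,15 @@, the line ">> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs a tilde prefix" does not say who has to act or what the new value looks like. Stating that an existing localoptions.h override of DROPBEAR_DEFAULT_CLI_AUTHKEY must be edited to use the ~/path form, and quoting the new default, would make the required change obvious to someone upgrading a custom build.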
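Review bot: in the CHANGES hunk at @@ -61,14 +66,14 @@, "- >> Disable dh-group1 key exchange by default." does not say which side is changing. The next sentence says the server side has had it off by default since 2018, which suggests this entry concerns the client; say so explicitly and name the compile-time option that controls it, so users who still connect to legacy peers know where to look. For "- >> Removed Twofish cipher", it would help to state whether any build option can restore it, since a removal is a different kind of change from a new default.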
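Review bot: in the sysoptions.h hunk, DROPBEAR_VERSION is bumped by hand to "2022.82" while the same version string is also typed into the CHANGES heading and the new debian/changelog stanza in this patch. Since LOCAL_IDENT is built from DROPBEAR_VERSION, this define is what peers see in the SSH identification string, so a missed bump in one of the three places would be externally visible. If release.sh does not already verify that the three agree, a check there would catch it.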