Tags

libssh-0.11.1

 * Fixed default TTY modes that are set when stdin is not connected to tty (#270)
 * Fixed zlib cleanup procedure, which could crash on i386
 * Various test fixes improving their stability
 * Fixed cygwin build

libssh-0.11.0

* Deprecations and Removals:
  * Dropped support for DSA
  * Deprecated Blowfish cipher (will be removed in next release)
  * Deprecated SSH_BIND_OPTIONS_{RSA,ECDSA}KEY in favor of generic HOSTKEY
  * Removed the usage of deprecated OpenSSL APIs (Note: Minimum supported
    OpenSSL version is 1.1.1)
  * Disabled preauth compression (zlib) by default
  * Support for pkcs#11 engines are deprecated, pkcs11-provider is used instead
  * Deprecation of old async SFTP API
  * libgcrypt cryptographic backend is deprecated
  * Deprecation of knownhosts hashing
* SFTP Improvements:
  * Added support for async SFTP IO
  * Added support for sftp_limits() and applied capping to SFTP read/write
    operations accordingly
  * Added sftp_home_directory() API support for sftp extension "home-directory"
  * Added sftp_lsetstat() API for lsetstat extensions
  * Added sftp_expand_path() to canonicalize path using expand-path@openssh.com
    extension
  * Implemented stat and realpath in sftpserver
  * Added sftp_readlink() API to support hardlink@openssh.com
  * New extensible callback based SFTP server
  * Introduced the posix-rename@openssh.com extension
* New functions and features:
  * Added support for PKCS #11 provider for OpenSSL 3.0
  * Added testing for GSSAPI Authentication
  * Implemented proxy jump using libssh
  * Recategorized loglevels to show fatal errors and alignment with OpenSSH
    log levels
  * Added ssh_channel_request_pty_size_modes() API to set terminal modes for
    PTYs
  * Added function to check username syntax
  * Added support to check all keys in authorized_keys instead of one in
    example server implementation
  * Handled hostkey similar to OpenSSH
  * Added ssh_session_socket_close() API in order to not close socket passed
    through options on error conditions
  * Added option SSH_BIND_OPTIONS_IMPORT_KEY_STR to read user-supplied key
    string in ssh_bind_options_set()
  * Improved log handling around ssh_set_callbacks
  * Added ssh_set_error_invalid in ssh_options_set()
  * Prevented signature blob to start with 1 bit in libgcrypt
  * Added support to unbreak key comparison of Ed25519 keys imported from PEM
    or OpenSSH container
  * Added support to calculate missing CRT parameters when building RSA key
  * Added ssh_pki_export_privkey_base64_format() and
    ssh_pki_export_privkey_file_format() to support exporting keys in different
    formats (PEM, OpenSSH)
  * Added support to compare certificates and handle automatic certificate
    authentication
  * Added support to make compile-commands generation conditional
  * Built fuzzers for normal testing
  * Avoided passing other events to callbacks when called recursively
  * Added control master and path options
  * Refactored channel_rcv_data, check for errors and report more useful errors
  * Added support to connect to other host addresses than just the first one
  * Terminated the server properly when the MaxAuthTries is reached
  * Added support for no-more-sessions@openssh.com request in both client and
    server
  * Added callback to support forwarded-tcpip requests
  * Bumped minimal CMake version to 3.12
  * Added support for MBedTLS 3.6.x
  * Added support for +,-,^ modifiers in front of algorithm lists in options
  * Added callbacks for channel open response, and channel request response
  * Replaced chroot() from chroot_wrapper internal library with chroot()
    from priv_wrapper package
  * Added a placeholder for non-expanded identities
  * Improved handling of channel transfer window sizes

libssh-0.9.8

* Fix CVE-2023-6004: Command injection using proxycommand
* Fix CVE-2023-48795: Potential downgrade attack using strict kex
* Fix CVE-2023-6918: Missing checks for return values of MD functions
* Allow @ in usernames when parsing from URI composes

libssh-0.10.6

* Fix CVE-2023-6004: Command injection using proxycommand
* Fix CVE-2023-48795: Potential downgrade attack using strict kex
* Fix CVE-2023-6918: Missing checks for return values of MD functions
* Fix ssh_send_issue_banner() for CMD(PowerShell)
* Avoid passing other events to callbacks when poll is called recursively (#202)
* Allow @ in usernames when parsing from URI composes

libssh-0.9.7

* Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
  guessing
* Fix CVE-2023-2283: a possible authorization bypass in
  pki_verify_data_signature under low-memory conditions.
* Fix several memory leaks in GSSAPI handling code
* Build and test related backports

libssh-0.10.5

* Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
  guessing
* Fix CVE-2023-2283: a possible authorization bypass in
  pki_verify_data_signature under low-memory conditions.
* Fix several memory leaks in GSSAPI handling code
* Escape braces in ProxyCommand created from ProxyJump options for zsh
  compatibility.
* Fix pkg-config path relocation for MinGW
* Improve doxygen documentation
* Fix build with cygwin due to the glob support
* Do not enqueue outgoing packets after sending SSH2_MSG_NEWKEYS
* Add support for SSH_SUPPRESS_DEPRECATED
* Avoid functions declarations without prototype to build with clang 15
* Fix spelling issues
* Avoid expanding KnownHosts, ProxyCommands and IdentityFiles
  repetitively
* Add support sk-* keys through configuration
* Improve checking for Argp library
* Log information about received extensions
* Correctly handle rekey with delayed compression
* Move the EC keys handling to OpenSSL 3.0 API
* Record peer disconnect message
* Avoid deadlock when write buffering occurs and we call poll
  recursively to flush the output buffer
* Disable preauthentication compression by default
* Add CentOS 8 Stream / OpenSSL 1.1.1 to CI
* Add accidentally removed default compile flags
* Solve incorrect parsing of ProxyCommand option

libssh-0.10.4

* Fixed issues with KDF on big endian

libssh-0.10.3

* Fixed possible infinite loop in known hosts checking

libssh-0.10.2

* Fixed tilde expansion when handling include directives
* Fixed building the shared torture library
* Made rekey test more robust (fixes running on i586 build systems e.g koji)

libssh-0.10.0

* Added support for OpenSSL 3.0
* Added support for mbedTLS 3
* Added support for Smart Cards  (through openssl pkcs11 engine)
* Added support for chacha20-poly1305@openssh.com with libgcrypt
* Added support ed25519 keys in PEM files
* Added support for sk-ecdsa and sk-ed25519 (server side)
* Added support for limiting RSA key sizes and not accepting small one by
  default
* Added support for ssh-agent on Windows
* Added ssh_userauth_publickey_auto_get_current_identity() API
* Added ssh_vlog() API
* Added ssh_send_issue_banner() API
* Added ssh_session_set_disconnect_message() API
* Added new configuration options:
  + IdentityAgent
  + ModuliFile
* Provided X11 client example
* Disabled DSA support at build time by default (will be removed in the next
  release)
* Deprecated the SCP API!
* Deprecated old pubkey, privatekey API
* Avoided some needless large stack buffers to minimize memory footprint
* Removed support for OpenSSL < 1.0.1
* Fixed parsing username@host in login name
* Free global init mutex in the destructor on Windows
* Fixed PEM parsing in mbedtls to support both legacy and new PKCS8 formats

libssh-0.9.6

* CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with
  different key exchange mechanism
* Fix several memory leaks on error paths
* Reset pending_call_state on disconnect
* Fix handshake bug with AEAD ciphers and no HMAC overlap
* Use OPENSSL_CRYPTO_LIBRARIES in CMake
* Ignore request success and failure message if they are not expected
* Support more identity files in configuration
* Avoid setting compiler flags directly in CMake
* Support build directories with special characters
* Include stdlib.h to avoid crash in Windows
* Fix sftp_new_channel constructs an invalid object
* Fix Ninja multiple rules error
* Several tests fixes

libssh-0.9.5

* CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
* Improve handling of library initialization (T222)
* Fix parsing of subsecond times in SFTP (T219)
* Make the documentation reproducible
* Remove deprecated API usage in OpenSSL
* Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
* Define version in one place (T226)
* Prevent invalid free when using different C runtimes than OpenSSL (T229)
* Compatibility improvements to testsuite

libssh-0.8.9

* Fixed CVE-2020-1730 - Possible DoS in client and server when handling
  AES-CTR keys with OpenSSL

libssh-0.9.4

* Fixed CVE-2020-1730 - Possible DoS in client and server when handling
  AES-CTR keys with OpenSSL
* Added diffie-hellman-group14-sha256
* Fixed serveral possible memory leaks

libssh-0.8.8

* Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution

libssh-0.9.3

* Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
* SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
* SSH-01-006 General: Various unchecked Null-derefs cause DOS
* SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
* SSH-01-010 SSH: Deprecated hash function in fingerprinting
* SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
* SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
* SSH-01-001 State Machine: Initial machine states should be set explicitly
* SSH-01-002 Kex: Differently bound macros used to iterate same array
* SSH-01-005 Code-Quality: Integer sign confusion during assignments
* SSH-01-008 SCP: Protocol Injection via unescaped File Names
* SSH-01-009 SSH: Update documentation which RFCs are implemented
* SSH-01-012 PKI: Information leak via uninitialized stack buffer

libssh-0.9.2

  * Fixed libssh-config.cmake
  * Fixed issues with rsa algorithm negotiation (T191)
  * Fixed detection of OpenSSL ed25519 support (T197)

libssh-0.9.1

  * Added support for Ed25519 via OpenSSL
  * Added support for X25519 via OpenSSL
  * Added support for localuser in Match keyword
  * Fixed Match keyword to be case sensitive
  * Fixed compilation with LibreSSL
  * Fixed error report of channel open (T75)
  * Fixed sftp documentation (T137)
  * Fixed known_hosts parsing (T156)
  * Fixed build issue with MinGW (T157)
  * Fixed build with gcc 9 (T164)
  * Fixed deprecation issues (T165)
  * Fixed known_hosts directory creation (T166)

libssh-0.9.0

* Added support for AES-GCM
* Added improved rekeying support
* Added performance improvements
* Disabled blowfish support by default
* Fixed several ssh config parsing issues
* Added support for DH Group Exchange KEX
* Added support for Encrypt-then-MAC mode
* Added support for parsing server side configuration file
* Added support for ECDSA/Ed25519 certificates
* Added FIPS 140-2 compatibility
* Improved known_hosts parsing
* Improved documentation
* Improved OpenSSL API usage for KEX, DH, and signatures

libssh-0.8.7

* Fixed handling extension flags in the server implementation
* Fixed exporting ed25519 private keys
* Fixed corner cases for rsa-sha2 signatures
* Fixed some issues with connector