Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
security/dropbear: update to 2022.83
Features and Changes: Note >> for compatibility/configuration changes - >> Disable DROPBEAR_DSS by default It is only 1024 bit and uses sha1, most distros disable it by default already. - Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures. >> RSA with sha1 will be disabled in a future release (rsa keys will continue to work OK, with sha256 signatures used instead). - Add option for requiring both password and pubkey (-t) Patch from Jackkal - Add 'no-touch-required' and 'verify-required' options for sk keys Patch from Egor Duda - >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA and DROPBEAR_SK_ED25519 options. - Add 'permitopen' option for authorized_keys to restrict forwarded ports Patch from Tuomas Haikarainen - >> Added LTM_CFLAGS configure argument to set flags for building bundled libtommath. This also restores the previous arguments used in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA key generation, which regressed in 2022.82. There is a tradeoff with code size, so -Os can be used if required. mkj/dropbear#174 Reported by David Bernard - Add '-z' flag to disable setting QoS traffic class. This may be necessary to work with broken networks or network drivers, exposed after changes to use AF21 in 2022.82 mkj/dropbear#193 Reported by yuhongwei380, patch from Petr Štetiar - Allow overriding user shells with COMPAT_USER_SHELLS Based on a patch from Matt Robinson - Improve permission error message Patch from k-kurematsu - >> Remove HMAC_MD5 entirely Regression fixes from 2022.82: - Fix X11 build - Fix build warning - Fix compilation when disabling pubkey authentication Patch from MaxMougg - Fix MAX_UNAUTH_CLIENTS regression Reported by ptpt52 - Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled mkj/dropbear#174 Suggested by Steffen Jaeckel - Fix Dropbear plugin support mkj/dropbear#194 Reported by Struan Bartlett Other fixes: - Fix long standing incorrect compression size check. Dropbear (client or server) would erroneously exit with "bad packet, oversized decompressed" when receiving a compressed packet of exactly the maximum size. - Fix missing setsid() removed in 2020.79 mkj/dropbear#180 Reported and debugged by m5jt and David Bernard - Try keyboard-interactive auth before password, in dbclient. This was unintentionally changed back in 2013 mkj/dropbear#190 Patch from Michele Giacomoli - Drain the terminal when reading the fingerprint confirmation response mkj/dropbear#191 Patch from Michele Giacomoli - Fix utx wtmp variable typo. This has been wrong for a long time but only recently became a problem when wtmp was detected. mkj/dropbear#189 Patch from Michele Giacomoli - Improve configure test for hardening options. Fixes building on AIX mkj/dropbear#158 - Fix debian/dropbear.init newline From wulei-student Infrastructure: - Test off-by-default compile options - Set -Wundef to catch typos in #if statements
- Loading branch information