upstream: when checking that filenames sent by the server side
match what the client requested, be prepared to handle shell-style brace
alternations, e.g. "{foo,bar}".
"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@
OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
Discussed with: des
| remote->local directory copies satisfy the wildcard specified by the user.
|
| This checking provides some protection against a malicious server
| sending unexpected filenames, but it comes at a risk of rejecting wanted
| files due to differences between client and server wildcard expansion rules.
|
| For this reason, this also adds a new -T flag to disable the check.
|
| reported by Harry Sintonen
| fix approach suggested by markus@;
| has been in snaps for ~1wk courtesy deraadt@
|
| OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
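As an added illustration (not code from OpenSSH or from these commits), a client-side check of the kind the two messages above describe, in Python: brace alternations in the pattern the user asked for are expanded first, then each filename the server sends is matched against the alternatives, with `check=False` standing in for the -T flag. The basename restriction is an assumption added here, and Python's fnmatch has its own rules, which is exactly the client/server mismatch the commit message warns about.

```python
import fnmatch

def expand_braces(pattern):
    """Expand shell-style brace alternations: "{foo,bar}.c" -> ["foo.c", "bar.c"].
    Nested groups are expanded; "{x}" with no comma and an unmatched "{" stay literal."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth = 0
    for end in range(start, len(pattern)):
        if pattern[end] == "{":
            depth += 1
        elif pattern[end] == "}":
            depth -= 1
            if depth == 0:
                break
    else:
        return [pattern]                      # unmatched "{": treat literally
    body, head, tail = pattern[start + 1:end], pattern[:start], pattern[end + 1:]
    alts, cur, depth = [], "", 0              # split body on top-level commas only
    for c in body:
        depth += (c == "{") - (c == "}")
        if c == "," and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += c
    alts.append(cur)
    if len(alts) == 1:                        # "{foo}" is not an alternation
        return [head + "{" + body + "}" + t for t in expand_braces(tail)]
    out = []
    for alt in alts:
        out.extend(expand_braces(head + alt + tail))
    return out

def server_name_is_wanted(requested, name, check=True):
    """Client-side check on a filename the server sends during a remote->local
    copy. check=False mirrors the -T flag (accept whatever the server sends)."""
    if not check:
        return True
    # Assumption (not from the commit text): the server must send a bare
    # basename; anything with a path separator or "." / ".." is refused.
    if not name or "/" in name or name in (".", ".."):
        return False
    return any(fnmatch.fnmatchcase(name, alt) for alt in expand_braces(requested))
```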
Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x
48f54b9d12 adapt -portable to OpenSSL 1.1x API
86e0a9f3d2 upstream: use only openssl-1.1.x API here too
a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.
Trivial conflicts in sshkey.c and test_sshkey.c were resolved.
Discussed with: des
add a whitelist of paths from which ssh-agent will load (via
ssh-pkcs11-helper) a PKCS#11 module; ok markus@
disable Unix-domain socket forwarding when privsep is disabled
(Note that this is a backport of upstream fixes, and this commit
is mainly to ease future imports).
Obtained from: OpenBSD
Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn
Obtained from: OpenBSD
- djm@cvs.openbsd.org 2012/04/11 13:34:17
[ssh-keyscan.1 ssh-keyscan.c]
now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
look for them by default; bz#1971
Approved by: des