Skip to content

Tags

Tags give the ability to mark specific points in history as being important
  • libssh-0.11.0
    libssh-0.11.0
    
    * Deprecations and Removals:
      * Dropped support for DSA
      * Deprecated Blowfish cipher (will be removed in next release)
      * Deprecated SSH_BIND_OPTIONS_{RSA,ECDSA}KEY in favor of generic HOSTKEY
      * Removed the usage of deprecated OpenSSL APIs (Note: Minimum supported
        OpenSSL version is 1.1.1)
      * Disabled preauth compression (zlib) by default
      * Support for pkcs#11 engines are deprecated, pkcs11-provider is used instead
      * Deprecation of old async SFTP API
      * libgcrypt cryptographic backend is deprecated
      * Deprecation of knownhosts hashing
    * SFTP Improvements:
      * Added support for async SFTP IO
      * Added support for sftp_limits() and applied capping to SFTP read/write
        operations accordingly
      * Added sftp_home_directory() API support for sftp extension "home-directory"
      * Added sftp_lsetstat() API for lsetstat extensions
      * Added sftp_expand_path() to canonicalize path using expand-path@openssh.com
        extension
      * Implemented stat and realpath in sftpserver
      * Added sftp_readlink() API to support hardlink@openssh.com
      * New extensible callback based SFTP server
      * Introduced the posix-rename@openssh.com extension
    * New functions and features:
      * Added support for PKCS #11 provider for OpenSSL 3.0
      * Added testing for GSSAPI Authentication
      * Implemented proxy jump using libssh
      * Recategorized loglevels to show fatal errors and alignment with OpenSSH
        log levels
      * Added ssh_channel_request_pty_size_modes() API to set terminal modes for
        PTYs
      * Added function to check username syntax
      * Added support to check all keys in authorized_keys instead of one in
        example server implementation
      * Handled hostkey similar to OpenSSH
      * Added ssh_session_socket_close() API in order to not close socket passed
        through options on error conditions
      * Added option SSH_BIND_OPTIONS_IMPORT_KEY_STR to read user-supplied key
        string in ssh_bind_options_set()
      * Improved log handling around ssh_set_callbacks
      * Added ssh_set_error_invalid in ssh_options_set()
      * Prevented signature blob to start with 1 bit in libgcrypt
      * Added support to unbreak key comparison of Ed25519 keys imported from PEM
        or OpenSSH container
      * Added support to calculate missing CRT parameters when building RSA key
      * Added ssh_pki_export_privkey_base64_format() and
        ssh_pki_export_privkey_file_format() to support exporting keys in different
        formats (PEM, OpenSSH)
      * Added support to compare certificates and handle automatic certificate
        authentication
      * Added support to make compile-commands generation conditional
      * Built fuzzers for normal testing
      * Avoided passing other events to callbacks when called recursively
      * Added control master and path options
      * Refactored channel_rcv_data, check for errors and report more useful errors
      * Added support to connect to other host addresses than just the first one
      * Terminated the server properly when the MaxAuthTries is reached
      * Added support for no-more-sessions@openssh.com request in both client and
        server
      * Added callback to support forwarded-tcpip requests
      * Bumped minimal CMake version to 3.12
      * Added support for MBedTLS 3.6.x
      * Added support for +,-,^ modifiers in front of algorithm lists in options
      * Added callbacks for channel open response, and channel request response
      * Replaced chroot() from chroot_wrapper internal library with chroot()
        from priv_wrapper package
      * Added a placeholder for non-expanded identities
      * Improved handling of channel transfer window sizes
    
  • libssh-0.9.8
    d18bd233 · Bump version to 0.9.8 ·
    libssh-0.9.8
    
    * Fix CVE-2023-6004: Command injection using proxycommand
    * Fix CVE-2023-48795: Potential downgrade attack using strict kex
    * Fix CVE-2023-6918: Missing checks for return values of MD functions
    * Allow @ in usernames when parsing from URI composes
    
  • libssh-0.10.6
    10e09e27 · Bump version to 0.10.6 ·
    libssh-0.10.6
    
    * Fix CVE-2023-6004: Command injection using proxycommand
    * Fix CVE-2023-48795: Potential downgrade attack using strict kex
    * Fix CVE-2023-6918: Missing checks for return values of MD functions
    * Fix ssh_send_issue_banner() for CMD(PowerShell)
    * Avoid passing other events to callbacks when poll is called recursively (#202)
    * Allow @ in usernames when parsing from URI composes
    
  • libssh-0.9.7
    70fef935 · Bump version to 0.9.7 ·
    libssh-0.9.7
    
    * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
      guessing
    * Fix CVE-2023-2283: a possible authorization bypass in
      pki_verify_data_signature under low-memory conditions.
    * Fix several memory leaks in GSSAPI handling code
    * Build and test related backports
    
  • libssh-0.10.5
    479eca13 · Bump version to 0.10.5 ·
    libssh-0.10.5
    
    * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
      guessing
    * Fix CVE-2023-2283: a possible authorization bypass in
      pki_verify_data_signature under low-memory conditions.
    * Fix several memory leaks in GSSAPI handling code
    * Escape braces in ProxyCommand created from ProxyJump options for zsh
      compatibility.
    * Fix pkg-config path relocation for MinGW
    * Improve doxygen documentation
    * Fix build with cygwin due to the glob support
    * Do not enqueue outgoing packets after sending SSH2_MSG_NEWKEYS
    * Add support for SSH_SUPPRESS_DEPRECATED
    * Avoid functions declarations without prototype to build with clang 15
    * Fix spelling issues
    * Avoid expanding KnownHosts, ProxyCommands and IdentityFiles
      repetitively
    * Add support sk-* keys through configuration
    * Improve checking for Argp library
    * Log information about received extensions
    * Correctly handle rekey with delayed compression
    * Move the EC keys handling to OpenSSL 3.0 API
    * Record peer disconnect message
    * Avoid deadlock when write buffering occurs and we call poll
      recursively to flush the output buffer
    * Disable preauthentication compression by default
    * Add CentOS 8 Stream / OpenSSL 1.1.1 to CI
    * Add accidentally removed default compile flags
    * Solve incorrect parsing of ProxyCommand option
    
  • libssh-0.10.4
    e8322817 · Bump version to 0.10.4 ·
    libssh-0.10.4
    
    * Fixed issues with KDF on big endian
    
  • libssh-0.10.3
    783f2b97 · Bump version to 0.10.3 ·
    libssh-0.10.3
    
    * Fixed possible infinite loop in known hosts checking
    
  • libssh-0.10.2
    ddea657b · Bump version to 0.10.2 ·
    libssh-0.10.2
    
    * Fixed tilde expansion when handling include directives
    * Fixed building the shared torture library
    * Made rekey test more robust (fixes running on i586 build systems e.g koji)
    
  • libssh-0.10.0
    libssh-0.10.0
    
    * Added support for OpenSSL 3.0
    * Added support for mbedTLS 3
    * Added support for Smart Cards  (through openssl pkcs11 engine)
    * Added support for chacha20-poly1305@openssh.com with libgcrypt
    * Added support ed25519 keys in PEM files
    * Added support for sk-ecdsa and sk-ed25519 (server side)
    * Added support for limiting RSA key sizes and not accepting small one by
      default
    * Added support for ssh-agent on Windows
    * Added ssh_userauth_publickey_auto_get_current_identity() API
    * Added ssh_vlog() API
    * Added ssh_send_issue_banner() API
    * Added ssh_session_set_disconnect_message() API
    * Added new configuration options:
      + IdentityAgent
      + ModuliFile
    * Provided X11 client example
    * Disabled DSA support at build time by default (will be removed in the next
      release)
    * Deprecated the SCP API!
    * Deprecated old pubkey, privatekey API
    * Avoided some needless large stack buffers to minimize memory footprint
    * Removed support for OpenSSL < 1.0.1
    * Fixed parsing username@host in login name
    * Free global init mutex in the destructor on Windows
    * Fixed PEM parsing in mbedtls to support both legacy and new PKCS8 formats
    
  • libssh-0.9.6
    da6d026c · Relase 0.9.6 ·
    libssh-0.9.6
    
    * CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with
      different key exchange mechanism
    * Fix several memory leaks on error paths
    * Reset pending_call_state on disconnect
    * Fix handshake bug with AEAD ciphers and no HMAC overlap
    * Use OPENSSL_CRYPTO_LIBRARIES in CMake
    * Ignore request success and failure message if they are not expected
    * Support more identity files in configuration
    * Avoid setting compiler flags directly in CMake
    * Support build directories with special characters
    * Include stdlib.h to avoid crash in Windows
    * Fix sftp_new_channel constructs an invalid object
    * Fix Ninja multiple rules error
    * Several tests fixes
    
  • libssh-0.9.5
    0cceefd4 · Bump version to 0.9.5 ·
    libssh-0.9.5
    
    * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
    * Improve handling of library initialization (T222)
    * Fix parsing of subsecond times in SFTP (T219)
    * Make the documentation reproducible
    * Remove deprecated API usage in OpenSSL
    * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
    * Define version in one place (T226)
    * Prevent invalid free when using different C runtimes than OpenSSL (T229)
    * Compatibility improvements to testsuite
    
  • libssh-0.8.9
    04685a74 · Bump version to 0.8.9 ·
    libssh-0.8.9
    
    * Fixed CVE-2020-1730 - Possible DoS in client and server when handling
      AES-CTR keys with OpenSSL
    
  • libssh-0.9.4
    9e9df612 · Bump version to 0.9.4 ·
    libssh-0.9.4
    
    * Fixed CVE-2020-1730 - Possible DoS in client and server when handling
      AES-CTR keys with OpenSSL
    * Added diffie-hellman-group14-sha256
    * Fixed serveral possible memory leaks
    
  • libssh-0.8.8
    78503072 · Bump version to 0.8.8 ·
    libssh-0.8.8
    
    * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
    
  • libssh-0.9.3
    64ce53fd · Bump version to 0.9.3 ·
    libssh-0.9.3
    
    * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
    * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
    * SSH-01-006 General: Various unchecked Null-derefs cause DOS
    * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
    * SSH-01-010 SSH: Deprecated hash function in fingerprinting
    * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
    * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
    * SSH-01-001 State Machine: Initial machine states should be set explicitly
    * SSH-01-002 Kex: Differently bound macros used to iterate same array
    * SSH-01-005 Code-Quality: Integer sign confusion during assignments
    * SSH-01-008 SCP: Protocol Injection via unescaped File Names
    * SSH-01-009 SSH: Update documentation which RFCs are implemented
    * SSH-01-012 PKI: Information leak via uninitialized stack buffer
    
  • libssh-0.9.2
    libssh-0.9.2
    
      * Fixed libssh-config.cmake
      * Fixed issues with rsa algorithm negotiation (T191)
      * Fixed detection of OpenSSL ed25519 support (T197)
    
  • libssh-0.9.1
    libssh-0.9.1
    
      * Added support for Ed25519 via OpenSSL
      * Added support for X25519 via OpenSSL
      * Added support for localuser in Match keyword
      * Fixed Match keyword to be case sensitive
      * Fixed compilation with LibreSSL
      * Fixed error report of channel open (T75)
      * Fixed sftp documentation (T137)
      * Fixed known_hosts parsing (T156)
      * Fixed build issue with MinGW (T157)
      * Fixed build with gcc 9 (T164)
      * Fixed deprecation issues (T165)
      * Fixed known_hosts directory creation (T166)
    
  • libssh-0.9.0
    79900e52 · Bump version to 0.9.0 ·
    libssh-0.9.0
    
    * Added support for AES-GCM
    * Added improved rekeying support
    * Added performance improvements
    * Disabled blowfish support by default
    * Fixed several ssh config parsing issues
    * Added support for DH Group Exchange KEX
    * Added support for Encrypt-then-MAC mode
    * Added support for parsing server side configuration file
    * Added support for ECDSA/Ed25519 certificates
    * Added FIPS 140-2 compatibility
    * Improved known_hosts parsing
    * Improved documentation
    * Improved OpenSSL API usage for KEX, DH, and signatures
    
  • libssh-0.8.7
    52986115 · Bump version to 0.8.7 ·
    libssh-0.8.7
    
    * Fixed handling extension flags in the server implementation
    * Fixed exporting ed25519 private keys
    * Fixed corner cases for rsa-sha2 signatures
    * Fixed some issues with connector
    
  • libssh-0.8.6
    68fc17ca · Bump version to 0.8.6 ·
    libssh-0.8.6
    
    * Fixed compilation issues with different OpenSSL versions
    * Fixed StrictHostKeyChecking in new knownhosts API
    * Fixed ssh_send_keepalive() with packet filter
    * Fixed possible crash with knownhosts options
    * Fixed issus with rekeying
    * Fixed strong ECDSA keys
    * Fixed some issues with rsa-sha2 extentions
    * Fixed access violation in ssh_init() (static linking)
    * Fixed ssh_channel_close() handling