Dropbear 2018.76

Konstantin Tokarev annulen at yandex.ru
Tue Feb 27 23:28:37 AWST 2018



27.02.2018, 17:54, "Matt Johnston" <matt at ucc.asn.au>:
> Hi all,
>
> Dropbear 2018.76 is released. As well as the usual
> improvements and bugfixes this release simplifies
> local configuration options.
> You will probably need to adjust your build configuration.
>
> Rather than modifying options.h, local options are now
> placed in localoptions.h where they will override defaults.
> The header file default_options.h lists the available
> options similar to the old options.h - it should be left
> unmodified.
>
> There are a few other deprecations/changes to take note of.
>
> Cheers,
> Matt
>
> https://matt.ucc.asn.au/dropbear/dropbear.html
> https://dropbear.nl/mirror/dropbear.html
>
> 2018.76 - 27 February 2018
>
> = = = Configuration/compatibility changes
>   IMPORTANT
>   Custom configuration is now specified in local_options.h rather than options.h
>   Available options and defaults can be seen in default_options.h
>
>   To migrate your configuration, compare your customised options.h against the
>   upstream options.h from your relevant version. Any customised options should
>   be put in localoptions.h
>
> - "configure --enable-static" should now be used instead of "make STATIC=1"
>   This will avoid 'hardened build' flags that conflict with static binaries
>
> - Set 'hardened build' flags by default if supported by the compiler.
>   These can be disabled with configure --disable-harden if needed.
>   -Wl,-pie
>   -Wl,-z,now -Wl,-z,relro
>   -fstack-protector-strong
>   -D_FORTIFY_SOURCE=2
>   # spectre v2 mitigation
>   -mfunction-return=thunk
>   -mindirect-branch=thunk
>
>   Spectre patch from Loganaden Velvindron
>
> - "dropbear -r" option for hostkeys no longer attempts to load the default
>   hostkey paths as well. If desired these can be specified manually.
>   Patch from CamVan Nguyen
>
> - group1-sha1 key exchange is disabled in the server by default since
>   the fixed 1024-bit group may be susceptible to attacks
>
> - twofish ciphers are now disabled in the default configuration
>
> - Default generated ECDSA key size is now 256 (rather than 521)
>   for better interoperability
>
> - Minimum RSA key length has been increased to 1024 bits
>
> = = = Other features and fixes
>
> - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
>
> - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
>   See dbclient manpage for a socat example. Patch from Harald Becker

Wouldn't it be better to support -o ProxyUseFdPass like in OpenSSH?

>
> - Add "-c forced_command" option. Patch from Jeremy Kerr
>
> - Restricted group -G option added with patch from stellarpower
>
> - Support server-chosen TCP forwarding ports, patch from houseofkodai
>
> - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
>   Patch from houseofkodai
>
> - Makefile will now rebuild object files when header files are modified
>
> - Add group14-256 and group16 key exchange options
>
> - curve25519-sha256 also supported without @libssh.org suffix
>
> - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
>   This fixes building with some recent versions of clang
>
> - Set PAM_RHOST which is needed by modules such as pam_abl
>
> - Improvements to DSS and RSA public key validation, found by OSS-Fuzz.
>
> - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz
>
> - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
>
> - Numerous code cleanups and small issues fixed by Francois Perrad
>
> - Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl
>   platforms. Reported by Oliver Schneider and Andrew Bainbridge
>
> - Fix some platform portability problems, from Ben Gardner
>
> - Add EXEEXT filename suffix for building dropbearmulti, from William Foster
>
> - Support --enable-<option> properly for configure, from Stefan Hauser
>
> - configure have_openpty result can be cached, from Eric Bénard
>
> - handle platforms that return close() < -1 on failure, from Marco Wenzel
>
> - Build and configuration cleanups from Michael Witten
>
> - Fix libtomcrypt/libtommath linking order, from Andre McCurdy
>
> - Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC
>
> - Update curve25519-donna implementation to current version

-- 
Regards,
Konstantin
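
The "hardened build" flags listed in the quoted changelog (-Wl,-pie, -Wl,-z,now -Wl,-z,relro, -fstack-protector-strong, -D_FORTIFY_SOURCE=2) each leave a marker in the resulting ELF binary, so whether a given build actually got them can be checked after the fact. The script below is an added example, not part of the announcement, of this reply, or of the Dropbear project: it takes the output of `readelf -h -l -d` and `nm -D` for a binary and reports which of those markers are present. The readelf/nm text embedded in it is constructed sample output so the script runs offline; the binary path `./dropbear` in the usage comment is only an assumption.

```shell
#!/bin/sh
# Added example (not from the Dropbear announcement or project): verify that
# a binary carries the ELF markers the 'hardened build' flags should produce.
# Real usage (path is an assumption):
#   check_hardening "$(readelf -h -l -d ./dropbear)" "$(nm -D ./dropbear)"

# check_hardening ELF_INFO SYMBOLS
#   $1: output of `readelf -h -l -d <binary>`
#   $2: output of `nm -D <binary>` (dynamic symbol table)
# Prints one line per property; returns 0 only if every marker is present.
check_hardening() {
    rc=0

    # -Wl,-pie: a PIE executable has ELF type DYN rather than EXEC
    if printf '%s\n' "$1" | grep -q 'Type:.*DYN'; then
        echo "PIE:             yes"
    else
        echo "PIE:             NO"; rc=1
    fi

    # -Wl,-z,relro: the linker emits a GNU_RELRO program header
    if printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo "RELRO:           yes"
    else
        echo "RELRO:           NO"; rc=1
    fi

    # -Wl,-z,now: dynamic section carries BIND_NOW (DT_FLAGS) or NOW (DT_FLAGS_1)
    if printf '%s\n' "$1" | grep -Eq '\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo "BIND_NOW:        yes"
    else
        echo "BIND_NOW:        NO"; rc=1
    fi

    # -fstack-protector-strong: protected functions reference __stack_chk_fail
    if printf '%s\n' "$2" | grep -q '__stack_chk_fail'; then
        echo "Stack protector: yes"
    else
        echo "Stack protector: NO"; rc=1
    fi

    # -D_FORTIFY_SOURCE=2: fortified libc calls show up as __*_chk imports
    # (the (@|$) anchor keeps __stack_chk_fail from matching here)
    if printf '%s\n' "$2" | grep -Eq '__[a-z]+_chk(@|$)'; then
        echo "FORTIFY_SOURCE:  yes"
    else
        echo "FORTIFY_SOURCE:  NO"; rc=1
    fi

    return $rc
}

# CONSTRUCTED sample output for a binary built with all the flags.
HARDENED_ELF='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset             VirtAddr
  LOAD           0x0000000000000000 0x0000000000000000
  GNU_RELRO      0x000000000002fd20 0x0000000000030d20
Dynamic section at offset 0x30d30 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
HARDENED_SYMS='                 U __memcpy_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U __printf_chk@GLIBC_2.3.4
                 U close@GLIBC_2.2.5'

# CONSTRUCTED sample output for a plain (non-hardened) build.
PLAIN_ELF='ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset             VirtAddr
  LOAD           0x0000000000000000 0x0000000000400000
Dynamic section at offset 0x1e28 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
PLAIN_SYMS='                 U memcpy@GLIBC_2.14
                 U printf@GLIBC_2.2.5
                 U close@GLIBC_2.2.5'

echo "== constructed hardened sample =="
check_hardening "$HARDENED_ELF" "$HARDENED_SYMS" || echo "-> some flags missing"
echo "== constructed plain sample =="
check_hardening "$PLAIN_ELF" "$PLAIN_SYMS" || echo "-> some flags missing"
```

The two Spectre flags (-mfunction-return=thunk, -mindirect-branch=thunk) leave no dynamic-section marker; they are visible instead as local thunk symbols (`__x86_indirect_thunk_*`, `__x86_return_thunk`) in plain `nm` output or in a disassembly, so they need a separate check. The same script can be pointed at a binary from "configure --enable-static" to confirm that the PIE and BIND_NOW markers are indeed absent there, which is why the changelog says the static build must skip the hardening flags.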
