move username validity check for usernames specified on the
commandline to earlier in main(), specifically before some
contexts where a username with shell characters might be
expanded by a %u directive in ssh_config.

We continue to recommend against using untrusted input on
the SSH commandline. Mitigations like this are not 100%
guarantees of safety because we can't control every
combination of user shell and configuration where they are
used.

Reported by Florian Kohnhäuser

correctly match ECDSA signature algorithms against algorithm
allowlists: HostKeyAlgorithms, PubkeyAcceptedAlgorithms and
HostbasedAcceptedAlgorithms.

Previously, if any ECDSA type (say "ecdsa-sha2-nistp521") was
present in one of these lists, then all ECDSA algorithms would
be permitted.

Reported by Christos Papakonstantinou of Cantina and Spearbit.

when downloading files as root in legacy (-O) mode and without the
-p (preserve modes) flag set, clear setuid/setgid bits from
downloaded files as one might expect.

AFAIK this bug dates back to the original Berkeley rcp program.

Reported by Christos Papakonstantinou of Cantina and Spearbit.

Fix possible sshd crash when sshd_config set MaxStartups to a
value <10 using the single-argument form of MaxStartups (e.g.
MaxStartups=3). This doesn't affect the three-argument form
of the directive (e.g. MaxStartups 3:20:5).

Patch from Peter Kaestle via bz3941
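
A check an administrator could run for the MaxStartups case described above, as an added example that is not code from the OpenSSH or OpenBSD tree: it lists sshd_config lines that use the single-argument form with a value below 10. The function names and the sample config are constructed for illustration, and files pulled in by Include are not followed.

```shell
# Added example: find single-argument MaxStartups values below 10.
# find_low_maxstartups and write_sample_config are hypothetical helper names.

find_low_maxstartups() {
    # $1: path to an sshd_config-style file; prints "file:line: directive"
    awk '
    {
        line = $0
        sub(/#.*/, "", line)            # drop whole-line or trailing comment
        sub(/^[ \t]+/, "", line)        # trim leading whitespace
        sub(/[ \t\r]+$/, "", line)      # trim trailing whitespace
        if (!match(line, /^[A-Za-z]+/)) next
        key = tolower(substr(line, 1, RLENGTH))   # keywords are case-insensitive
        if (key != "maxstartups") next
        arg = substr(line, RLENGTH + 1)
        if (arg !~ /^[ \t=]/) next      # need whitespace or "=" after the keyword
        sub(/^[ \t]*=?[ \t]*/, "", arg) # separator: whitespace and/or one "="
        gsub(/"/, "", arg)              # arguments may be quoted
        # Single-argument form is a bare integer; start:rate:full has colons.
        if (arg ~ /^[0-9]+$/ && arg + 0 < 10)
            printf "%s:%d: %s\n", FILENAME, NR, line
    }' "$1"
}

# Constructed sample input, not taken from any real host.
write_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed)
Port 22
MaxStartups=3
maxstartups 3:20:5
  MaxStartups   9   # trailing comment
MaxStartups 10
#MaxStartups 2
EOF
}

# Demo run on the constructed sample: lines 3 and 5 are reported.
sample=$(mktemp)
write_sample_config "$sample"
find_low_maxstartups "$sample"
rm -f "$sample"
```

On a real host, call `find_low_maxstartups /etc/ssh/sshd_config` and repeat for any included files.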

Mark cataclysm-dda BROKEN-sparc64
/usr/obj/ports/cataclysm-dda-0.H-no_x11/Cataclysm-DDA-0.H-RELEASE/src/third-party/flatbuffers_int/util.h:267:12: error: 'strtoll_l' was not declared in this scope; did you mean 'strcoll_l'?
267 | *val = __strtoll_impl(str, endptr, base);
| ^~~~~~~~~~~~~~
'strtoull_l' 'strtod_l' 'strtof_l' all also not declared in scope

Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.

Independently found by Dirk Loss and Daniel Polak (SYS.nl)

from tobhe@; ok and discussed with markus@ stsp@

Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.

Reported by Dirk Loss

from tobhe@; ok markus@

iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid

Found by Dirk Loss

from tobhe@; ok markus@ hshoexer@

[11 lines not shown]