fix ineffective max file size check when loading blobs/keys from
files and add another one on a patch that was not covered by the
existing ones. From Tess Gauthier via bz3969 and bz3970
move documentation of the Include directive to near the start of
the options list, alongside that for Match and Host which are similar
insofar as they all affect configuration parsing rather than altering
the configuration directly. from xspielinbox via bz3968
Make pane scrollbars able to auto-hide after a short timeout. This
replaces the previous "modal" behaviour where the pane would be resized,
which tended to make a mess. Instead, the scrollbar appears when
scrolling or when hovered over with the mouse and disappears a
(configurable) short period later. From Michael Grant.
don't print an error message when trying to load a host private key
when PKCS#11 keys are in use, as these don't need the private half
on the filesystem. GHPR664 from Ingo Franzki
make ssh-add open it's connection to the agent after it has
finished getopt() processing and not before. This allows the -v
flag to work properly.
ok jca@
Fix bounds checking when signing messages of length greater than will
fit in a size_t.
In OpenSSH, messages sizes are bounded by SSHBUF_SIZE_MAX so this was
unreachable.
From Swival scanner.
avoid situation where sftp_download() could get stuck in a loop if
a broken server repeatedly returned zero length while reading a file.
Identified by Swival scanner
restrict IMSG_CTL_PROCFD to parent and check process id/instance
IMSG_CTL_PROCFD messages contain a destination process id and instance
number that were used to index internal arrays before being checked.
A child sending bad imsgs could cause out-of-bounds reads or
writes.
Check for a missing fd, a bad process id, or an out-of-range instance
before any array is indexed. Also reject IMSG_CTL_PROCFD that does not
come from the parent.
from Andrew Griffiths, diff by martijn@ and myself, ok martijn@
Switch the default TLS cipher set from "compat" to "secure"
The "secure" keyword only allows TLSv1.3 and the TLSv1.2 AEAD ciphers
that have forward secrecy (ECDHE/DHE). See tls_config_set_ciphers(3)
for details. This is stricter than "HIGH:!aNULL" and drops older
ciphers without AEAD or forward secrecy.
Also update the ciphers text in httpd.conf.5 with the clearer wording
from smtpd.conf.5.
Old peers that need these older ciphers may no longer connect.
idea from Mischa, ok kirill@ ok tb@
Switch the default TLS cipher set from "HIGH:!aNULL" to "secure"
The "secure" keyword only allows TLSv1.3 and the TLSv1.2 AEAD ciphers
that have forward secrecy (ECDHE/DHE). See tls_config_set_ciphers(3)
for details. This is stricter than "HIGH:!aNULL" and drops older
ciphers without AEAD or forward secrecy.
Also update the ciphers text in relayd.conf.5 with the clearer wording
from smtpd.conf.5.
Old peers that need these older ciphers may no longer connect.
idea from Mischa, ok kirill@ ok tb@
Revert the -fno-omit-frame-pointer change (including the clang only
-mno-omit-leaf-frame-pointer). Committed by accident.
Noticed because of commit from miod@
