April 23rd, 2012
Features:
· ssh-keygen(1): Add optional checkpoints for moduli screening
· ssh-add(1): new -k option to load plain keys (skipping certificates)
· sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
· ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request cancellation of the specified forwardings
· support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
· ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
· ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
· scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. Saves breakage on some difficult-to-upgrade embedded/router platforms
· ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
· ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
· ssh(1): skip attempting to create ~/.ssh when -F is passed
· sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
· sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
· sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
· Fixed a number of memory and file descriptor leaks
Portable OpenSSH:
· Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental)
· Fix compilation problems on FreeBSD, where libutil contained openpty() but not login().
· ssh-keygen(1): don't fail in -A on platforms that don't support ECC
· Add optional support for LDNS, a BSD licensed DNS resolver library which supports DNSSEC
· Relax OpenSSL version check to allow running OpenSSH binaries on systems with OpenSSL libraries with a newer "fix" or "patch" level than the binaries were originally compiled on (previous check only allowed movement within "patch" releases). bz#1991
· Fix builds using contributed Redhat spec file. bz#1992
February 4th, 2011
· Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.