1.9 Release notes

RELEASE-NOTES

@@ -1,29 +1,44 @@
-libssh2 1.8.1
+libssh2 1.9.0
 
-This release includes the following bugfixes:
+This release includes the following enhancements and bugfixes:
+ 
+ o adds ECDSA keys and host key support when using OpenSSL
+ o adds ED25519 key and host key support when using OpenSSL 1.1.1
+ o adds OpenSSH style key file reading
+ o adds AES CTR mode support when using WinCNG
+ o adds PEM passphrase protected file support for Libgcrypt and WinCNG
+ o adds SHA256 hostkey fingerprint
+ o adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
+ o adds explicit zeroing of sensitive data in memory
+ o adds additional bounds checks to network buffer reads
+ o added the ability to use the server default permissions when creating sftp directories
+ o adds support for building with OpenSSL no engine flag
+ o adds support for building with LibreSSL
+ o increased sftp packet size to 256k
+ o fixed oversized packet handling in sftp
+ o fixed building with OpenSSL 1.1
+ o fixed a possible crash if sftp stat gets an unexpected response
+ o fixed incorrect parsing of the KEX preference string value
+ o fixed conditional RSA and AES-CTR support
+ o fixed a small memory leak during the key exchange process
+ o fixed a possible memory leak of the ssh banner string
+ o fixed various small memory leaks in the backends
+ o fixed possible out of bounds read when parsing public keys from the server
+ o fixed possible out of bounds read when parsing invalid PEM files
+ o no longer null terminates the scp remote exec command
+ o now handle errors when diffie hellman key pair generation fails
+ o fixed compiling on Windows with the flag STDCALL=ON
+ o improved building instructions
+ o improved unit tests
  
- o fixed possible integer overflow when reading a specially crafted packet 
-   (https://www.libssh2.org/CVE-2019-3855.html)
- o fixed possible integer overflow in userauth_keyboard_interactive with a 
-   number of extremely long prompt strings 
-   (https://www.libssh2.org/CVE-2019-3863.html)
- o fixed possible integer overflow if the server sent an extremely large number 
-   of keyboard prompts (https://www.libssh2.org/CVE-2019-3856.html)
- o fixed possible out of bounds read when processing a specially crafted packet 
-   (https://www.libssh2.org/CVE-2019-3861.html)
- o fixed possible integer overflow when receiving a specially crafted exit 
-   signal message channel packet (https://www.libssh2.org/CVE-2019-3857.html)
- o fixed possible out of bounds read when receiving a specially crafted exit 
-   status message channel packet (https://www.libssh2.org/CVE-2019-3862.html)
- o fixed possible zero byte allocation when reading a specially crafted SFTP 
-   packet (https://www.libssh2.org/CVE-2019-3858.html)
- o fixed possible out of bounds reads when processing specially crafted SFTP 
-   packets (https://www.libssh2.org/CVE-2019-3860.html)
- o fixed possible out of bounds reads in _libssh2_packet_require(v) 
-   (https://www.libssh2.org/CVE-2019-3859.html)
-
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Chris Coulson, Michael Buckley, Will Cosgrove, Daniel Stenberg
-  (4 contributors)
+  Peter Surge, Will Cosgrove, Daniel Stenberg, Alex Arslan, Alex Crichton, 
+  Thomas Bleeker, Keno Fischer, Marc Hörsken, Marcel Raad, Viktor Szakats,
+  Kamil Dudka, Panos, Etienne Samson, Tseng Jun, Brendan Shanks, doublex,
+  Erik B, Jakob Egger, Thomas Lochmatter, alex-weaver, Adrian Moran, Zenju,
+  gartens, Matthew D. Fuller, Ryan Kelley, Zhen-Huan HWANG, Orivej Desh, 
+  Alexander Curtiss
+  
+  (29 contributors)