diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 6c2d7de..d4f323f 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,29 +1,44 @@ -libssh2 1.8.1 +libssh2 1.9.0 -This release includes the following bugfixes: +This release includes the following enhancements and bugfixes: + + o adds ECDSA keys and host key support when using OpenSSL + o adds ED25519 key and host key support when using OpenSSL 1.1.1 + o adds OpenSSH style key file reading + o adds AES CTR mode support when using WinCNG + o adds PEM passphrase protected file support for Libgcrypt and WinCNG + o adds SHA256 hostkey fingerprint + o adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() + o adds explicit zeroing of sensitive data in memory + o adds additional bounds checks to network buffer reads + o added the ability to use the server default permissions when creating sftp directories + o adds support for building with OpenSSL no engine flag + o adds support for building with LibreSSL + o increased sftp packet size to 256k + o fixed oversized packet handling in sftp + o fixed building with OpenSSL 1.1 + o fixed a possible crash if sftp stat gets an unexpected response + o fixed incorrect parsing of the KEX preference string value + o fixed conditional RSA and AES-CTR support + o fixed a small memory leak during the key exchange process + o fixed a possible memory leak of the ssh banner string + o fixed various small memory leaks in the backends + o fixed possible out of bounds read when parsing public keys from the server + o fixed possible out of bounds read when parsing invalid PEM files + o no longer null terminates the scp remote exec command + o now handle errors when diffie hellman key pair generation fails + o fixed compiling on Windows with the flag STDCALL=ON + o improved building instructions + o improved unit tests - o fixed possible integer overflow when reading a specially crafted packet - (https://www.libssh2.org/CVE-2019-3855.html) - o fixed possible integer overflow in userauth_keyboard_interactive with a - number of extremely long prompt strings - (https://www.libssh2.org/CVE-2019-3863.html) - o fixed possible integer overflow if the server sent an extremely large number - of keyboard prompts (https://www.libssh2.org/CVE-2019-3856.html) - o fixed possible out of bounds read when processing a specially crafted packet - (https://www.libssh2.org/CVE-2019-3861.html) - o fixed possible integer overflow when receiving a specially crafted exit - signal message channel packet (https://www.libssh2.org/CVE-2019-3857.html) - o fixed possible out of bounds read when receiving a specially crafted exit - status message channel packet (https://www.libssh2.org/CVE-2019-3862.html) - o fixed possible zero byte allocation when reading a specially crafted SFTP - packet (https://www.libssh2.org/CVE-2019-3858.html) - o fixed possible out of bounds reads when processing specially crafted SFTP - packets (https://www.libssh2.org/CVE-2019-3860.html) - o fixed possible out of bounds reads in _libssh2_packet_require(v) - (https://www.libssh2.org/CVE-2019-3859.html) - This release would not have looked like this without help, code, reports and advice from friends like these: - Chris Coulson, Michael Buckley, Will Cosgrove, Daniel Stenberg - (4 contributors) + Peter Surge, Will Cosgrove, Daniel Stenberg, Alex Arslan, Alex Crichton, + Thomas Bleeker, Keno Fischer, Marc Hörsken, Marcel Raad, Viktor Szakats, + Kamil Dudka, Panos, Etienne Samson, Tseng Jun, Brendan Shanks, doublex, + Erik B, Jakob Egger, Thomas Lochmatter, alex-weaver, Adrian Moran, Zenju, + gartens, Matthew D. Fuller, Ryan Kelley, Zhen-Huan HWANG, Orivej Desh, + Alexander Curtiss + + (29 contributors)