OpenSSL now supports AES-NI in evp, not in an engine. We can now get
rid of the no longer maintained aesni engine, which was broken last
summer. Not only can OpenSSL now use AES-NI for everything it did
before we broke it last summer, but it can also use AES-NI for more
encryption modes than before, such as CTR.
Tested on amd64, both vanilla and in an i386 chroot.
ok christos
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for
new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of
lines to process when screening moduli candidates, allowing processing
of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen)
address and port upon which the incoming connection was received via
LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file
descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
they were removed from the specification. bz#2023,
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly
picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
on platforms that use login_cap.
LP64.
Fixes problems showing up on regression tests on i386 (which work fine on
amd64) i.e. turn:
t_netpgpverify (1/1): 2 test cases
netpgpverify_dsa: [0.309746s] Failed: atf-check failed; see the output of the test for details
netpgpverify_rsa: [0.183148s] Passed.
[0.495102s]
Failed test cases:
t_netpgpverify:netpgpverify_dsa
Summary for 1 test programs:
1 passed test cases.
1 failed test cases.
0 expected failed test cases.
0 skipped test cases.
into:
t_netpgpverify (1/1): 2 test cases
netpgpverify_dsa: [0.236076s] Passed.
netpgpverify_rsa: [0.154680s] Passed.
[0.393034s]
Summary for 1 test programs:
2 passed test cases.
0 failed test cases.
0 expected failed test cases.
0 skipped test cases.
