upstream commit Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf

commit: 0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f [log] [tgz]
author: djm@openbsd.org <djm@openbsd.org> Wed Sep 28 16:33:06 2016 +0000
committer: Damien Miller <djm@mindrot.org> Thu Sep 29 03:11:32 2016 +1000
tree: b0271896ec4d6c0e716821954212677438824a05
parent: 27c3a9c2aede2184856b5de1e6eca414bb751c38 [diff] [blame]
diff --git a/Makefile.in b/Makefile.in
index d6df2ff..3990f55 100644
--- a/Makefile.in
+++ b/Makefile.in

@@ -104,7 +104,7 @@
 	auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
-	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+	monitor.o monitor_wrap.o auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
commit	0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f	[log] [tgz]
author	djm@openbsd.org <djm@openbsd.org>	Wed Sep 28 16:33:06 2016 +0000
committer	Damien Miller <djm@mindrot.org>	Thu Sep 29 03:11:32 2016 +1000
tree	b0271896ec4d6c0e716821954212677438824a05
parent	27c3a9c2aede2184856b5de1e6eca414bb751c38 [diff] [blame]