[ANNOUNCEMENT] openssh 8.9p1-1
The following packages have been uploaded to the Cygwin distribution:

* openssh-8.9p1-1

OpenSSH is a program for logging into a remote machine and for executing commands on a remote machine. It can replace rlogin and rsh, providing encrypted communication between two machines.

Cygwin release message:

WinHello support:

Apart from the following official upstream release message, this release contains support for WinHello. That is, users of Windows 10 1909 or later will now be able to use FIDO2 tokens in conjunction with WinHello. Create keys with one of

  ssh-keygen -t ed25519-sk [-O verify-required]
  ssh-keygen -t ecdsa-sk [-O verify-required]

Please note that keys created with `-O no-touch-required' won't work, because WinHello doesn't support authenticating FIDO2 tokens without checking user presence.

WinHello support is supposed to go upstream, but the changes didn't make it into 8.9p1 in time.

Official upstream release message:

OpenSSH 8.9 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote paths relative to other users' home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later supports a protocol extension "expand-p...@openssh.com" to support this.

Security Near Miss
==================

 * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions.

   This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014).

   Thanks to Malcolm Stagg for finding and reporting this bug.

Potentially-incompatible changes

 * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.

 * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR.

Changes since OpenSSH 8.8
=========================

This release includes a number of new features.

New features

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1). A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release.

 * ssh(1), sshd(8): add the sntrup761x25519-sha...@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method.

 * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the
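The quoting difference described in the announcement's "Future deprecation notice" can be reproduced locally; this is an added example, not part of the announcement or of OpenSSH. It is a simulation with a local sh and a scratch directory (no network, no real scp); the function names, REMOTE_DIR and the file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed simulation (no network, no real scp): what the remote side
# receives for a path typed after "host:" under each transfer protocol.

# Scratch directory standing in for the remote home; file names are made up.
REMOTE_DIR=$(mktemp -d)
trap 'rm -rf "$REMOTE_DIR"' EXIT
: > "$REMOTE_DIR/a.txt"
: > "$REMOTE_DIR/my file.txt"

# Prints the argument vector as "count|arg1|arg2..." (stand-in for remote argv).
show_argv='printf "%d" "$#"; for a in "$@"; do printf "|%s" "$a"; done'

# Legacy scp/rcp model: the path text is pasted into a command string that the
# remote user's shell parses again (word splitting, globbing, quote removal).
legacy_receive() {
    ( cd "$REMOTE_DIR" && sh -c "set -- $1; $show_argv" )
}

# SFTP model: the path travels as one opaque string and no shell parses it,
# so quote characters become part of the file name.
sftp_receive() {
    ( cd "$REMOTE_DIR" && sh -c "$show_argv" sh "$1" )
}

# "yes" if exactly one name was received and it exists, else "no".
single_file_found() {
    case $1 in
        1\|*) [ -e "$REMOTE_DIR/${1#1|}" ] && echo yes || echo no ;;
        *)    echo no ;;
    esac
}

# Show the same three inputs under both models.
demo() {
    for p in 'my file.txt' '"my file.txt"' '*'; do
        l=$(legacy_receive "$p"); s=$(sftp_receive "$p")
        printf '%-16s legacy=%-22s sftp=%s\n' "$p" "$l" "$s"
    done
}
demo
```

The extra layer of double quotes is what makes the legacy model find the file and what makes the SFTP model miss it, which is the incompatibility the notice warns about for scripts that carry the old quoting.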
[PATCH] Cygwin: console: Redesign handling of special keys.
- This patch rearranges the cooperation between cons_master_thread, line_edit, and ctrl_c_handler so that only one of them operates at the same time. Since these handle Ctrl-C individually, so the signal may be sent multiple times to the process. This patch fixes the issue. --- winsup/cygwin/fhandler.h | 7 +++-- winsup/cygwin/fhandler_console.cc | 49 +++ winsup/cygwin/fhandler_termios.cc | 29 ++ winsup/cygwin/sigproc.cc | 3 +- 4 files changed, 53 insertions(+), 35 deletions(-) diff --git a/winsup/cygwin/fhandler.h b/winsup/cygwin/fhandler.h index f54eae4c9..b252b6e1c 100644 --- a/winsup/cygwin/fhandler.h +++ b/winsup/cygwin/fhandler.h @@ -1906,7 +1906,7 @@ class fhandler_termios: public fhandler_base signalled, not_signalled, not_signalled_but_done, -not_signalled_with_cyg_reader +not_signalled_with_nat_reader }; public: @@ -1954,9 +1954,9 @@ class fhandler_termios: public fhandler_base } static bool path_iscygexec_a (LPCSTR n, LPSTR c); static bool path_iscygexec_w (LPCWSTR n, LPWSTR c); - virtual bool is_pty_master_with_pcon () { return false; } virtual void cleanup_before_exit () {} virtual void setpgid_aux (pid_t pid) {} + virtual bool need_console_handler () { return false; } }; enum ansi_intensity @@ -2061,6 +2061,7 @@ class dev_console char cons_rabuf[40]; // cannot get longer than char buf[40] in char_command char *cons_rapoi; bool cursor_key_app_mode; + bool disable_master_thread; inline UINT get_console_cp (); DWORD con_to_str (char *d, int dlen, WCHAR w); @@ -2253,6 +2254,7 @@ private: void setup_for_non_cygwin_app (); static void cleanup_for_non_cygwin_app (handle_set_t *p); static void set_console_mode_to_native (); + bool need_console_handler (); friend tty_min * tty_list::get_cttyp (); }; 
@@ -2489,7 +2491,6 @@ public: void get_master_thread_param (master_thread_param_t *p); void get_master_fwd_thread_param (master_fwd_thread_param_t *p); void set_mask_flusho (bool m) { get_ttyp ()->mask_flusho = m; } - bool is_pty_master_with_pcon () { return get_ttyp ()->pcon_activated; } }; class fhandler_dev_null: public fhandler_base diff --git a/winsup/cygwin/fhandler_console.cc b/winsup/cygwin/fhandler_console.cc index ec33a9d3c..a7516f238 100644 --- a/winsup/cygwin/fhandler_console.cc +++ b/winsup/cygwin/fhandler_console.cc @@ -195,21 +195,7 @@ fhandler_console::cons_master_thread (handle_set_t *p, tty *ttyp) DWORD total_read, n, i; INPUT_RECORD input_rec[INREC_SIZE]; - bool nat_fg = false; - bool nat_child_fg = false; - winpids pids ((DWORD) 0); - for (unsigned i = 0; i < pids.npids; i++) - { - _pinfo *pi = pids[i]; - if (pi && pi->ctty == ttyp->ntty && pi->pgid == ttyp->getpgid () - && (pi->process_state & PID_NOTCYGWIN) - && !(pi->process_state & PID_NEW_PG)) - nat_fg = true; - if (pi && pi->ctty == ttyp->ntty && pi->pgid == ttyp->getpgid () - && !(pi->process_state & PID_CYGPARENT)) - nat_child_fg = true; - } - if (nat_fg && !nat_child_fg) + if (con.disable_master_thread) { cygwait (40); continue; @@ -403,6 +389,7 @@ fhandler_console::setup () con.cons_rapoi = NULL; shared_console_info->tty_min_state.is_console = true; con.cursor_key_app_mode = false; + con.disable_master_thread = true; } } @@ -519,6 +506,7 @@ fhandler_console::setup_for_non_cygwin_app () (get_ttyp ()->getpgid ()== myself->pgid) ? tty::native : tty::restore; set_input_mode (conmode, ()->ti, get_handle_set ()); set_output_mode (conmode, ()->ti, get_handle_set ()); + con.disable_master_thread = true; } void 
@@ -534,6 +522,7 @@ fhandler_console::cleanup_for_non_cygwin_app (handle_set_t *p) (con.owner == myself->pid) ? tty::restore : tty::cygwin; set_output_mode (conmode, ti, p); set_input_mode (conmode, ti, p); + con.disable_master_thread = (con.owner == myself->pid); } /* Return the tty structure associated with a given tty number. If the @@ -707,7 +696,14 @@ fhandler_console::bg_check (int sig, bool dontsignal) cygwin app and other non-cygwin apps are started simultaneously in the same process group. */ if (sig == SIGTTIN) -set_input_mode (tty::cygwin, ()->ti, get_handle_set ()); +{ + set_input_mode (tty::cygwin, ()->ti, get_handle_set ()); + if (con.disable_master_thread) + { + con.disable_master_thread = false; + init_console_handler (false); + } +} if (sig == SIGTTOU) set_output_mode (tty::cygwin, ()->ti, get_handle_set ()); @@ -1409,8 +1405,7 @@ bool fhandler_console::open_setup (int flags) { set_flags ((flags & ~O_TEXT) | O_BINARY); - if (myself->set_ctty (this, flags) && !myself->cygstarted) -init_console_handler (true); +
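Review bot: The new member "bool disable_master_thread;" in dev_console (fhandler.h, hunk at -2061) has no comment, although the other hunks write it from setup (), setup_for_non_cygwin_app (), cleanup_for_non_cygwin_app () and bg_check () and poll it from cons_master_thread (). Please add a one-line comment saying what "disabled" means for input handling and which code path is expected to clear it. The same applies to the enum rename from not_signalled_with_cyg_reader to not_signalled_with_nat_reader in the hunk at -1906, which changes the stated meaning of the value without saying when it is returned.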
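Review bot: No lock or interlocked access is visible around con.disable_master_thread, either where cons_master_thread () polls it (fhandler_console.cc, hunk at -195) or where the SIGTTIN branch of bg_check () tests it, clears it and then calls init_console_handler (false) (hunk at -707). The commit message states the goal as only one of cons_master_thread, line_edit and ctrl_c_handler operating at a time, so please either show that these accesses happen under a lock already held at those points, or explain why a stale read lasting one cygwait (40) interval cannot still let two handlers act on the same Ctrl-C.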
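Review bot: The assignment "con.disable_master_thread = (con.owner == myself->pid);" in cleanup_for_non_cygwin_app () (hunk at -534) keeps the flag set when the owning process cleans up, and setup () (hunk at -403) also initialises it to true; in the hunks shown here the only place that clears it is the SIGTTIN branch of bg_check (). A comment explaining why the owner leaves the master thread disabled, and which path re-enables it when no SIGTTIN check occurs, would make the intended state machine reviewable. Related: the base class gains need_console_handler () returning false and only the console class overrides it in the visible hunks, while the pty master override of is_pty_master_with_pcon () is removed, so please confirm that pty masters falling back to false is intended.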
Re: python37-requests package does depends on charset_normalizer or chardet
On Wed, Feb 23, 2022 at 06:56:46PM +0800, Sharuzzaman Ahmat Raslan wrote:
> On Wed, Feb 23, 2022 at 6:37 PM Sharuzzaman Ahmat Raslan wrote:
> >
> > Hi Cygwin package manager.
> >
> > I'm on my new laptop, and installing packages as necessary.
> >
> > After installing python37-requests, my program raised an exception like this:
> >
> > Traceback (most recent call last):
> >   File "get_header.py", line 1, in
> >     import requests
> >   File "/usr/lib/python3.7/site-packages/requests/__init__.py", line 100, in
> >     check_compatibility(urllib3.__version__, chardet_version, charset_normalizer_version)
> >   File "/usr/lib/python3.7/site-packages/requests/__init__.py", line 85, in check_compatibility
> >     raise Exception("You need either charset_normalizer or chardet installed")
> > Exception: You need either charset_normalizer or chardet installed
> >
> > I did not see python37-requests depends or pulling in
> > charset_normalizer or chardet during installation. Is that
> > intentional?
> >
> > Thank you.
>
> Installing python37-chardet manually clears the exception, but not
> solving the initial issue.

It looks to me as though python37-requests correctly lists a dependency on python37-chardet in Cygwin's setup.ini. Can you please provide the setup.log.full file from when you installed python37-requests, as well as the cygcheck output per the link below?

> Problem reports: https://cygwin.com/problems.html

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: python37-requests package does depends on charset_normalizer or chardet
On Wed, Feb 23, 2022 at 6:37 PM Sharuzzaman Ahmat Raslan wrote:
>
> Hi Cygwin package manager.
>
> I'm on my new laptop, and installing packages as necessary.
>
> After installing python37-requests, my program raised an exception like this:
>
> Traceback (most recent call last):
>   File "get_header.py", line 1, in
>     import requests
>   File "/usr/lib/python3.7/site-packages/requests/__init__.py", line 100, in
>     check_compatibility(urllib3.__version__, chardet_version, charset_normalizer_version)
>   File "/usr/lib/python3.7/site-packages/requests/__init__.py", line 85, in check_compatibility
>     raise Exception("You need either charset_normalizer or chardet installed")
> Exception: You need either charset_normalizer or chardet installed
>
> I did not see python37-requests depends or pulling in
> charset_normalizer or chardet during installation. Is that
> intentional?
>
> Thank you.

Installing python37-chardet manually clears the exception, but not solving the initial issue.

Thank you.

--
Sharuzzaman Ahmat Raslan
python37-requests package does depends on charset_normalizer or chardet
Hi Cygwin package manager.

I'm on my new laptop, and installing packages as necessary.

After installing python37-requests, my program raised an exception like this:

Traceback (most recent call last):
  File "get_header.py", line 1, in
    import requests
  File "/usr/lib/python3.7/site-packages/requests/__init__.py", line 100, in
    check_compatibility(urllib3.__version__, chardet_version, charset_normalizer_version)
  File "/usr/lib/python3.7/site-packages/requests/__init__.py", line 85, in check_compatibility
    raise Exception("You need either charset_normalizer or chardet installed")
Exception: You need either charset_normalizer or chardet installed

I did not see python37-requests depends or pulling in charset_normalizer or chardet during installation. Is that intentional?

Thank you.

--
Sharuzzaman Ahmat Raslan