Hello all,<div><br></div><div>Please test the mosh 1.2.3 release candidate:</div><div><br></div><div><a href="https://github.com/downloads/keithw/mosh/mosh-1.2.2.95rc1.tar.gz">https://github.com/downloads/keithw/mosh/mosh-1.2.2.95rc1.tar.gz</a><br>
<br><div class="gmail_quote">On Wed, May 23, 2012 at 12:52 PM, Keith Winstein <span dir="ltr"><<a href="mailto:keithw@mit.edu" target="_blank">keithw@mit.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello all,<br>
<br>
Please test the mosh 1.2.1 release candidate before it is released later this week.<br>
<br>
<a href="https://github.com/downloads/keithw/mosh/mosh-1.2.0.97.tar.gz" target="_blank">https://github.com/downloads/<u></u>keithw/mosh/mosh-1.2.0.97.tar.<u></u>gz</a><br>
<br>
This fixes a number of issues in mosh 1.2, including the ability of evil applications to cause the mosh-server to use a lot of CPU time trying execute a short ANSI escape sequence with a huge "repeat" count. The same sequences can allow a malicious mosh-server to cause the mosh-client to use a lot of CPU time.<br>
<br>
Timo Juhani Lindfors reported this issue to Fedora, which requested a CVE (CVE-2012-2385) on the grounds that it is a denial of service by the application against the mosh-server or by the mosh-server against the mosh-client. We don't generally consider this kind of issue to be security related, since the application is already trusted to decide what it on the screen, and can do things like shut off the keyboard. But it makes for more robust terminal emulation to ignore these gigantic repeat counts rather than getting stuck in a huge loop.<br>
<br>
This release will also:<br>
<br>
* Improve performance on lossy links<br>
<br>
* Give the user a helpful diagnostic when the link is dead in only one<br>
direction<br>
<br>
* Use less CPU when link is down (Keegan McAllister)<br>
<br>
* Use less memory when mosh-server is malicious.<br>
<br>
* Fix a vttest regression re: wrapping and tabs.<br>
<br>
* Enable a roundtrip verifier of terminal emulator correctness when<br>
the server is verbose.<br>
<br>
* Remove skalibs as a dependency (Keegan McAllister)<br>
<br>
* Remove use of poll() and the OS X poll workaround in favor of<br>
pselect(), which we think works everywhere (Keegan McAllister)<br>
<br>
* Include a bash_completion file (ejeffrey)<br>
<br>
* Include a firewall profile for UFW (Fumihito YOSHIDA)<br>
<br>
Please report any feedback to the list or by filing a new issue on GitHub (<a href="https://github.com/keithw/mosh/issues" target="_blank">https://github.com/keithw/<u></u>mosh/issues</a>).<br>
<br>
Thanks very much,<br>
Keith<br>
for the Mosh project<br>
</blockquote></div><br></div>